Getting a cert before the DNS is moved


#1

I am going to move an existing domain from DreamHost to AWS. I have the site there and working but the DNS is not yet moved. As the DNS isnt there yet the certbot --apache command gives and error.

Is there a way to get it setup before the DNS is moved?


#2

Is there a way to get it setup before the DNS is moved?

Long story short, no there is not a way to do this because you cannot generate a key pair for an IP address.

I have the site there and working but the DNS is not yet moved.

I assume you mean that you have migrated the content of your site from DreamHost to AWS, but have not yet moved your DNS records.

DreamHost has a client plugin you can activate that will generate a Let’s Encrypt certificate for your site for the remaining duration that you’re on DreamHost.

As for taking that exact same cert to AWS, you should install your own client and generate a new key pair. That should all be possible once you’ve successfully migrated the DNS records to AWS.


#3

You can use DNS-01 validation, which means creating a TXT record for _acme-challenge.www.example.com. or whatever.

You can use HTTP-01, configuring your old web server to send an HTTP redirect for requests to /.well-known/acme-challenge/xxxxxxxx to your new server’s hostname.

You can use a manual HTTP-01 client, including Certbot’s manual mode, and just create the /.well-known/acme-challenge/ file on your old web server by hand.


#4

I was guessing that was the case. Thanks very much for your input.


#5

I think there’s some confusion about what you’re asking, but if you generate the certificate now using the old site (with HTTP-01) or using the hosting-independent DNS-01 method, you can copy the private key and certificate over to the new site, and they can be installed there before the DNS is actually pointed at the new site. Although the certificate can’t contain an IP address, it’s also not specific to an IP address, and you can use the same certificate on multiple servers at multiple IP addresses, whether or not DNS points at each one at a given moment. (Of course, the general public can only reach servers that the DNS is pointed at.)

So, I think both @pgporada and @mnordhoff are right, but it really depends on exactly what you’re trying to do.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.