Getting certificate in place prior to migrating domains to new server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
iron.holtain.net,spotty-dog.co.uk,www.spotty-dog.co.uk,holtain.net,update.holtain.net,www.holtain.net,fullbore.co.uk,holtain.co.uk,test.holtain.co.uk,www.holtain.co.uk,mw0nre.co.uk,mw0sml.co.uk,mc0sml.co.uk,photos.niamh.org.uk,fullbore.com,photos.fullbore.com,fullbore.co.uk,www.fullbore.co.uk,www.fullbore.com,anthropometer.uk,www.anthropometer.uk,anthropometer.co.uk,www.anthropometer.co.uk,anthropometer.com,www.anthropometer.com,anthropometer.net,www.anthropometer.net,stadiometer.co.uk,www.stadiometer.co.uk,4x4cymru.co.uk,www.4x4cymru.co.uk

I ran this command:
certbot certonly --cert-name iron.holtain.net -d iron.holtain.net,spotty-dog.co.uk,www.spotty-dog.co.uk,holtain.net,update.holtain.net,www.holtain.net,fullbore.co.uk,holtain.co.uk,test.holtain.co.uk,www.holtain.co.uk,mw0nre.co.uk,mw0sml.co.uk,mc0sml.co.uk,photos.niamh.org.uk,fullbore.com,photos.fullbore.com,fullbore.co.uk,www.fullbore.co.uk,www.fullbore.com,anthropometer.uk,www.anthropometer.uk,anthropometer.co.uk,www.anthropometer.co.uk,anthropometer.com,www.anthropometer.com,anthropometer.net,www.anthropometer.net,stadiometer.co.uk,www.stadiometer.co.uk,4x4cymru.co.uk,www.4x4cymru.co.uk --dry-run
It produced this output:
How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2


You are updating certificate iron.holtain.net to include new domain(s):

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate certificate/(C)ancel: u
Simulating renewal of an existing certificate for iron.holtain.net and 29 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: 4x4cymru.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://4x4cymru.co.uk/.well-known/acme-challenge/c5_4hhCVX_WjAqNZebYNL7YJSoZaAOQttrBNZ-S2-_k: 404

Domain: anthropometer.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/cVWikeIIxF_CjVcwxbMBhBLrLhQxLpLdQqx2vAIOBhU: 404

Domain: anthropometer.com
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/O8rJSItV1pf5ZWf4gPEHCLXpOCi9Pw4kRf2ZPbOBw1M: 404

Domain: anthropometer.net
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/7lb3pPkgWTT0aUYMWXkbodNL6gsWheil5VarrICo3s4: 404

Domain: anthropometer.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/9Z3sFoYbRXkD_2Qh6FSPSLjU1clZqebkEo93nFr5jsQ: 404

Domain: fullbore.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://fullbore.co.uk/.well-known/acme-challenge/ttv7mS36RXVPuMPoS3zo1zy1OuU3eE8QlILXWAy0I0k: 404

Domain: fullbore.com
Type: unauthorized
Detail: 217.146.107.39: Invalid response from http://fullbore.com/.well-known/acme-challenge/i2yNVbLr6XilGefOm88CUAkexe82QU6xkHIlDsF7A-4: 404

Domain: holtain.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/VOOsx1BN8JGnoe0JESYvb8UVjkDXeDsG_DJrzmB3n-g: 404

Domain: holtain.net
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.net/.well-known/acme-challenge/bxeRYWgf7bO1uOtRiSTBmdGAkAl2Xh9AprOwcvA-UhY: 404

Domain: mc0sml.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://mc0sml.co.uk/.well-known/acme-challenge/IyTUQq_ABQeyXLEvM29vxCGbAsG8OBVZ3qu68cfAOCE: 404

Domain: mw0nre.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://mw0nre.co.uk/.well-known/acme-challenge/yL3MloIcaGnUKprGdnPaLA3LOagUcTuwjURzvn04aE4: 404

Domain: mw0sml.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://mw0sml.co.uk/.well-known/acme-challenge/VEs9OMqltfWHGMLoM8aAZbb3dj7bsdlPVrETbm8O6xY: 404

Domain: photos.fullbore.com
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/5lh6IVkErwzx8brr3huDidFgGZqa6e4HATm2zCHsVo0: 404

Domain: photos.niamh.org.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/6zG2ZIj21W4Iss6oyKyf2nG7tA8Z2XVyUu5B_5JgEG4: 404

Domain: spotty-dog.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://spotty-dog.co.uk/.well-known/acme-challenge/VkIWw2Q8Ap_sPXoHEulJ0HHmksC6819PT6qE20R5qOI: 404

Domain: stadiometer.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/h-bQl3dsoSbWz55FRKmnWgJOP-17wPdEgvRyuDhlYdw: 404

Domain: test.holtain.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/vEtMdkDnocAOrdURSJHeOcyYNJuFMAMp3DcCcp7NXf4: 404

Domain: update.holtain.net
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://update.holtain.net/.well-known/acme-challenge/D2bJ3_W36k9ezMZpMYTUscssNeMtmQ-IXIbLnaQLXhg: 404

Domain: www.4x4cymru.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://4x4cymru.co.uk/.well-known/acme-challenge/CRYXB6HThfnrhZ7BQf9YEQawcQiY1tnKFwC6WzbM5qk: 404

Domain: www.anthropometer.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/S2PXz5IiTP-2mMD6K8f6xXDoBGriGhxW3o3QjA4UoSI: 404

Domain: www.anthropometer.com
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/EVw3jucNSzuqksynfI2oEMnxXOioF1I69demOFyFR58: 404

Domain: www.anthropometer.net
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/2GgdG8prZXHO-Sk1e4IPjpqsN7s9U3VIV4EBoZ54JJQ: 404

Domain: www.anthropometer.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/g6wI-dvKEEk7e6qsfl04DzD2PACzkrCfZGsn1MYvSsI: 404

Domain: www.fullbore.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://fullbore.co.uk/.well-known/acme-challenge/ZeC5dRf56MQCpFuwrhLhWdCMPpn-L1GX_xyVVQhlalg: 404

Domain: www.fullbore.com
Type: unauthorized
Detail: 217.146.107.39: Invalid response from http://www.fullbore.com/.well-known/acme-challenge/iU4UvGsBi6vvjoZchv_j2UiVPE9R_0DzKLhjgnEa7ME: 404

Domain: www.holtain.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/VLDAMXkzN8PTQsWOqYJFA9Aa87X9fbPmuYvQmrbja-w: 404

Domain: www.holtain.net
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.net/.well-known/acme-challenge/o3AhQ5HuF-B0w5a0IDXhs11qD-w0Dn2vhgTH7houf1E: 404

Domain: www.spotty-dog.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://spotty-dog.co.uk/.well-known/acme-challenge/KQAKssWsHRNbm_v_TqZsysqx7RMeO-UtHKTi7XcdHUk: 404

Domain: www.stadiometer.co.uk
Type: unauthorized
Detail: 217.146.107.39: Invalid response from https://holtain.co.uk/.well-known/acme-challenge/mPriewTocWQ_XFuShF4cFaWEvaNZHKjZVeOOq_TTnog: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
The operating system my web server runs on is (include version):
CentOS 9
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.11.0

When I visit your website, this answers:
Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.27

That's a CentOS 7-ish version: are you sure DNS is pointing at the right machine?

2 Likes

DNS is certainly pointing to the live server; it's getting the certificate in place for all those domains on the new server that's the issue.

Are the live server and the new server the same thing?

2 Likes

I see you're running your own DNS servers ns1.holtain.net. and dns.holtain.net..

Maybe you could use the certbot-dns-rfc2136 plugin with those nameservers (assuming you have control over them and they support RFC2136 [nsupdate uses that protocol too]) to leverage the dns-01 challenge. That way you don't have to deal with the http-01 challenge going to the old IP address.

2 Likes
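To make the dns-01 suggestion above concrete, here is an added example (not part of the thread, and not the plugin's own code) of what a dns-rfc2136 setup looks like end to end: a TSIG secret, the credentials file certbot reads, the matching BIND `update-policy` that limits the key to the one `_acme-challenge` TXT name, an `nsupdate` probe to prove the key works before certbot depends on it, and the certbot command. The nameserver address 203.0.113.53, the key name `certbot.` and the credentials path are assumptions; the option names in the credentials file are the plugin's documented ones.

```shell
#!/bin/sh
# Added example, not from the thread: set up certbot's dns-rfc2136 plugin so the
# dns-01 challenge is answered by the self-hosted nameservers, independent of
# which IP the names currently resolve to. Assumptions (hypothetical values):
# NS_IP is the primary that accepts RFC 2136 updates, KEY_NAME is the TSIG key
# name, CREDS is where the plugin's credentials file is written.
set -eu

NS_IP="${NS_IP:-203.0.113.53}"
KEY_NAME="${KEY_NAME:-certbot.}"
CREDS="${CREDS:-/etc/letsencrypt/rfc2136.ini}"

# Generate a TSIG secret (same output format as BIND's tsig-keygen, but needs no
# BIND tooling on this host).
gen_tsig_secret() {
    openssl rand -base64 32
}

# Write the credentials file in the format the dns-rfc2136 plugin reads. The
# option names are the plugin's documented ones. Mode 600 matters: whoever can
# read this file can rewrite the permitted records in every zone the key covers.
write_creds() {
    file="$1"; server="$2"; name="$3"; secret="$4"
    umask 077
    cat > "$file" <<EOF
dns_rfc2136_server = $server
dns_rfc2136_port = 53
dns_rfc2136_name = $name
dns_rfc2136_secret = $secret
dns_rfc2136_algorithm = HMAC-SHA512
EOF
    chmod 600 "$file"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
creds_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Nameserver side (BIND named.conf), printed for reference. update-policy limits
# the key to the single TXT name certbot needs; repeat the zone block per zone.
bind_snippet() {
    zone="$1"; secret="$2"
    cat <<EOF
key "$KEY_NAME" { algorithm hmac-sha512; secret "$secret"; };
zone "$zone" {
    type master;
    file "$zone.zone";
    update-policy { grant $KEY_NAME name _acme-challenge.$zone. TXT; };
};
EOF
}

# Prove the key works before certbot depends on it: add, then delete, a TXT record.
nsupdate_probe() {
    zone="$1"; secret="$2"
    nsupdate -y "hmac-sha512:$KEY_NAME:$secret" <<EOF
server $NS_IP
zone $zone
update add _acme-challenge.$zone. 60 TXT "probe"
send
update delete _acme-challenge.$zone. TXT
send
EOF
}

# The certbot invocation; --dry-run (staging) first, as in the original post.
certbot_dns_cmd() {
    printf 'certbot certonly --dns-rfc2136 --dns-rfc2136-credentials %s --dns-rfc2136-propagation-seconds 30 --cert-name iron.holtain.net -d iron.holtain.net -d holtain.net -d www.holtain.net --dry-run\n' "$CREDS"
}

case "${1:-}" in
    setup)
        secret=$(gen_tsig_secret)
        write_creds "$CREDS" "$NS_IP" "$KEY_NAME" "$secret"
        echo "wrote $CREDS (mode $(creds_mode "$CREDS"))"
        bind_snippet holtain.net "$secret"
        nsupdate_probe holtain.net "$secret" && echo "nsupdate probe OK"
        certbot_dns_cmd
        ;;
esac
```

Run it as `sh rfc2136-setup.sh setup` on the new server. Because the plugin only ever needs to write `_acme-challenge.<zone>` TXT records, the `update-policy` grant is the least privilege that still lets renewals run unattended; a blanket `allow-update { key certbot.; }` would let a leaked credentials file rewrite the whole zone.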

No, live is at potassium.holtain.net new is iron.holtain.net

I seem to recall that this would cause issues running certbot renew?

Why?

You're probably mistaking running the dns-01 with an actual DNS plugin (such as the one I'm suggesting) with running dns-01 completely manual. The latter is a problem with automated renewals, the former is not.

Besides, if you'd like, you could always switch to the http-01 challenge once the DNS settings are all migrated to the new server.

2 Likes

Could you copy the entire /etc/letsencrypt/ directory structure, including symlinks, to the new server? Then once it is fully tested and you switch the public DNS to point all those domains to the new server you can get your certbot renew working

4 Likes

I could, but the certificate for potassium.holtain.net (current live server) doesn't include iron.holtain.net (the new server name).

Could I temporarily change the dns for iron.holtain.net to the live server and generate the certificate there then copy it over and change the dns back?

Or would that cause issues with certbot renew on what is currently the live server, but I think I could work round that by doing a certbot renew first... maybe

Sure. The IP in the public DNS is where Let's Encrypt connects to prove control with the HTTP Challenge. You do not need to wait for TTL propagation as LE looks directly at the DNS authoritative servers. There is no "memory" of the IP you got your initial cert from that affects any "renew".

I noticed you used Standalone, which requires your webserver to be down as it needs exclusive use of port 80. Once you have Apache working the --apache or --webroot options are likely better.

You could also consider using separate certs rather than one large one. A single cert with many domain names is often harder to manage.

4 Likes
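The two facts in the answer above (the CA resolves each name at the authoritative nameservers, so there is no TTL to wait for, and standalone needs port 80 to itself) can be checked before running certbot rather than discovered from thirty "unauthorized" errors. The script below is an added example, not from the thread: for every name in the original command it finds the zone's authoritative nameserver, asks it directly for the A record, and reports any name that does not point at the new server, then checks that nothing is bound to :80. The new server's address 203.0.113.10 is an assumption; `dig` (bind-utils) and `ss` (iproute) are assumed to be installed. The resolver is a variable so the comparison logic can also be run against a canned table.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight for the http-01 challenge.
# Let's Encrypt looks up each name at the zone's authoritative nameservers (no
# TTL to wait out) and connects to that IP on port 80, so before running certbot
# on the new server we check that every name already resolves to it and that
# port 80 is free for --standalone. Assumptions (hypothetical): NEW_IP is the
# new server's public address; dig and ss are installed.
set -u

NEW_IP="${NEW_IP:-203.0.113.10}"

# Find an authoritative nameserver for a name by walking up its labels until a
# zone with NS records is reached (www.holtain.co.uk -> holtain.co.uk).
authoritative_ns() {
    name="$1"
    while [ -n "$name" ]; do
        ns=$(dig +short NS "$name" 2>/dev/null | head -n 1)
        if [ -n "$ns" ]; then echo "$ns"; return 0; fi
        case "$name" in *.*) name="${name#*.}" ;; *) return 1 ;; esac
    done
    return 1
}

# Ask that nameserver directly, bypassing every recursive cache in between.
# With a CNAME, +short prints the target first and the A record last.
resolve_authoritative() {
    ns=$(authoritative_ns "$1") || return 1
    dig +short A "$1" "@$ns" 2>/dev/null | tail -n 1
}

# Resolver is a variable so the check can be exercised against a canned table.
RESOLVE="${RESOLVE:-resolve_authoritative}"

# Print one MISMATCH line per name not pointing at $expected; return 1 if any.
check_names() {
    expected="$1"; shift
    bad=0
    for n in "$@"; do
        ip=$("$RESOLVE" "$n" 2>/dev/null || true)
        if [ "$ip" != "$expected" ]; then
            echo "MISMATCH $n -> ${ip:-(no answer)} (expected $expected)"
            bad=1
        fi
    done
    return "$bad"
}

# --standalone binds :80 itself, so anything already listening there (httpd,
# for instance) makes every challenge fail. Returns 0 when :80 is free.
port80_free() {
    ! ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE '(^|:)80$'
}

# The 30 distinct names from the original certbot command.
DOMAINS="iron.holtain.net spotty-dog.co.uk www.spotty-dog.co.uk holtain.net update.holtain.net www.holtain.net fullbore.co.uk holtain.co.uk test.holtain.co.uk www.holtain.co.uk mw0nre.co.uk mw0sml.co.uk mc0sml.co.uk photos.niamh.org.uk fullbore.com photos.fullbore.com www.fullbore.co.uk www.fullbore.com anthropometer.uk www.anthropometer.uk anthropometer.co.uk www.anthropometer.co.uk anthropometer.com www.anthropometer.com anthropometer.net www.anthropometer.net stadiometer.co.uk www.stadiometer.co.uk 4x4cymru.co.uk www.4x4cymru.co.uk"

case "${1:-}" in
    run)
        port80_free || echo "WARNING: something is already listening on :80; --standalone will fail"
        # shellcheck disable=SC2086  # word splitting of DOMAINS is intended
        check_names "$NEW_IP" $DOMAINS && echo "all names resolve to $NEW_IP"
        ;;
esac
```

Run as `sh preflight.sh run`. In the situation in this thread every name would come back as a MISMATCH pointing at the old server's address, which is exactly why the CA reported 404s from that host rather than reaching the standalone listener.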

Only because /var/www/html hasn't been populated yet

If that is your DocumentRoot, Apache (probably) won't start if it does not exist. It doesn't need to be "full" - just exist. I am pretty sure Apache at least warns about a "missing" DocumentRoot and possibly will fail to start.

For --webroot the --webroot-path just has to exist. Certbot will create/delete the challenge token files as needed.

For --apache it will setup the challenge folder for you. If you don't want it to configure your Apache too (and in your case probably not) use the format:
sudo certbot certonly --apache -d ...

2 Likes
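As an added example of the --webroot route described above (not from the thread, and not certbot's or Apache's own configuration), here is a port-80 vhost that serves challenge tokens for every name it answers for while still redirecting everything else to HTTPS, shown next to the blanket-redirect form that sends the CA's request to an HTTPS vhost which knows nothing about the token. The webroot `/var/www/letsencrypt`, the conf path under `/etc/httpd/conf.d/` and the use of the holtain.co.uk names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an Apache :80 vhost that serves http-01
# tokens from a dedicated webroot while redirecting everything else to HTTPS.
# Assumptions (hypothetical): WEBROOT, CONF, and the holtain.co.uk names used
# as ServerName/ServerAlias.
set -eu

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
CONF="${CONF:-/etc/httpd/conf.d/acme-challenge.conf}"

# Weak form, shown for contrast only: a blanket redirect bounces the CA's
# challenge GET to the HTTPS vhost, which has no token to serve and answers 404,
# the same "Invalid response from https://.../acme-challenge/...: 404" shape
# seen in the certbot output at the top of this thread.
weak_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName holtain.co.uk
    ServerAlias www.holtain.co.uk test.holtain.co.uk
    Redirect permanent / https://holtain.co.uk/
</VirtualHost>
EOF
}

# Corrected form: one Alias serves tokens for every name in the vhost from a
# single webroot, and the RewriteCond exempts that path from the redirect.
write_vhost() {
    conf="$1"; webroot="$2"
    mkdir -p "$webroot/.well-known/acme-challenge"
    cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerName holtain.co.uk
    ServerAlias www.holtain.co.uk test.holtain.co.uk
    Alias /.well-known/acme-challenge/ $webroot/.well-known/acme-challenge/
    <Directory $webroot/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Smoke test against the running httpd: drop a token, fetch it over plain HTTP,
# and require a 200 (neither a redirect nor a 404).
smoke_test() {
    host="$1"; dir="$WEBROOT/.well-known/acme-challenge"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf 'ok\n' > "$dir/$token"
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$code" = 200 ]
}

# certonly + --webroot: certbot writes tokens into WEBROOT and never edits httpd.conf.
certbot_webroot_cmd() {
    printf 'certbot certonly --webroot -w %s --cert-name iron.holtain.net -d holtain.co.uk -d www.holtain.co.uk -d test.holtain.co.uk --dry-run\n' "$WEBROOT"
}

case "${1:-}" in
    install) write_vhost "$CONF" "$WEBROOT"; echo "wrote $CONF; next: apachectl configtest && systemctl reload httpd" ;;
    smoke)   smoke_test holtain.co.uk ;;
    cmd)     certbot_webroot_cmd ;;
esac
```

`sh acme-vhost.sh install`, reload httpd, then `sh acme-vhost.sh smoke` from the server itself (or from outside) before spending validation attempts; the same Alias block can be repeated in each :80 vhost, all pointing at the one webroot, so a single `-w` covers all thirty names.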

FWIW, rsync works pretty well for this type of migration due to the design of the /etc/letsencrypt directory.

4 Likes
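To show why rsync suits this layout, here is an added example (not from the thread) of the copy plus the two checks worth running afterwards: that every `live/<name>/*.pem` is still a relative symlink that resolves into `archive/`, and that no private key came across group- or world-readable. Source and destination paths are assumptions; the remote form of the rsync is in a comment, and a tar pipe is used only where rsync is absent.

```shell
#!/bin/sh
# Added example, not from the thread: copy /etc/letsencrypt to the new host and
# check what matters afterwards. live/<name>/*.pem are relative symlinks into
# archive/<name>/, so any copy that preserves symlinks keeps the layout intact.
# Assumptions (hypothetical): SRC and DST paths. Run as root, since archive/
# holds the private keys.
set -eu

SRC="${SRC:-/etc/letsencrypt}"
DST="${DST:-/tmp/letsencrypt-copy}"

# Archive mode keeps symlinks, owners, modes and mtimes; -H keeps hard links.
# Remote form: rsync -aH /etc/letsencrypt/ root@iron.holtain.net:/etc/letsencrypt/
# Fallback for hosts without rsync: a tar pipe, which also preserves symlinks.
copy_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -aH "$src/" "$dst/"
    else
        (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xf -)
    fi
}

# Every live/*/*.pem must still be a relative symlink that resolves; certbot
# creates them relative precisely so the tree can be relocated as a unit.
verify_live_links() {
    root="$1"; bad=0
    for link in "$root"/live/*/*.pem; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob
        if [ ! -L "$link" ]; then echo "not a symlink: $link"; bad=1; continue; fi
        target=$(readlink "$link")
        case "$target" in /*) echo "absolute link: $link -> $target"; bad=1 ;; esac
        if [ ! -e "$link" ]; then echo "dangling: $link -> $target"; bad=1; fi
    done
    return "$bad"
}

# Private keys must not be group- or world-readable after the copy (rsync -a
# preserves modes; a careless cp, or tar unpacked by an unprivileged user, may not).
loose_private_keys() {
    find "$1/archive" -name 'privkey*.pem' \( -perm -g+r -o -perm -o+r \)
}

case "${1:-}" in
    run)
        copy_tree "$SRC" "$DST"
        verify_live_links "$DST"
        loose=$(loose_private_keys "$DST")
        [ -z "$loose" ] || { echo "fix permissions on:"; echo "$loose"; exit 1; }
        echo "copied; on the new host run: certbot certificates && certbot renew --dry-run"
        ;;
esac
```

The `renewal/<name>.conf` files record the authenticator and any webroot path as absolute paths, so copying into the same `/etc/letsencrypt` location on the new host keeps them valid; `certbot renew --dry-run` there is the final confirmation once DNS has moved.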

Thanks everyone, got a certificate on the new server for all the domains.

Changed the dns for iron.holtain.net to the old server, created the certificate and copied it over then changed the dns back.

https://www.ssllabs.com/ssltest/analyze.html?d=iron.holtain.net

3 Likes
