How to create multiple certs so I can load an AWS EC2 backup on a different public DNS name


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: peerpowerinc.com

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.22.2

I am using AWS EC2. I create backups of my site regularly as AWS amazon machine images (AMI).
Before I had installed SSL certificates via Let’s Encrypt, I could launch a backup AMI as a new AWS EC2 instance and, after changing a setting or two, could load my backup at the AWS public DNS name, for example ec2-XX-YY-ZZ-123.compute-1.amazonaws.com, and my backed-up site would load. But now that I have Let’s Encrypt certificates installed, when I try to follow the same process I did before having certs installed, the browser shows a “site can’t be reached” error and the Apache error log has an error like:
“server certificate does NOT include an ID which matches the server name”.

I am hoping I can add a subdomain cert like dev.peerpowerinc.com to my production server, then make a backup of that server, launch a new AWS instance from the backup AMI, get the temporary public DNS address of the new instance, and add an A record set to Route53 where I assign dev.peerpowerinc.com to the temporary public DNS address of the new instance.

  1. Is this possible?
  2. Any steps on how to do that?
  3. Would I have to create new virtual host for dev.peerpowerinc.com as well on production server before backing up?
  4. I am hoping that once I add the dev.peerpowerinc.com cert to production and then create a backup, the only thing I would have to update to load a backup is the DNS record of where dev.peerpowerinc.com points. Is that right?

Thanks in advance.
-Michael

#2

Since you are hosting your domain with Route53, one way to dodge all of the complications is to use the certbot-dns-route53 plugin: https://certbot-dns-route53.readthedocs.io/en/latest/

As long as you assign your instances the right IAM role, any instance launched from that AMI would be able to issue or renew certificates for dev.peerpowerinc.com (regardless of where the subdomain currently points).
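The IAM role mentioned above is inherited by every instance launched from the AMI, so it should be allowed to change records only in the one hosted zone certbot needs. The following is an added example (not code from the thread or from the certbot project) that builds the policy in the shape the certbot-dns-route53 documentation describes and audits an arbitrary policy document for an over-broad grant. The hosted zone id is a placeholder, and the over-broad policy at the bottom is constructed for illustration.

```python
"""Build and audit the IAM policy an EC2 instance role needs for certbot-dns-route53.

Added example, not the plugin's own code. The three Route53 actions are the
ones the certbot-dns-route53 documentation lists: ListHostedZones and GetChange
on any zone, ChangeResourceRecordSets on one hosted zone only.
"""
import fnmatch
import json

HOSTED_ZONE_ID = "ZEXAMPLE0000000"  # placeholder, replace with your own hosted zone id


def certbot_route53_policy(hosted_zone_id):
    """Least-privilege policy: read any zone, but only change records in one."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets"],
                "Resource": "arn:aws:route53:::hostedzone/%s" % hosted_zone_id,
            },
        ],
    }


def policy_json(hosted_zone_id):
    """The same policy serialised as it would be pasted into IAM."""
    return json.dumps(certbot_route53_policy(hosted_zone_id), indent=2)


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def writable_zones(policy):
    """Hosted zone ids the policy allows record changes in; '*' means all of them."""
    target = "route53:changeresourcerecordsets"
    zones = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Action entries may be wildcards such as "route53:*" or "*".
        if not any(fnmatch.fnmatchcase(target, p) for p in patterns):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("/*"):
                zones.add("*")
            elif "hostedzone/" in res:
                zones.add(res.rsplit("/", 1)[1])
    return zones


def is_scoped_to(policy, hosted_zone_id):
    """True when the role can change records in exactly that one zone."""
    return writable_zones(policy) == {hosted_zone_id}


# Constructed over-broad policy: lets any instance from the AMI rewrite every zone.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "route53:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(policy_json(HOSTED_ZONE_ID))
    print("scoped:", is_scoped_to(certbot_route53_policy(HOSTED_ZONE_ID), HOSTED_ZONE_ID))
    print("overbroad writable zones:", writable_zones(OVERBROAD_POLICY))
```

Attach the scoped policy to the instance role before creating the AMI; the audit function is useful as a pre-flight check in whatever pipeline bakes the image, so an accidental `route53:*` on `*` does not ship in every backup.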


#3

Another path would be to use a wildcard cert.
The backup could then take any other name from that same zone and work immediately.
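The Apache warning in the original post and the wildcard suggestion above both come down to one check: whether the name the backup is reached at appears in the certificate's Subject Alternative Names. The following is an added example (not code from the thread) that reproduces that check with the RFC 6125 wildcard rule, where `*` covers exactly one DNS label. The SAN lists are constructed to mirror the three setups discussed: the production cert, the production cert plus a dev subdomain, and a wildcard cert; the EC2 hostname is the placeholder from the post.

```python
"""Does a certificate's SAN list cover a hostname?

Added example, not code from the thread. Mirrors the decision behind Apache's
"server certificate does NOT include an ID which matches the server name"
warning: the SAN entries are compared label by label, and a wildcard is only
honoured as the whole leftmost label.
"""


def _label_matches(pattern, label):
    # Only a whole-label wildcard is honoured; partial wildcards like "dev*"
    # are rejected, as browsers do.
    return pattern == "*" or pattern == label


def hostname_matches_san(hostname, san_names):
    """True if hostname is covered by one of the dNSName SAN entries."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if "*" in san_labels[1:]:
            continue  # wildcard permitted only in the leftmost label
        if all(_label_matches(p, h) for p, h in zip(san_labels, host_labels)):
            return True
    return False


def apache_name_mismatch(server_name, san_names):
    """True when Apache would log the name-mismatch warning for this vhost."""
    return not hostname_matches_san(server_name, san_names)


# Constructed SAN lists for the three setups in the thread.
PROD_SANS = ["peerpowerinc.com", "www.peerpowerinc.com"]
PROD_PLUS_DEV = PROD_SANS + ["dev.peerpowerinc.com"]
WILDCARD_SANS = ["peerpowerinc.com", "*.peerpowerinc.com"]

# Placeholder EC2 public DNS name as written in the original post.
BACKUP_PUBLIC_DNS = "ec2-XX-YY-ZZ-123.compute-1.amazonaws.com"


def report():
    """Which names each certificate would let a restored backup answer to."""
    scenarios = {
        "prod cert, reached at EC2 public DNS": (BACKUP_PUBLIC_DNS, PROD_SANS),
        "prod cert, reached at dev subdomain": ("dev.peerpowerinc.com", PROD_SANS),
        "prod + dev cert, reached at dev subdomain": ("dev.peerpowerinc.com", PROD_PLUS_DEV),
        "wildcard cert, reached at any one-label subdomain": ("backup-2.peerpowerinc.com", WILDCARD_SANS),
        "wildcard cert, reached at a two-label subdomain": ("a.b.peerpowerinc.com", WILDCARD_SANS),
    }
    return {name: not apache_name_mismatch(host, sans) for name, (host, sans) in scenarios.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print("%-52s %s" % (name, "OK" if ok else "MISMATCH"))
```

The table this prints shows why the EC2 public DNS name can never be used as-is (nobody can obtain a publicly trusted certificate for a name under amazonaws.com that they do not control), why a single extra subdomain works only for that one name, and why a wildcard covers any single-label name under the zone but not deeper names.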

