How do I migrate from Apache to nginx?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hoyo.zeetix.com

I ran this command: NA

It produced this output: NA

My web server is (include version): Apache/2.4.37 (rocky)

The operating system my web server runs on is (include version): Rocky Linux 8.8 (Green Obsidian)

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0


I installed this certificate on Apache, and it's been working fine since then. I want to replace Apache with nginx. I don't see any recent topics in this community about how to do that.

Here is the current output from certbot certificates:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: hoyo.zeetix.com
    Serial Number: 40e2a0d0aa3c7a03eac74801d00b4a596d7
    Key Type: ECDSA
    Domains: hoyo.zeetix.com covid.hoyo.zeetix.com covid.tms.hoyo.zeetix.com gate.hoyo.zeetix.com gate.tms.hoyo.zeetix.com ses.hoyo.zeetix.com tms.hoyo.zeetix.com
    Expiry Date: 2023-10-04 00:02:09+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/hoyo.zeetix.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hoyo.zeetix.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My questions are:

  1. I assume that I want to remove Apache, install nginx, and then do something with certbot. Is this the best order?
  2. What do I do in order for certbot (or some tool) to adjust the nginx configuration to use my certificate?
  3. Will my process for managing renewals continue unchanged?

You don't necessarily need to remove Apache. They can be installed next to each other perfectly fine. It's just you can't run both on the same ports at the same time.

My advice is to configure nginx to your liking while Apache is still running. You could even test nginx out on e.g. HTTP port 8080 while Apache is still running on port 80.

If your nginx is running fine (e.g. on port 8080) you could already install the certificate using the --nginx installer:

sudo certbot install --nginx --cert-name hoyo.zeetix.com

You could even temporarily install the certificate on a port different than port 443, which is probably taken by the still running Apache. The command would be then e.g.:

sudo certbot install --nginx --cert-name hoyo.zeetix.com --https-port 80443

(Not sure if the HTTP to HTTPS redirect would also make sure the redirect is to that specific port though, but if not that would be a bug IMO.)

Then, if nginx is running nicely on ports 8080/80443 and Apache is still running on ports 80/443, you could do, in this order:

  • modify the nginx configuration and change the port 8080 to 80 (wherever it's mentioned) and port 80443 to 443 (wherever it's mentioned)
  • stop Apache
  • (re)start nginx

Note: I have absolutely no clue if your renewal configuration file is also updated by that install command though! Afterwards, you should check the contents of the file /etc/letsencrypt/renewal/hoyo.zeetix.com.conf and see what the value of the installer option is.

4 Likes
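
The renewal-file check suggested in the note above, as an added example that is not part of the original post: it reads the `installer` value from the `[renewalparams]` section of a certbot renewal file and flags it if it still names the old web server. It goes slightly beyond the post by also checking `authenticator`, which certbot stores in the same section. The function names are hypothetical and the file contents are a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certbot renewal file.

# renewal_plugin FILE KEY -> prints the value of KEY from [renewalparams]
renewal_plugin() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && /^[ \t]*[#;]/ { next }      # skip comment lines
        in_params {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# check_renewal FILE OLD -> returns 1 if authenticator or installer is still OLD
check_renewal() {
    rc=0
    for key in authenticator installer; do
        value=$(renewal_plugin "$1" "$key")
        if [ "$value" = "$2" ]; then
            echo "WARN: $key = $value (renewal still depends on $2)"
            rc=1
        else
            echo "ok:   $key = ${value:-<unset>}"
        fi
    done
    return $rc
}

# Constructed sample modelled on /etc/letsencrypt/renewal/hoyo.zeetix.com.conf:
# the installer was switched to nginx, the authenticator was not.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
version = 2.6.0
fullchain = /etc/letsencrypt/live/hoyo.zeetix.com/fullchain.pem

[renewalparams]
authenticator = apache
installer = nginx
key_type = ecdsa
EOF

check_renewal "$sample" apache || echo "renewal would still call the apache plugin"
```

On the real server, run `check_renewal /etc/letsencrypt/renewal/hoyo.zeetix.com.conf apache` as root before stopping Apache.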

To help in your migration from Apache to nginx here are some documentation links.

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

Here details on Apache can be found in documentation and forums:

1 Like

Also be sure to test your new nginx configuration using the Staging Environment before using the Production Environment. 🙂

1 Like

OP already has a certificate they can use. No need to re-issue a new one and I'm not sure if a --dry-run (using the staging environment) would help with the migration: I'm not entirely sure it mentions something about the webserver.

2 Likes

Fair enough! 🙂

I appreciate this immediate and helpful response.

I'll try this, see what happens, and update this thread accordingly.

2 Likes
