I’ve moved a website from server A to server B, but the website on server A is using Let’s Encrypt (https), and now I don’t know the easiest way (or steps) to configure Let’s Encrypt on server B without downtime.
What is the best option, and how do I do it? I have to do this right away since server A is having problems, so please help ASAP.
Install certbot and use it to get a new certificate. You must use DNS validation, since you have no control over which server will respond to an HTTP validation request.
Edit: I did tell you to add a second A record to your DNS. That’s only to avoid downtime when you switch the first server off. It’s not needed to get a certificate with DNS validation.
Or, @mhweb can copy the certificates from the original server and use them temporarily. Then, after everything is migrated, run any ACME client and obtain a certificate.
P.S. Steps included:
Copy Let’s Encrypt certificates from the original server.
Copy all websites & their certificates onto the new server.
Configure your web server correctly.
After everything has gone well, remove the previous server’s DNS records and obtain new certificates on the new server.
OK, the way I understand it is to leave the current DNS records as they are and create another A record with the IP address of the new server, so that the DNS records will have two A records, one for the old server and one for the new server, and this process will do the DNS validation, correct?
Then, on the new server, I can simply run the certbot --apache command to set things up.
Then I should be able to access the new server via https, make sure it’s working, and then I can remove the old server A record?
If you add a second A record, clients will connect at random to both servers, so you want to be sure they are both ready before doing this.
On the new server you cannot run certbot --apache while the old one is active, or validation will default to http and fail because only one server is validating.
The command you should run is certbot --apache --preferred-challenges=dns.
What you should do is:
Get the new server ready and with certs (either copy them off the old server as @stevenzhu said or get new ones via DNS validation).
Add a second A/AAAA record and reduce the TTL on all other A/AAAA records.
Remove the old server’s A/AAAA records.
Wait for the old TTL to expire.
Turn off the old server.
(edit/2: I rearranged the order of operations; it makes more sense now.)
DNS validation is completely independent of whatever servers are running; you could even do it without any servers running. It’s done by adding a TXT record in your DNS panel.
OK, so I have to add a TXT record in the DNS panel, and then run the certbot --apache --preferred-challenges=dns command on server B, where the new site is located?
Yes, you will be.
However, this might not be the way you want to proceed, because this way will not allow you to renew the certificate automatically unless you've configured a script that adds/removes/updates the required records automatically.
Please consider using HTTP-based validation if you don't know whether your DNS provider and/or ACME client supports this feature.
@9peppe @stevenzhu instead of going through this process, could I just update the DNS settings to point to the new server, let it propagate (and deal with some downtime), and then from the terminal run certbot --apache to configure Let’s Encrypt?
If something goes wrong, should switching the DNS settings back to the old server work? I mean, will the certificate still work on the old server?
The certificate will still work on the old server; however, your clients might have issues using your websites, which means the downtime will be more unpredictable.
If you want to, you can install certbot and apache via the package manager and try to copy the whole apache folder and the /etc/letsencrypt/ folder to the new server, which (theoretically) would copy all the files you need and configure the virtualhosts just like on the old server.
(If you want to do this, please do this before switching any DNS records to new server)
Certificates are independent of each other, but, you know, I am not too comfortable juggling servers in production like this.
Can’t you just use scp to move the certs from one server to the other? A very useful option is -3, which allows you to be the middle point when moving stuff between two remote machines.
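Added here as a worked example, not part of the thread: the checks I would run on server B after copying /etc/letsencrypt over (as suggested above) and before touching DNS. It assumes openssl is installed; the paths and the 203.0.113.10 / example.com values in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Pre-cutover checks for a /etc/letsencrypt tree copied to the new server.
set -eu

# Returns 0 if the certificate and key are a pair. Compares the public
# keys, so it works for both RSA and ECDSA certificates.
cert_key_match() {       # cert_key_match fullchain.pem privkey.pem
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Returns 0 if the certificate stays valid for at least N more days.
cert_valid_for_days() {  # cert_valid_for_days fullchain.pem 30
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Walks live/<lineage>/, prints one status line per lineage and returns
# the number of broken lineages (0 means the copy is safe to serve).
# live/ must stay symlinks into archive/ or "certbot renew" breaks, which is
# exactly what a copy that dereferences symlinks (e.g. scp -r) produces.
check_live_tree() {      # check_live_tree /etc/letsencrypt
  local dir name bad=0
  for dir in "$1"/live/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    if [ ! -L "$dir/fullchain.pem" ]; then
      echo "$name: fullchain.pem is not a symlink into archive/ (renewal will break)"
      bad=$((bad + 1))
    elif ! cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem"; then
      echo "$name: fullchain.pem does not match privkey.pem"
      bad=$((bad + 1))
    elif ! cert_valid_for_days "$dir/fullchain.pem" 30; then
      echo "$name: expires within 30 days, renew right after cutover"
      bad=$((bad + 1))
    else
      echo "$name: ok"
    fi
  done
  return "$bad"
}

# Shows which certificate the NEW server presents for a hostname, by
# connecting to its IP directly while sending the real name via SNI.
served_cert_subject() {  # served_cert_subject 203.0.113.10 example.com
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -subject
}
```

Copy the tree with something that keeps symlinks (tar, or rsync -a) rather than a plain recursive scp, then run check_live_tree and served_cert_subject before the second A record goes in.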