How to set up let's encrypt https after moving site to new server

I’ve moved a website from server A to server B, but the website on server A is using Let’s Encrypt (https), and now I don’t know the easiest way (or steps) to configure Let’s Encrypt on server B without downtime.

What is the best option, and how do I do it? I have to do this right away since server A is having problems, so please help ASAP.

My domain is: pureinfotech.com

My web server is (include version): apache 2

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Install certbot and use it to get a new certificate. You must use DNS validation, since you have no control over which server will respond to an HTTP validation request.


Edit: I did tell you to add a second A record to your DNS. That’s only to avoid downtime when you switch the first server off. It’s not needed to get a certificate with DNS validation.


Or, @mhweb can copy the certificates from the original server and use them temporarily. Then, after everything is migrated, run any ACME client and obtain a certificate.

P.S. steps included:

  1. Copy Let’s Encrypt certificates from the original server.
  2. Copy all websites & their certificates onto the new server.
  3. Configure your web server correctly.
  4. After everything went well, remove the previous server’s DNS records and obtain new certificates on the new server.
  5. Modify virtualhost and reload the web server.

Ok the way I understand is to leave the current DNS records as they are, and create another A record with the IP address of the new server, so that the DNS records will have two A records one for the old server and one for the new server, and this process will do the DNS validation, correct?

Then, on the new server, I can simply run the certbot --apache command to set things up.

Then I should be able to access the new server via https, make sure it’s working, and then I can remove the old server A record?

Thanks,

NO.

If you add a second A record, clients will connect at random to both servers, so you want to be sure they are both ready before doing this.

On the new server you cannot run certbot --apache while the old one is active, or validation will default to http and fail because only one server is validating.

The command you should run is certbot --apache --preferred-challenges=dns


What you should do is:

  • get the new server ready and with certs (either copy them off the old server as @stevenzhu said or get new ones via dns validation)
  • add a second A/AAAA record and reduce TTL on all other A/AAAA records.
  • remove old server’s A/AAAA records.
  • wait for the old TTL to expire
  • turn off old server

(edit/2: I rearranged the order of operations, it makes more sense now.)


How do I do the DNS validation on server B when the website on server A is running?

DNS validation is completely independent from whatever servers are running, you could even do it without any servers running. It’s done by adding a TXT record in your DNS panel.

OK, so I have to add a TXT record to the DNS panel, and then run the certbot --apache --preferred-challenges=dns command on server B where the new site is located?

Certbot will ask you to put a very specific TXT record in the DNS panel, yes.

Steps:

  1. In the terminal, run the command certbot --apache --preferred-challenges=dns .
  2. Certbot will provide the information to create a TXT record: Value, Hostname, and TTL.
  3. Open the domain DNS panel and create the TXT record.

Will I be adding the TXT record to the domain name already configured in the DNS panel that is configured for the old server?

Thanks,

Yes, you will be.
However, this might not be the way you want to proceed, because this way will not allow you to renew the certificate automatically unless you've configured a script that would add/remove/update the required records automatically.

Please consider using HTTP-based validation if you don't know whether your DNS provider and/or ACME client support this feature.

Thank you

Please read here: https://letsencrypt.org/docs/challenge-types/

It should be on host _acme-challenge.<YOUR_DOMAIN>

And yes, once your server is reachable via its proper fqdn please move to http validation.


Technically, you would recommend doing the moving certificate process, right?

I’ve never done the moving, so I’m trying to figure things out. Do you think this guide could help me with the steps to do this process: https://ivanderevianko.com/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server

If yes, the only thing I wouldn’t know how to do is “Point domain to the new server”, the guide shows it with nginx, and I’m using apache2.

Thanks,

Don't worry about this, the guide is only telling nginx where the certificate and key are. Apache documentation has a good tutorial on that: SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4

Or you can ask Mozilla: https://ssl-config.mozilla.org/

@9peppe @stevenzhu instead of going through this process, could I just update the DNS settings to point to the new server, let it propagate (and deal with some downtime), and then from the terminal run certbot --apache to configure Let’s Encrypt?

Thanks,

Yeah, you could.

Downtime would probably be minutes (depending on your A record TTL), but will be longer for people that get a cached response from their DNSs.

If something goes wrong, would switching the DNS settings back to the old server work? I mean, will the certificate still work on the old server?

Thanks,

The certificate will still work on the old server; however, your clients might have issues using your websites, which means the downtime will be more unpredictable.

If you want to, you can install certbot and apache via the package manager and try to copy the whole apache folder and the /etc/letsencrypt/ folder to the new server, which (theoretically) would copy all the files you need and configure the virtualhosts just like the old server.
(If you want to do this, please do it before switching any DNS records to the new server.)

Certificates are independent of each other, but, you know, I am not too comfortable juggling servers in production like this.

Can’t you just use scp to move certs from one server to the other? A very useful option is -3, which allows you to be the middle point while moving stuff between two remote machines.

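As an added example (not code from the thread, nor from certbot or the guide linked earlier), a POSIX shell script for the copy step discussed in the last few replies: it packs /etc/letsencrypt so that the live/ symlinks into archive/ and the private-key file modes survive the transfer, and then checks on the new server that each lineage's certificate still matches its private key. The paths are arguments you supply, and tar and openssl are assumed to be installed on both machines.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: pack
# /etc/letsencrypt on the old server for transfer (scp or scp -3),
# then verify on the new server that each live/<name>/ lineage still
# pairs a certificate with its private key. Assumes tar and openssl.

# Pack a letsencrypt directory into a tarball. -p keeps the 0600 mode on
# private keys, and tar stores live/*/ entries as the symlinks they are
# (they point into archive/); a plain scp -r would flatten them into
# copies, so later renewals would write files Apache no longer reads.
pack_letsencrypt() {
  src="$1"; out="$2"
  tar -C "$(dirname "$src")" -czpf "$out" "$(basename "$src")"
}

# Unpack on the new server (run as root so ownership/modes are restored).
unpack_letsencrypt() {
  tarball="$1"; dest_parent="$2"
  tar -C "$dest_parent" -xzpf "$tarball"
}

# Return 0 if the certificate's public key equals the private key's
# public key (both compared as SubjectPublicKeyInfo PEM blocks).
cert_matches_key() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check every live/<name>/ under a letsencrypt root: print one line per
# lineage with its expiry, and return non-zero if any pair is broken.
verify_live_dirs() {
  root="$1"; rc=0
  for d in "$root"/live/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    if cert_matches_key "$d/fullchain.pem" "$d/privkey.pem"; then
      echo "ok   $name $(openssl x509 -in "$d/fullchain.pem" -noout -enddate)"
    else
      echo "FAIL $name: cert/key mismatch or missing file"; rc=1
    fi
  done
  return $rc
}
```

Run pack_letsencrypt /etc/letsencrypt /root/le.tgz on the old server, copy the tarball across (scp -3 from your workstation, as suggested above), then unpack it under /etc on the new server and run verify_live_dirs /etc/letsencrypt before pointing any DNS record at it.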

Can I SFTP to the old server, download the letsencrypt folder, and upload its content to the letsencrypt folder on the new server?

After moving the folder, what other steps do I need to follow?

Thanks,