The situation:
One main domain with several subdomains, registered in DNS to a FailOverIP (FOIP).
The current production server (Server1) is configured to the FOIP; Let's Encrypt is a standard install with certbot apache, works fine.
For switching to a new Ubuntu version, I prepared a second server (Server2), but I have no idea how to get the Let's Encrypt thing done.
My goal is:
that I can switch from Server1 to Server2 without having a long downtime, or having to switch back because of trouble with SSL certificates.
Solution?
I googled and found no or only old information. Is my config so special, or is the solution so easy?
Is Server2 to be used only temporarily while Server1 is upgraded?
If that is the case, then you can just copy the privkey.pem and fullchain.pem from Server1 to Server2 for the duration of the upgrade. You can configure Server2’s Apache to use that private key and certificate file, without having to install Certbot.
The flow should be:
Server1: current production, should go away, end of life.
Server2: the new system, should go productive soon, so the renewal process must work on Server2.
So there would be a short time where both are kept alive; when Server2 works fine, Server1 gets shut down.
In that scenario, I would first manually copy the certificate in order to prepare Server2 for live traffic.
Then, once Server2 is actively serving traffic for the domain, you can install Certbot and set up automatic issuance and renewal.
This would not be disruptive to live traffic, since the transition from manually copied certificate to Certbot-managed certificate does not require any downtime (just a few graceful Apache reloads).
Some people may suggest just copying all of /etc/letsencrypt/ to your new server, but if it is going to be a different OS version or Certbot version, I would advise caution with that approach.
Can you show the letsencrypt.log file?
I'm not certain if it can renew a cert which it only has the live folder for.
What does certbot certificates show?
Changed the vhost with an http redirect to https,
started certbot --apache -d (all domains),
getting new certs, but it registered the old live entries and gives the following error message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: domain.com-0001
Domains: domain.com ...
Expiry Date: 2019-05-06 09:51:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.com-0001/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/domain.com.conf
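As an added example (not code from this thread or from Certbot), a small Python checker for the condition behind that "missing a required file reference" message: certbot reads /etc/letsencrypt/renewal/<name>.conf and expects the four file references cert, privkey, chain and fullchain above the [renewalparams] section, and a conf that lacks one of them is skipped, which is what the output above shows. The two sample configs are constructed for the example, and the version value in them is a placeholder.

```python
import os

# The four file references certbot expects in the top section of
# /etc/letsencrypt/renewal/<name>.conf; the thread's "missing a required
# file reference" error is what certbot reports when one is absent.
REQUIRED_FILE_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Return the lineage key/value pairs that sit above the first [section]."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue            # comments and blank lines carry no settings
        if line.startswith("["):
            break               # [renewalparams] holds no file references
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def missing_references(text):
    """Required keys the config does not define (certbot would skip it)."""
    settings = parse_renewal_conf(text)
    return [k for k in REQUIRED_FILE_KEYS if k not in settings]


def missing_files(text, exists=os.path.exists):
    """Referenced paths absent on disk; exists() is injectable for testing."""
    settings = parse_renewal_conf(text)
    return [settings[k] for k in REQUIRED_FILE_KEYS
            if k in settings and not exists(settings[k])]


# Constructed sample configs (not taken from the thread): one complete,
# one hand-copied without the chain/fullchain lines.
GOOD_CONF = """\
version = 0.0.0
archive_dir = /etc/letsencrypt/archive/domain.com
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
chain = /etc/letsencrypt/live/domain.com/chain.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem
[renewalparams]
authenticator = apache
"""
BROKEN_CONF = "\n".join(l for l in GOOD_CONF.splitlines()
                        if not l.startswith(("chain", "fullchain")))
```

Run `missing_references(open(path).read())` over each file in /etc/letsencrypt/renewal/ on Server2 before relying on renewal there; an empty list for both functions means certbot will load the lineage.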