How to Upgrade Server, for one Domain


#1

Hi,

I’m trying to find information for my problem.

The situation:
one main domain with several subdomains, registered in DNS to a failover IP (FOIP);
the current production server (Server1) is configured to the FOIP, Let’s Encrypt is a standard install with certbot apache, works fine.
For switching to a new Ubuntu version, I prepared a second server (Server2), but I have no idea how to get the Let’s Encrypt thing done.

My goal is:
that I can switch from Server1 to Server2 without a long downtime, or having to switch back because of trouble with SSL certificates.

Solution?
I googled and found no or only old information. Is my config so special, or is the solution so easy? :slight_smile:

Any hints?


#2

Is Server2 to be used only temporarily while Server1 is upgraded?

If that is the case, then you can just copy the privkey.pem and fullchain.pem from Server1 to Server2 for the duration of the upgrade. You can configure Server2’s Apache to use that private key and certificate file, without having to install Certbot.


#3

Thanks for your reply.

The flow should be:
Server1: current production, should go away, end of life.
Server2: the new system, should go into production soon, so the renewal process must work on Server2.

So there would be a short time where both are kept alive; when Server2 works fine, Server1 gets shut down.


#4

In that scenario, I would first manually copy the certificate in order to prepare Server2 for live traffic.

Then, once Server2 is actively serving traffic for the domain, you can install Certbot and setup automatic issuance and renewal.

This would not be disruptive to live traffic, since the transition from manually copied certificate to Certbot-managed certificate does not require any downtime (just a few graceful Apache reloads).

Some people may suggest to just copy all of /etc/letsencrypt/ to your new server, but if it is going to be a different OS version or Certbot version, I would advise caution in that approach.


#5

OK,

now some news.

I copied /etc/letsencrypt/live to my new server.
The Apache configs are the same, so after starting the server, SSL works.

I installed certbot this way:
add-apt-repository ppa:certbot/certbot
apt install python-certbot-apache

The test
certbot renew --dry-run

ran without errors, so I hope that it’s working when it’s time to renew.


#6

Can you show the letsencrypt.log file?
I’m not certain if it can renew a cert which it only has the live folder for.
What does
certbot certificates
show?


#7

OK, here are the answers from certbot renew --dry-run

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

No renewals were attempted.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

letsencrypt.log

2019-02-04 17:19:33,087:DEBUG:certbot.main:certbot version: 0.28.0
2019-02-04 17:19:33,088:DEBUG:certbot.main:Arguments: ['--dry-run']
2019-02-04 17:19:33,089:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-04 17:19:33,096:DEBUG:certbot.log:Root logging level set at 20
2019-02-04 17:19:33,097:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-04 17:19:33,098:DEBUG:certbot.renewal:no renewal failures

certbot certificates shows

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So is it necessary to copy the full /etc/letsencrypt folder?


#8

I don’t know about that…

As I had thought.

Not really.
You could more easily just get all new certs (and with less chance of introducing “problems”).


#9

OK, next try.

Changed the vhost with HTTP redirect to HTTPS,
started certbot --apache -d all domains,
got new certs, but it registered the old live entries and gave the following error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error:    renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
    Certificate Name: domain.com-0001
    Domains: domain.com ...
    Expiry Date: 2019-05-06 09:51:43+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/domain.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.com-0001/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/domain.com.conf

Can I delete the

/etc/letsencrypt/renewal/domain.com.conf

to fix it, or should I leave it?
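The two symptoms in this thread, certbot certificates reporting "No certs found." after only live/ had been copied (#7), and the "missing a required file reference" error on /etc/letsencrypt/renewal/domain.com.conf (#9), come from the same place: Certbot enumerates certificates from renewal/*.conf, and each conf must name cert, privkey, chain and fullchain, each of which Certbot expects to be a symlink in live/ whose target (in archive/) exists. A live/ directory copied on its own has neither a conf nor symlinks. The read-only audit below is an added example, not Certbot's code and not code from anyone in the thread; it builds a constructed configuration tree in a temporary directory (the lineage names good.example, copied.example and broken.example, and the placeholder PEM text, are made up and contain no real keys) and reports which lineages Certbot would be able to list and renew. It changes nothing on disk outside the temporary directory.

```python
"""Audit a Certbot config directory for lineage consistency (added example).

Certbot lists and renews only what renewal/*.conf describes: each conf must
reference cert, privkey, chain and fullchain, each as a symlink in live/
whose target exists in archive/. A live/ directory copied over on its own
has no conf and no symlinks, hence "No certs found."; a conf missing one of
the four keys fails with "missing a required file reference".
"""
import os
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(path):
    """Return the key = value pairs above the first [section] header."""
    values = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            values[key.strip()] = value.strip()
    return values


def audit(config_dir):
    """Map each lineage name to a list of problems; an empty list means OK."""
    root = Path(config_dir)
    renewal_dir, live_dir, archive_dir = root / "renewal", root / "live", root / "archive"
    report = {}
    for conf in sorted(renewal_dir.glob("*.conf")) if renewal_dir.is_dir() else []:
        problems, values = [], parse_renewal_conf(conf)
        for key in REQUIRED_KEYS:
            if key not in values:
                problems.append(f"{conf.name} is missing the '{key}' reference")
                continue
            ref = Path(values[key])
            if not ref.is_symlink():
                problems.append(f"{ref} is a plain file, not a symlink into archive/")
            elif not ref.exists():
                problems.append(f"{ref} is a dangling symlink")
            else:
                # Stricter than Certbot, which only needs the link target to exist.
                try:
                    ref.resolve().relative_to(archive_dir.resolve())
                except ValueError:
                    problems.append(f"{ref} does not resolve into {archive_dir}")
        report[conf.stem] = problems
    # live/ directories without a renewal conf are invisible to Certbot.
    if live_dir.is_dir():
        for entry in sorted(live_dir.iterdir()):
            if entry.is_dir() and entry.name not in report:
                report[entry.name] = [f"{entry} has no renewal conf (certbot: 'No certs found.')"]
    return report


def build_sample_tree(root):
    """Constructed lineages with placeholder PEM text (no real keys):
    good.example (complete), copied.example (live/ copied alone, no conf),
    broken.example (conf present but missing chain and fullchain)."""
    root = Path(root)
    live, archive, renewal = (root / d for d in ("live", "archive", "renewal"))
    for d in (live, archive, renewal, live / "good.example", archive / "good.example",
              live / "copied.example", live / "broken.example"):
        d.mkdir()
    conf = [f"archive_dir = {archive / 'good.example'}"]
    for key in REQUIRED_KEYS:
        target = archive / "good.example" / f"{key}1.pem"
        target.write_text(f"placeholder {key}\n")
        link = live / "good.example" / f"{key}.pem"
        os.symlink(target, link)
        conf.append(f"{key} = {link}")
        for name in ("copied.example", "broken.example"):
            (live / name / f"{key}.pem").write_text(f"copied {key}\n")
    conf += ["", "[renewalparams]", "authenticator = apache", "installer = apache"]
    (renewal / "good.example.conf").write_text("\n".join(conf) + "\n")
    partial = [f"{k} = {live / 'broken.example' / (k + '.pem')}" for k in ("cert", "privkey")]
    (renewal / "broken.example.conf").write_text("\n".join(partial) + "\n")


def demo_report():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for lineage, problems in demo_report().items():
        print(f"{lineage}: {'OK' if not problems else 'BROKEN'}")
        for problem in problems:
            print("   ", problem)
```

Run as-is it prints one verdict per constructed lineage; pointed at a real /etc/letsencrypt (read access is enough), audit() tells you whether a migrated host actually has renewable lineages. That is a check worth doing before trusting certbot renew --dry-run, which in this thread passed with "No renewals were attempted" precisely because Certbot found nothing to renew.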


#10

Don’t delete anything manually.
Try:
certbot certificates
then
certbot delete --cert-name [the name of the cert you want to delete]

then get a new one.