Install LE on test server before making the site live


#1

I’m transfering a site to a new server and in order for the site to work correctly, it needs an ssl.

I need this ssl to work before the site is live so there is no interruption with the sites service.

How can I do this? When I try to install the cert, of course it’s letting me know I’m unauthorized because the site is live on another server.


#2

The simpltest option for a one-time migration like that is probably the manual plugin, which you could run on the new server, and which allows you to upload the verification files to your old server so that the ownership validation succeeds.

A neat trick you could also try would be to make your new server available at something like new.example.com, and have your existing web server redirect all requestes for the path /.well-known/acme-challenge/* to http://new.example.com/.well-known/acme-challenge/*, using a 301 redirect. Then you can simply use the webroot or standalone plugin to request the certificate on the new server. You’re probably better off with the manual plugin in this case, unless you’re going to have to go through this process repeatedly.


#3

Thanks pfg,

I’m going to try the manual plugin. I checked the link for the manual plugin but I’m not sure how it works, is there a step by step tutorial somewhere for this?


#4

The syntax for the manual plugin is not all that different from other plugins. The installation instructions specific to your OS on the certbot homepage should help you get the client installed, and the simplest version of using the manual plugin is basically:

./certbot-auto certonly --manual -d example.com

Where example.com is your domain. The client will do its thing, and pause when it’s time to perform the domain validation, asking you to upload certain files on the old server. Once you’ve done that, the client will tell Let’s Encrypt to go ahead and check the files are present, and if that works, you get your certificates.

Were you planning on using the automatic certificate installation/configuration that’s available for apache? There might be a way to get this working with the manual plugin as well - if you’re looking for that kind of solution, I’ll try to test this and provide some instructions. Otherwise, the command above should do. :wink:


#5

Awesome. Yes, I was trying to do this with apache’s first but moved to certbot. So I’ll try certbot first with this command and let you know what happens.


#6

I’ve entered the command and I’m getting this:

Make sure your web server displays the following content at
http://www.signa.com/.well-known/acme-challenge/#### before continuing:

###acme-challenge-key###

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" ###acme-challenge-key### > .well-known/acme-challenge/###
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 

so, I need to put this file on my old host, correct? It’s shared hosting, so I’ll need to create a file through cpanel under a new directory /tmp/certbot/public_html/.well-known/acme-challenge ? How should I make this file?


#7

In my old host, I’ve created a txt file inside /public_html/.well-known/acme-challenge/ with the #### filename key, and inside that file, I put the ###acme-challenge-key###

I saved both keys for both domains and continued. I got this message:

Failed authorization procedure. signa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error reading HTTP response body: net/http: request canceled (Client.Timeout exceeded while reading body), www.signa.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.signa.com/.well-known/acme-challenge/Wt052esDhv0mvN4fvaUAmjSi9vGMsU579ssgPGvLJtA: "<!DOCTYPE html>
    <!--[if lte IE 9 ]><html class="ie lt-ie9" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]-->
    <!--[if (gt"

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: signa.com
       Type:   unauthorized
       Detail: Error reading HTTP response body: net/http: request
       canceled (Client.Timeout exceeded while reading body)

       Domain: www.signa.com
       Type:   unauthorized
       Detail: Invalid response from
       http://www.signa.com/.well-known/acme-challenge/Wt052esDhv0mvN4fvaUAmjSi9vGMsU579ssgPGvLJtA:
       "<!DOCTYPE html>
       <!--[if lte IE 9 ]><html class="ie lt-ie9" lang="en-US" prefix="og:
       http://ogp.me/ns#"> <![endif]-->
       <!--[if (gt"

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.

#8

I’m not sure what went wrong with signa.com there (maybe a temporary problem, looks like a timeout).

www.signa.com does not seem to serve the challenge token at http://www.signa.com/.well-known/acme-challenge/Wt052esDhv0mvN4fvaUAmjSi9vGMsU579ssgPGvLJtA, but rather a generic “not found” page.

The /tmp/certbot/public_html/.well-known/acme-challenge path from the manual plugin output is just a suggestion in case you do not have an existing web server for that domain. Since you do have one, you’ll want to upload this file under the document root of your existing web server - basically the directory you upload files to when you want to serve them. In the end, they need to be available at http://www.signa.com/.well-known/acme-challenge/{random}. The best way to test this is put a file called “test” with some random content in that directory and try browsing there with your browser (that’s essentially what Let’s Encrypt does, automatically).

In case you already uploaded the file to the right directory, .htaccess files are a common problem - make sure that there are no rewrite rules that might redirect the request internally and prevent the file from being served.

Note that the challenge token is going to change when you try running certbot again.


#9

Thanks for your help pfg!

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.signa.com/fullchain.pem. Your cert will
   expire on 2016-10-04. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I was using an extension of .txt at the end of the keys which was causing the problem. So I retried without the extension and it’s working.

How can I test this certificate before making the site live? I’ve got my local host file set up to view my test site. I’m getting an: ERR_SSL_PROTOCOL_ERROR when I try to view the site. Is something configured incorrectly or do I need to have the site live to work?


#10

Your web browser will expect the name on the certificate to match the name in the URL it was trying to fetch

So you should be able to test without the site being “live” but you need to arrange (e.g. by editing the “hosts” file if you know how to do that) for the browser doing the testing to reach the not yet live site when you type in a URL for the site named in the certificate so that names match.

The ERR_SSL_PROTOCOL_ERROR suggests something else is wrong though, it might be at your end, or it might be the server setup. You will need to figure that part out first before trying to ensure the names match.


#11

The configuration depends a bit on your server software and version. Mozilla’s SSL Configuration generator is generally a good starting point if you want to do things manually.

Alternatively, you can still use the apache installer that’s included with certbot now that you have a certificate. To do that, simply run:

./certbot-auto install --cert-path /etc/letsencrypt/live/www.signa.com/fullchain.pem --key-path /etc/letsencrypt/live/www.signa.com/privkey.pem

Or if you’re running an apache version < 2.4.8 (use apache2 -v if you’re not sure):

./certbot-auto install --cert-path /etc/letsencrypt/live/www.signa.com/cert.pem --key-path /etc/letsencrypt/live/www.signa.com/privkey.pem --chain-path /etc/letsencrypt/live/www.signa.com/chain.pem

This will automatically configure SSL in apache for you.


#12

pfg, that did it.

Awesome instructions. The test site is working with ssl, thank you so much!


#13

Glad it worked! Once you finish the migration and the new server is live, I would recommend requesting a new certificate using the apache plugin once somewhere within the next 2 months (following the apache instruction on certbot’s homepage, the existing certificate will just be replaced) in order to move your renewal configuration away from the manual plugin, which cannot run automatically (obviously :smile:). This will allow you to use the recommended ./certbot-auto renew command to renew after that (more details in the docs as well).


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.