Install SSL in advance

I have two servers A & B. Right now my domain points towards A server. I want to switch the domain to B server. Can we install the SSL certificates before I point it towards the B server? This is to avoid downtime. Is this possible?

Yes.

1 Like

Note that if you use an ACME client like Certbot, you usually won't be able to get the new certificate in an automated way on the new machine before the DNS record is updated to point to it. That's not because obtaining a certificate on the new machine is impossible or against CA policy or something. It's just because the automation methods usually use an inbound connection from the CA to the server.

If you're using Certbot, you could use --manual to have Certbot prompt you for the instructions from the CA. With HTTP-01 validation, you would create the indicated validation files on the old server because that's where the CA will check when performing the validation step!

This won't enable automated renewal of the new certificate, but it will allow you to switch over with no downtime, as you asked for.

Alternatively, you could copy the existing certificate and key files onto the new server. They are valid and will work in a new machine and don't have to be installed on only one machine at a time. There, again, copying the certificate and key files by themselves will probably not enable automated certificate renewal on the new server.

1 Like

Please make sure you only copy your private key with a secure method, such as scp.

3 Likes
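
For the copy-the-existing-certificate route discussed in the replies above, these are checks one could run on server B before changing the DNS record. This is an added example, not part of the original thread; it assumes OpenSSL and a POSIX-style shell on server B, and the function names, file paths, domain and IP address are hypothetical values supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: checks to run on server B before the DNS record is changed.
# All paths, the domain and the IP address are caller-supplied (assumptions).

# True only if the private key belongs to the certificate (same public key).
cert_matches_key() {    # usage: cert_matches_key CERT KEY
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate is valid for DOMAIN and has at least DAYS left.
cert_covers() {         # usage: cert_covers CERT DOMAIN [DAYS]
    local days=${3:-7}
    # -checkhost reports its result as text, so match on the message.
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate' || return 1
    # -checkend exits non-zero if the certificate expires within the window.
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# True if group and others have no permissions on the copied key file.
key_is_private() {      # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the TLS server at IP already presents CERT when asked for DOMAIN
# via SNI. Connecting by IP tests server B while DNS still points at A.
served_cert_matches() { # usage: served_cert_matches CERT DOMAIN IP [PORT]
    local want got
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    got=$(openssl s_client -connect "$3:${4:-443}" -servername "$2" \
            </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

For example, `served_cert_matches fullchain.pem example.com 203.0.113.10` (constructed values) queries server B by IP address with the domain as SNI, so the result does not depend on where DNS currently points.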