Issue SSL certificate for staging site and move on to production

Hi Everyone. Let me start off by saying how much I appreciate everything the Let’s Encrypt community has done for encrypting the web for everyone!

I have the following situation I need some clarification on:

  1. I’m running a production site (old site) on a shared host with cPanel access. I migrated to HTTPS and Let’s Encrypt a while ago and it works like a charm. It’s linked with my main domain, which has a good SEO ranking, so I need to keep the domain and reroute it to the new site.
  2. I’ve developed a new website on a VPS at GCP. I’ve made a subdomain to my main domain and DNS linked it to the development / staging site.
  3. My new site is now ready to go to production, which means I will change the DNS records to point to the IP address of the new VPS.
    What I’m not sure how to do is deploy the Let’s Encrypt Certbot to include the main domain on my new VPS.
    Do I first reroute the DNS and then deploy the certificate?
    Do I first issue a certificate for the staging subdomain, then reroute the DNS and then change the certificate?

Any help is much appreciated!
Thanks

Hi @matija.jezikovna

So you have a valid certificate (not outdated). The simplest idea:

Install this certificate on your new site (development). If you call your development site, then you should see an error: mismatch. Your domain name is something like development.yourwebsite.com, your certificate has a name www.yourwebsite.com.

But when you change your DNS entry, then your domain name is the same - www.yourwebsite.com - no mismatch, the certificate is perfect.

Then, a few weeks later, create a new certificate.

If the intended hostname is exactly the same, you could copy the old certificate and private key from the old machine onto the new machine. While this won't configure it for automated renewal, it could allow the new machine to accept HTTPS connections with no error.

Alternatively, if your DNS provider supports an API for updates, you could use the DNS authentication method to get a certificate on the new machine even while the A record is pointed to the old machine.

Alternatively, if you can accept a brief outage, you could just change the A record to point at the new machine and then run a Let's Encrypt client like Certbot there to obtain a certificate there. You wouldn't have HTTPS support on the new machine until this process is complete.

Hi Schoen, and thanks for a fast reply.
I guess I’ll go with the third option you recommended as it will also provide certificate renewal with as little hassle as possible.

So to sum up:

  1. Redirect DNS to new site (just A record)
  2. Change DNS CNAME records to forward https requests back to http
  3. Install cert or and add auto renew cron jobs at new machine
  4. Fix CNAME records
  5. Fix WordPress databases from subdomain.maindomain.com to maindomain.com

Please confirm this is the correct order, might be helpful for other users as well.
Thanks!

CNAME records are not protocol-specific, so this part doesn't make sense to me.

Actually, I'm kind of confused overall about what you're planning to do with subdomains. I first thought that you had a test version of your site at the same domain name that you plan to use for the site, but now I think from your reference to subdomain.maindomain.com that this isn't true.

Hi Schoen,

sorry if that wasn’t clear.
So:

And of course you’re right about the CNAME records, my mistake there.

So easiest would be to reroute DNS to the new IP and then use the Certbot to issue a new certificate with auto renewal setup there?

Yes, I think so. In this case you would have a brief outage (at least for the HTTPS version of the site).
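
The order settled on above (move the A record first, then run Certbot on the new machine) only works once the names really resolve to the new host, because HTTP validation connects to wherever DNS points. The following pre-flight check is an added example, not part of the thread; `example.com`, `203.0.113.10`, the webroot path, and the choice of `dig` and Certbot's webroot plugin are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight DNS check before running Certbot on the new VPS.
# Domain names, the IP and the webroot path are constructed placeholders.

# resolve TYPE NAME -> one address per line. Needs `dig`; asks a public
# resolver so a stale local cache does not hide the real state.
resolve() {
    dig +short "$2" "$1" @"${RESOLVER:-1.1.1.1}" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|:' || true
}

# points_to_new_host NAME NEW_IP
# Passes only if NAME has A records and all of them equal NEW_IP. Any AAAA
# record fails the check: this sketch assumes an IPv4-only VPS, and
# Let's Encrypt tries IPv6 first when an AAAA record exists.
points_to_new_host() {
    local name="$1" new_ip="$2" a aaaa ip
    a=$(resolve A "$name")
    aaaa=$(resolve AAAA "$name")
    [ -n "$a" ] || { echo "$name: no A record" >&2; return 1; }
    for ip in $a; do
        [ "$ip" = "$new_ip" ] || { echo "$name: A still lists $ip" >&2; return 1; }
    done
    [ -z "$aaaa" ] || { echo "$name: AAAA present ($aaaa)" >&2; return 1; }
}

# ready_for_certbot NEW_IP NAME... -> 0 only when every name has cut over.
ready_for_certbot() {
    local new_ip="$1" rc=0 name
    shift
    for name in "$@"; do
        points_to_new_host "$name" "$new_ip" || rc=1
    done
    return "$rc"
}

# Usage: ./cutover.sh 203.0.113.10 example.com www.example.com
if [ "$#" -ge 2 ]; then
    new_ip="$1"; shift
    ready_for_certbot "$new_ip" "$@" || { echo "DNS not cut over; skipping certbot" >&2; exit 1; }
    args=""
    for n in "$@"; do args="$args -d $n"; done
    # Webroot plugin is an assumption; use the plugin that fits your server.
    certbot certonly --webroot -w "${WEBROOT:-/var/www/html}" $args
    certbot renew --dry-run   # confirm unattended renewal will work
fi
```

Lowering the TTL on the A record some time before the switch shortens the window in which resolvers still return the old address.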
