Hi Everyone. Let me start off by saying how much I appreciate everything the Let's Encrypt community has done for encrypting the web for everyone!
I have the following situation I need some clarification on:
I'm running a production site (old site) on a shared host with cPanel access. I migrated to HTTPS and Let's Encrypt a while ago and it works like a charm. It's linked with my main domain, which has a good SEO ranking, so I need to keep the domain and reroute it to the new site.
I’ve developed a new website on a VPS at GCP. I’ve made a subdomain to my main domain and DNS linked it to the development / staging site.
My new site is now ready to go to production, which means I will change the DNS records to point to the IP address of the new VPS.
What I'm not sure how to do is deploy the Let's Encrypt Certbot to include the main domain on my new VPS.
Do I first reroute the DNS and then deploy the certificate?
Do I first issue a certificate for the staging subdomain, then reroute the DNS and then change the certificate?
So you have a valid certificate (not outdated). The simplest idea:
Install this certificate on your new site (development). If you call your development site, then you should see an error: mismatch. Your domain name is something like development.yourwebsite.com, your certificate has a name www.yourwebsite.com.
But when you change your DNS entry, then your domain name is the same - www.yourwebsite.com - no mismatch, the certificate is perfect.
Then, a few weeks later, create a new certificate.
If the intended hostname is exactly the same, you could copy the old certificate and private key from the old machine onto the new machine. While this won't configure it for automated renewal, it could allow the new machine to accept HTTPS connections with no error.
Alternatively, if your DNS provider supports an API for updates, you could use the DNS authentication method to get a certificate on the new machine even while the A record is pointed to the old machine.
Alternatively, if you can accept a brief outage, you could just change the A record to point at the new machine and then run a Let's Encrypt client like Certbot there to obtain a certificate there. You wouldn't have HTTPS support on the new machine until this process is complete.
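The reply above describes observing a name mismatch when the old certificate is served for a different hostname, and the three cutover options (copy the certificate, DNS-01 validation, or move the A record and then run Certbot). The following pre-flight check is an added example written for this thread, not code from Let's Encrypt, Certbot or any poster: it resolves the hostname, compares the addresses with the new VPS IP, connects to the new box with SNI for the real hostname, and reports whether the served certificate covers it. The hostname, the new IP address (203.0.113.10) and the certificate names in the comments are constructed placeholders; the hostname-matching rule is the standard one (exact match, or a wildcard covering exactly one leftmost label).

```python
"""Pre-cutover check: has DNS moved to the new host, and does the
certificate it serves actually cover the production hostname?

Usage: python precheck.py www.yourwebsite.com 203.0.113.10
"""
import socket
import ssl
import sys


def hostname_matches(hostname, cert_names):
    """True if hostname is covered by one of the certificate's DNS names.

    A wildcard such as *.example.com covers www.example.com but neither
    example.com itself nor a.b.example.com (one label only).
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def names_from_cert(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certificates may only carry a commonName
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def dns_points_at(resolved_ips, new_ip):
    """True once every address the name resolves to is the new host's IP."""
    return bool(resolved_ips) and all(ip == new_ip for ip in resolved_ips)


def cutover_status(hostname, new_ip, resolved_ips, cert_names):
    """Turn the two observations into the next step of the 'move the A record,
    then run Certbot' plan discussed in the thread."""
    dns_moved = dns_points_at(resolved_ips, new_ip)
    cert_ok = hostname_matches(hostname, cert_names)
    if not dns_moved:
        return "dns-not-moved"      # HTTP-01 on the new box would still fail
    if not cert_ok:
        return "run-certbot"        # DNS is live; obtain the certificate now
    return "done"                   # name resolves here and the cert matches


def fetch_cert_names(hostname, connect_ip, port=443):
    """Connect to connect_ip with SNI=hostname (so the new box can be checked
    before DNS moves) and return the DNS names in the served certificate.
    Chain verification stays on; only the hostname check is disabled because
    a mismatch is exactly what we want to observe rather than abort on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((connect_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return names_from_cert(tls.getpeercert())


def resolve_ipv4(hostname):
    """All A records the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(__doc__)
    name, new_ip = sys.argv[1], sys.argv[2]
    ips = resolve_ipv4(name)
    served = fetch_cert_names(name, new_ip)
    print("resolves to:", ips)
    print("new host serves certificate for:", served)
    print("status:", cutover_status(name, new_ip, ips, served))
```

Run it against the new VPS's address before and after changing the A record: "dns-not-moved" means an HTTP-01 challenge on the new machine would still be answered by the old host, "run-certbot" means the record has propagated to your resolver and it is time to obtain the certificate, and "done" means the served certificate already covers the production name (for instance after copying the old certificate and key across, as the first option above suggests).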
Hi schoen, and thanks for the fast reply.
I guess I'll go with the third option you recommended, as it will also provide certificate renewal with as little hassle as possible.
So to sum up:
1. Redirect DNS to the new site (just the A record)
2. Change DNS CNAME records to forward HTTPS requests back to HTTP
3. Install the cert and add auto-renew cron jobs on the new machine
CNAME records are not protocol-specific, so this part doesn't make sense to me.
Actually, I'm kind of confused overall about what you're planning to do with subdomains. I first thought that you had a test version of your site at the same domain name that you plan to use for the site, but now I think from your reference to subdomain.maindomain.com that this isn't true.