Migrate servers by changing DNS and generate new certificates

I'm trying to migrate from my current Windows 2016 server to a new Windows 2019 server. On my old server I've used winacme to generate the let's encrypt certificates.
So I've been looking at: win-acme

My question now is simple:

What if I don't follow these steps, but rather just point DNS settings from my old to my new server. Then on my new server I generate the let's encrypt certificates (basically ignoring my old server), will that work WITHOUT requiring all the migration steps above OR the need to invalidate the certificates that were generated on the old server?

(I understand that my site might be down temporarily as I make this change. But I want to know if it'll work as to me it's faster than all these migration steps that are error prone imho)

Many thanks ahead!

Hi @peter4, and welcome to the LE community forum :slight_smile:

You really don't need to do anything with or about the old server and any certs therein.
So, yes, you can (withstanding the inherent HTTPS downtime) migrate to the new server "from scratch".

3 Likes

Wow, ultrafast reply! Thank you so much! I'll start trying that now :smiley:
And sorry for not being clear, I was referring to the migration steps shown here win-acme

1 Like

Oh sorry, 1 more question: so it's possible to have Let's encrypt certificates on 2 different servers, I can jsut point my DNS to the one I want and there will be no conflict? I thought maybe Let's Encrypt was tracking all certificates centrally and would block certificates for the same domain being active on 2 different machines/IPs, but I guess not?

1 Like

Yes, actually up to five separate and exact certs can be issued (within the same weeks time).
Then it starts to LIMIT you.

1 Like

Nope, as soon as the certificate is issued, Let's Encrypt stops knowing anything about whether or how or where you use it! (This sometimes confuses people when they get renewal warnings, because they may have changed the domains covered by the old certificate, but Let's Encrypt doesn't know whether that meant that they stopped using the old one or not, as opposed to using both on different machines. So the renewal warning e-mail is sent in this case and some people are confused because they think "well, obviously I'm using the new certificate in place of the old one"—but Let's Encrypt has no way to know this!)

Assuming you are using http validation the biggest issue will be waiting for DNS to point to your new server so you can go ahead and continue to request/renew certs again.

You could optionally export the PFX for each certificate and import it onto the new server, then manually create all your https bindings or script them, if you do so they should ideally be exactly the same config as your existing server, usually hostnames set, SNI checked and IP (All Unassigned). That way you don't have to worry about getting win-acme all setup and running until after your sites are back up and working normally.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.