Moving a from one LAMP server to another, will change DNS A record to new IP. What’s simplest, most seamless way to handle certbot? Ideally https works on both servers for a day or two while DNS propagates. I have the contents of /etc/letsencrypt/ from the live current webserver. From what I’m reading, I can just copy the /live, /archive, and /renewal folders over to the new server?
Is there a solid way to test this before actually changing the domain name’s A record to point to the new server’s IP address?
I believe you need to copy the full contents of /etc/letsencrypt, since most directories are important (such as /accounts).
I don’t think there’s a huge danger of bad things happening, as long as the time until expiration on your active certificate(s) is relatively long (>14 days or something).
Step 1. Copy /etc/letsencrypt to newserver from oldserver
Step 2. Get webserver on newserver serving the existing/old certificate(s) from /etc/letsencrypt
Step 3. Point the domain to newserver at any time from this point.
Step 4. Disable cron task on oldserver
Step 5. Enable cron task on newserver
Step 6. Wait for renewal errors or success on newserver, use your remaining time until expiry to fix any renewal issues.
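An added example, not part of the thread or of Certbot itself: a pre-cutover check for steps 1 and 2 that verifies the copied tree is complete and reads the certificate the new server presents without changing DNS. The function names `check_le_tree` and `served_fingerprint` are hypothetical, and the script assumes Certbot's standard directory layout.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names), assuming Certbot's standard layout.

# check_le_tree <letsencrypt-dir> <cert-name>
# Prints one line per problem found; returns 0 if the copy looks complete.
check_le_tree() {
  local root name problems f link conf acct
  root=$1; name=$2; problems=0
  # live/<name>/*.pem must be symlinks that resolve into archive/<name>/.
  # A copy that skipped archive/ or dereferenced the links fails here.
  for f in cert chain fullchain privkey; do
    link="$root/live/$name/$f.pem"
    if [ ! -L "$link" ]; then
      echo "not a symlink: live/$name/$f.pem"; problems=1
    elif [ ! -e "$link" ]; then
      echo "dangling symlink: live/$name/$f.pem"; problems=1
    fi
  done
  # renewal/<name>.conf names the ACME account used for renewal;
  # its directory must exist somewhere under accounts/.
  conf="$root/renewal/$name.conf"
  if [ ! -f "$conf" ]; then
    echo "missing renewal/$name.conf"; return 1
  fi
  acct=$(sed -n 's/^account *= *//p' "$conf" | head -n 1)
  if [ -z "$acct" ]; then
    echo "no account in renewal/$name.conf"; problems=1
  elif ! find "$root/accounts" -type d -name "$acct" 2>/dev/null | grep -q .; then
    echo "account $acct not under accounts/"; problems=1
  fi
  return "$problems"
}

# served_fingerprint <ip> <hostname>
# SHA-256 fingerprint of the certificate the server at <ip> presents for
# <hostname> (SNI), without touching DNS. Compare with:
#   openssl x509 -in /etc/letsencrypt/live/<cert-name>/cert.pem -noout -fingerprint -sha256
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}
```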
It sounds like there can be problems if you copy over everything in the /letsencrypt folder. Instead the recommendation seems to be just copying the contents of those specific folders.
I was able to get it to work just copying the contents of live/ and archive/, but the renewal process is not going to work. Can I just run certbot again on the new server?
Why? If you don't copy the /accounts folder, how could certbot renew any certificate then? Each certificate is bound to an account.
You could also just start from scratch and reissue each certificate on the new server. This will not affect any previously issued certificate on the old server.