Migrating to new server

My domain is: guideastuces.com

I need to move it to a new server (Debian 8.11) keeping the same domain name and all existing URLs.

The website is set up properly on the new server, but before pointing the Domain name I have to set up the certificate.

I tried to create a new certificate on the new server (via PLESK 18) but without success.

Here are the details of the error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/3649241122.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching https://guideastuces.com/.well-known/acme-challenge/46cTvzzcIucP0YNA6UggnbW4xl6q85uS6TOiJKAUkmQ: Timeout during connect (likely firewall problem)

Maybe I have to move my current certificate to the new server. If so, can you show me how to do this?

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine : Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): PLESK

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know

can this help you?

https://support.plesk.com/hc/en-us/articles/360002205273-How-to-download-an-SSL-certificate-in-Plesk

you need fullchain and key.


alternatives include: switching the dns/ip and make new certs, using the dns-01 challenge instead. (does plesk support it?)

Thank you for the link, but I don’t have Plesk in the old server.

About the 2nd option, can you explain please? This is the first time I do this.

how are you managing certificates in the old server? you can import them into plesk, I think.

Manually via ssh terminal

What acme client did you use? certbot? then you’ll find the files you need in /etc/letsencrypt/live

Yes I have that folder :


I go to Plesk->Add certificate but I don’t know which files to upload:

*.key is key.pem

*.crt is fullchain.pem

and *-ca.crt you can omit it, if using fullchain. if you use cert.pem instead of fullchain, give chain.pem as the last file.

Ok I uploaded key.pem and fullchain.pem. Now I have following message :

Information: The SSL / TLS certificate has been added. For this to work, assign the certificate to secure a domain, email address, or webmail.

you should add both certificates, I think. then I don’t know what plesk is talking about, it’s probably how it works with certs.

Is there any other way to do this? Or generate a new certificate, for example?

You can try and get a wildcard certificate via the plesk interface. This will force plesk to use the dns challenge and you’ll be able to get a new cert without changing the A/AAAA records, but I don’t know if it will be able to renew automatically.

(I hate control panels)

I tried to get a wildcard certificate via Plesk, but it failed.

https://guideastuces.com/.well-known/acme-challenge/A7ZEr4yOD2KPWZIUJu9nHV0OWFZPc0EiY4CFwgiiSWM: Timeout during connect

It makes sense, because the A/AAAA records of guideastuces.com point to the old server. Of course, I shouldn't change them before I fix the certificate on the new server.

it doesn't, wildcard certificates don't use A/AAAA records, only TXT ones. But plesk might be stupid enough to use dns-01 for *.example.com and http-01 for example.com (both are needed)

How much downtime are you comfortable with? Obtaining a certificate doesn't take a lot of time.

You can also obtain a certificate on the old server and upload it on the new one. Make sure to get all domains you need on one certificate (certbot certonly --cert-name newserver -d example.com -d www.example.com -d other.example.com)

Up to 3 hours.

I will try this option.

then you can switch dns records and get certs on the new server (use short ttl in case you have to go back)

In the end, it was an IPv6 address problem. I removed the AAAA records in the old server and the problem is gone.
Thank you, I really appreciate your help.
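An added example, not part of the thread: the last post traced the "Timeout during connect" error to the AAAA records, so this sketch tests every A and AAAA address published for a name separately instead of stopping at the first one that answers. All function names are this example's own, and the sample resolver and connector are constructed stand-ins using documentation address ranges.

```python
import socket

RECORD = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}

def resolve(host, port):
    """Return sorted, de-duplicated (record_type, address) pairs for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(RECORD[fam], sa[0]) for fam, _, _, _, sa in infos if fam in RECORD})

def tcp_connect(address, port, timeout=5.0):
    """Return None if a TCP connection succeeds, otherwise the error text."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return None
    except OSError as exc:  # covers timeouts, refusals and unreachable networks
        return str(exc) or type(exc).__name__

def check_reachability(host, ports=(80, 443), resolver=resolve, connector=tcp_connect):
    """Try every published address on every port; never stop at the first success."""
    results = []
    for port in ports:
        for record, address in resolver(host, port):
            error = connector(address, port)
            results.append({"record": record, "address": address, "port": port,
                            "ok": error is None, "error": error})
    return results

def failing_records(results):
    """Record types (A / AAAA) that have at least one unreachable address."""
    return sorted({r["record"] for r in results if not r["ok"]})

# Constructed sample (documentation address ranges): the AAAA record points at
# an address where nothing answers, the A record at a working server.
def sample_resolver(host, port):
    return [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")]

def sample_connector(address, port, timeout=5.0):
    return "timed out" if ":" in address else None

if __name__ == "__main__":
    for r in check_reachability("example.com", resolver=sample_resolver,
                                connector=sample_connector):
        state = "ok" if r["ok"] else "FAIL (" + r["error"] + ")"
        print(r["record"], r["address"], r["port"], state)
    # Against a real name, call check_reachability("your.domain") from a host
    # that has both IPv4 and IPv6 connectivity, or the result is misleading.
```

A name whose `failing_records` result contains `AAAA` but not `A` matches the situation the thread ended on.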
