Migrating to new server

My domain is: guideastuces.com

I need to move it to a new server (Debian 8.11) keeping the same domain name and all existing URLs.

The website is set up properly on the new server, but before pointing the Domain name I have to set up the certificate.

I tried to create new certificate on the new server (via PLESK 18) but without success.

Here are the details of the error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/3649241122.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching https://guideastuces.com/.well-known/acme-challenge/46cTvzzcIucP0YNA6UggnbW4xl6q85uS6TOiJKAUkmQ: Timeout during connect (likely firewall problem)

May be, I have to move my current certificate to the new server. If so can you show me how to do this ?

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine : Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): PLESK

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know

can this help you?

https://support.plesk.com/hc/en-us/articles/360002205273-How-to-download-an-SSL-certificate-in-Plesk

you need fullchain and key.


alternatives include: switching the dns/ip and make new certs, using the dns-01 challenge instead. (does plesk support it?)

Thank you for the link, but I don’t have Plesk in the old server.

About the 2nd option, can you explain please? This is the first time i do this :confused:

how are you managing certificates in the old server? you can import them into plesk, I think.

Manually via ssh terminal

What acme client did you use? certbot? then you’ll find the files you need in /etc/letsencrypt/live

Yes I have that folder :

Capture d’écran 2020-03-30 à 15.36.15

I go to Plesk->Add certificate but I don’t know witch files upload :

Capture d’écran 2020-03-30 à 15.40.14

*.key is key.pem

*.crt is fullchain.pem

and *-ca.crt you can omit it, if using fullchain. if you use cert.pem instead of fullchain, give chain.pem as the last file.

Ok I uploaded key.pem and fullchain.pem. Now I have following message :

Information: The SSL / TLS certificate has been added. For this to work, assign the certificate to secure a domain, email address, or webmail.

you should add both certificates, I think. then I don’t know what plesk is talking about, it’s probably how it works with certs.

:confused:
is there any other way to do this ? or generate a new certificate for example ?

You can try and get a wildcard certificate via the plesk interface. This will force plesk to use the dns challenge and you’ll be able to get a new cert without changing the A/AAAA records, but I don’t know if it will be able to renew automatically.

(I hate control panels)

I tried to get a wildcard certificate via Plesk, but it failed.

https://guideastuces.com/.well-known/acme-challenge/A7ZEr4yOD2KPWZIUJu9nHV0OWFZPc0EiY4CFwgiiSWM: Timeout during connect

It make sense, because A/AAAA record of guideastuces.com point to the old server. Of course, I shouldn’t change it before I fix certificate on the new server.

it doesn’t, wildcard certificates don’t use A/AAAA records, only TXT ones. But plesk might be stupid enough to use dns-01 for *.example.com and http-01 for example.com (both are needed)

How much downtime are you comfortable with? Obtaining a certificate doesn’t take a lot of time.

You can also obtain a certificate on the old server and upload it on the new one. Make sure to get all domains you need on one certificate (certbot certonly --cert-name newserver -d example.com -d www.example.com -d other.example.com)

Up to 3 hours.

I will try this option.

then you can switch dns records and get certs on the new server (use short ttl in case you have to go back)

In the end, it was an IPv6 address problem. I removed the AAAA records in the old server and the problem is gone.
Thank you, I really appreciate your help :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.