Migration from plesk server to new one


#1

My domain is: homunity.com

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Current one yes, new one no.

Hi,
I’ll be migrating a new version of a website from one server to another one. The current one is managed by Plesk, the new one has been installed and configured by myself. I need to migrate the HTTPS certificates from the current one to the new one (I saw some topics here but I have some more questions).

Can I just do the install procedure of certbot directly on the new machine and then redirect the domain name to the new server? Will that work fine without creating any conflicts with the old one? I’m concerned about this to ensure users don’t get error messages.

P.S. The current server does not have a /etc/letsencrypt. I suppose this comes from an alternate installation method from Plesk.

Thanks for your help!


#2

Hi @Choppy

There is one problem: if you use http-01 validation, your DNS A entry yourdomain -> your-ip must point to the new server. So users don’t see a certificate.

You can do another thing.

To create the first certificate on your new server, use --manual and --preferred-challenges dns. So the A-record is irrelevant. In 50 - 60 days, change that to --preferred-challenges http.

Using dns-01 validation, you have to create two DNS TXT entries:

_acme-challenge.homunity.com
_acme-challenge.www.homunity.com

PS: You can also use the http-01 validation with the manual option. And you can upload the validation file to your old server into /.well-known/acme-challenge.

The last idea: Find the public key and the private key in your existing Plesk installation and copy these two files to your new server. Then you don’t need a Let’s Encrypt client today.


#3

Thanks a lot for your answer!

It’s still a bit blurry for me.

You mean, if I first redirect my domain name from the old one to the new one and then do the installation of certbot, this will work?

Else, for the last idea, what do the public and private key names look like? This might be my easiest option?
I actually got these in my nginx vhost file:
ssl_certificate /opt/…ates/cert-46ht9T;
ssl_certificate_key /opt/…ates/cert-46ht9T;
ssl_client_certificate /opt/…ates/cert-Bc5YeY;
Are these the files I have to copy, @JuergenAuer?


#4

You can do it. But if Certbot fails, your users don’t have a certificate. So you risk a downtime.

Yes, it’s the easiest option. Because you can use the same certificate with different servers. And your current certificate is valid. But Plesk has its own names. This looks good. The ssl_certificate_key should be your private key. The “ssl_certificate” should be your public key.

Copy this file to Windows and save it with the .crt file extension. Then you should be able to open it and see your valid certificate.

Or check the content. That should start with

-----BEGIN CERTIFICATE-----

and end with

-----END CERTIFICATE-----

#5

Thanks!

I got some new things. I found the folder corresponding to /etc/letsencrypt (see) and in this folder I got

accounts archive csr keys live renewal

In live I also got a folder of the vhost (homunity.com) and inside it I got

cert.pem chain.pem fullchain.pem privkey.pem README

Now if I copy these to the new server in /etc/letsencrypt, would it be OK?
Or should I preferably use the ones declared in the nginx vhost (ssl_certificate /opt/…ates/cert-46ht9T;)?


#6

These are the correct files.

Perhaps these are only symbolic links to the standard certbot folders.

You have found the correct files. So you can use these.


#7

Thanks a lot @JuergenAuer!! I’ll try this! Hope everything will be fine!


#8

Ah, and another question. I just copied the files over. Does it matter if I install certbot before or after I make the domain name point to the new IP address?

Also, I’m seeing this tutorial
I must do everything but not the

$ sudo certbot -a dns-plugin -i nginx -d "*.example.com" -d example.com --server https://acme-v02.api.letsencrypt.org/directory

Is that it? Do I need to do anything for the nginx vhost, or will certbot do it?


#9

This is irrelevant.

That starts the certificate request. You have your old certificate. So skip that step.

Do it if your certificate is only 30 days valid.
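
A pre-cutover check for the copied files, as an added example that is not part of the original thread: before DNS is pointed at the new server it confirms that the file holds a PEM certificate (the check in post #4), that the private key belongs to it, that it covers the site's names, and that more than 30 days of validity remain (the threshold in post #9). The function names and the self-signed example.test sample are constructed for illustration; on the real server, pass the copied fullchain.pem and privkey.pem paths and the real host names to check_pair.

```shell
# Added example: local openssl checks on a copied certificate/key pair.

# File contains a PEM certificate block (the BEGIN/END check from post #4).
has_cert() {
  grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '^-----END CERTIFICATE-----' "$1"
}

# Certificate and private key carry the same public key.
pair_matches() {
  pm_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  pm_k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$pm_c" ] && [ "$pm_c" = "$pm_k" ]
}

# Certificate stays valid for at least $2 more days (post #9's 30-day threshold).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Certificate covers host name $2, matched the way a TLS client matches it.
covers_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# check_pair CERT KEY MIN_DAYS NAME...   prints failures, returns 1 if any check fails
check_pair() {
  cp_cert=$1; cp_key=$2; cp_days=$3; shift 3; cp_rc=0
  has_cert "$cp_cert" || { echo "FAIL no PEM certificate in $cp_cert"; cp_rc=1; }
  pair_matches "$cp_cert" "$cp_key" || { echo "FAIL key does not match certificate"; cp_rc=1; }
  valid_for_days "$cp_cert" "$cp_days" || { echo "FAIL expires within $cp_days days"; cp_rc=1; }
  for cp_name in "$@"; do
    covers_name "$cp_cert" "$cp_name" || { echo "FAIL does not cover $cp_name"; cp_rc=1; }
  done
  [ "$cp_rc" -eq 0 ] && echo "OK $cp_cert"
  return "$cp_rc"
}

# Constructed sample: self-signed pair for example.test, standing in for the copied files.
make_sample() {  # make_sample DIR DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_sample "$demo" 90 &&
  check_pair "$demo/fullchain.pem" "$demo/privkey.pem" 30 example.test www.example.test
rm -rf "$demo"
```

A key mismatch or a missing name reported here would otherwise only show up as an nginx start-up failure or a browser warning after the DNS change.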


#10

Should I do this: sudo certbot --nginx?


#11

No. This starts the Certificate request too.


#12

Do I need to add the lines to the new nginx vhost?

Thank you very much.


#13

Thank you @JuergenAuer, it worked as expected!