Move current certificate to new server

Hello Ladies, Gentlemen! :wink:

Question: How to create a new certificate for the same DNS hostname?

Situation :
Our current mail server has a valid LetsEncrypt certificate.
It’s on a shared server (cPanel stuff).
We have installed a new mail server in-house and also created a certificate for this new server.
All server certificates are valid and installed.
I could just use this config, but it would mean that I have to work on every computer worldwide to reconfigure the mail client to the new mail server. Nah! Nah! No way. :frowning:
I did not create the cert for the old server (but have private key access).
I would like to have a valid certificate for the same old server hostname (whose DNS IP I will update to the new server).

My domain is: gentec-eo.com

I ran this command: I tried to create a cert for mail.gentec-eo.com (letsencrypt-auto …)

It produced this output: it replied that I have no authority. I guess it’s right!

My web server is (include version): not sure for the old server … cPanel? New: Apache/Tomcat!

The operating system my web server runs on is (include version): old: cPanel? new: CentOS 7

My hosting provider, if applicable, is: CPanel?

I can login to a root shell on my machine (yes or no, or I don’t know): old server : no. New : yes!

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): CPanel?

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know … but letsencrypt installation was done this summer 2019. And letsencrypt-auto --version does not work!

Thanks for your lights and help! :slight_smile:

Question: How to create a new certificate for the same DNS hostname?

I did not create the cert for the old server (but have Private key access).

You have the private key? It might be easier to just download the old certificate (it's freely provided by the server) and install it on the new server. However, there are multiple different certificate file formats and ways servers present them, so it might be harder as well.
Do you need help with this?

Easy, but downtime possible

The easiest way is to just update the DNS record, then on the new machine request a new certificate. Obviously, there will be downtime between you taking down the old DNS record and when clients will start connecting to the new server. NOTE: DUE TO DNS RECORD PROPAGATION DELAY, CLIENTS MIGHT NOT KNOW SERVER MOVED UP TO 24 HRS AFTER YOU UPDATED THE IP. Therefore I strongly advise you to use the other method below.

More steps, but no downtime

The other solution is to issue a new certificate via another mechanism, the DNS challenge. Since you can update the IP (A or AAAA record), you should be able to create a TXT record as well, so you will be able to pass the challenge. Note that this is a convenient way to issue a certificate once, and then I'd recommend setting up certbot for automatic renewal.

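
The "download the old certificate and install it with the key you already have" route above has two things worth checking before you trust it: that the key exported from cPanel really belongs to the certificate the old host is serving, and which hostnames and expiry that certificate carries (a copied Let's Encrypt certificate only buys you the rest of its 90 days). The script below is an added example for this thread, not code from any poster; the hostname `mail.example.com`, the key file name and the ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a private key belongs to the
# certificate a live mail server presents, and list that certificate's
# names and expiry. Hostnames, ports and file names are assumptions.
set -eu

# Print the PEM chain a running service presents. 465/993/995 speak TLS
# directly; 25/587/143/110 need STARTTLS, so pass smtp/imap/pop3 as $3.
# Usage: fetch_served_chain HOST PORT [smtp|imap|pop3]
fetch_served_chain() {
    host=$1; port=$2; proto=${3:-}
    set -- -connect "$host:$port" -servername "$host" -showcerts
    if [ -n "$proto" ]; then set -- "$@" -starttls "$proto"; fi
    openssl s_client "$@" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# SHA-256 over the DER-encoded public key, taken from a certificate (first
# one in the file) and from a private key; equal hashes mean they pair up.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 iff KEY is the private key for CERT.
key_matches_cert() { [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]; }

# DNS names in the subjectAltName extension, one per line. A new request
# for the new server must cover at least these, or mail clients configured
# for a name that is missing will report a mismatch.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit status 0 iff CERT is still valid DAYS days from now.
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); }

# Interactive use (assumed names): ./check.sh check mail.example.com old-privkey.pem
if [ "${1:-}" = "check" ]; then
    fetch_served_chain "${2:-mail.example.com}" 993 > old-chain.pem
    if key_matches_cert "${3:-old-privkey.pem}" old-chain.pem; then
        echo "key matches the served certificate"
    else
        echo "key does NOT match the served certificate"
    fi
    cert_sans old-chain.pem
    openssl x509 -in old-chain.pem -noout -enddate
fi
```

`fetch_served_chain` writes the leaf first, so the `openssl x509` calls that read only the first certificate operate on the leaf; install the whole file as the chain on the new server if its software expects a combined file. If `key_matches_cert` fails, the key you exported is not the one the old host uses and copying is off the table; request a fresh certificate instead.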
Oh! Bershanskiy!!! Excellent suggestions!!!

I still have reservations about the fact that the old server has a LetsEncrypt certificate that is still valid, but I would issue a certificate for the same DNS name! Doesn’t LetsEncrypt see some sort of tampering/security situation??!
Do I have to uninstall the certificate from cPanel prior to installing a cert for the same hostname?

Tks!! :slight_smile:

You do not; you could issue 5 certificates with the exact same set of domains (hostnames) per week. (And if you are just copying the certificates from the old server to the new server, that's even more fine lol)

Thank you

Yippie!!! :smile:

Do you know if copying the cert from the old server I would still be able to configure certbot to auto-update?

When you are copying the certificate from your old server, you are just moving the certificates to your new server. It's a temporary solution that would ensure visitors won't see a "website not secure" error when they connect to your new server.

What you actually need to do is: before the old certificate expires (or after you are sure your site's IP addresses are updated globally), use certbot to issue a new certificate with the exact set of domains you want to use, then configure it in your Apache instance. The new certificate would renew automatically after you configure it correctly.

@geoptic Do you want to use the same private key or generate a new key? I would recommend changing the key for the sake of “informational hygiene”, unless you somehow need the old key (e.g., use Public Key Pinning which was deprecated in favor of CT).

If you want to use the same key, I’d recommend first trying to download the certificate and install it on the new server with the private key you already have. Look here. I can help you find the right file to download, if you need.

As I said, I recommend generating a new private key. You can generate one and obtain a new certificate via DNS challenge.

Oh thanks for that FAST reply!! :sunglasses:

I have learned new stuff today!

I will try the DNS Challenge and create new certificate. Downtime is not yet an issue as the new server is not yet in production stage! I want it to be painless for the users !
You never have a second chance to make a first impression!! :slight_smile:

Many thanks … If anything goes the wrong way … I’ll get back here for sure!!! :sunglasses:

Just an update on this process.
I just created/updated our certificate with the DNS challenge option, and it did the trick!
So thanks, now I’ll have automatic renew with Route53 script/config!

TKS !! :sunglasses:

Command:

root # letsencrypt-auto --manual --preferred-challenges dns certonly -d mail.domain.com -d mail2.domain.com -d mail3.domain.com

I hope I can renew without DNS-Challenge later on when the old server is no longer associated with the MX record… :wink:
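
Two practical notes on the renewal that the command above leads to, added here as an example and not part of any post. First, `certbot renew` replays the options saved in the renewal configuration, so a certificate obtained with `--manual` and no `--manual-auth-hook` cannot renew unattended; the Route53 plugin the poster mentions (`certbot-dns-route53`), or a plain http challenge once the new server owns the name, is what makes renewal automatic. Second, Postfix and Dovecot read certificate files only at startup or reload, so a renewed file on disk changes nothing until the services are told about it. The deploy hook below handles the second point and then verifies, port by port, that the renewed certificate is the one actually being served. It assumes certbot's `RENEWED_LINEAGE` environment variable (which certbot sets for deploy hooks), a Postfix/Dovecot host managed with `systemctl`, and the placeholder hostname `mail.example.com`.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook for the new mail
# host. Certbot runs every script in /etc/letsencrypt/renewal-hooks/deploy/
# after a successful renewal, with RENEWED_LINEAGE set to the live/<name>
# directory. Service names, ports and hostname are assumptions.
set -eu

MAIL_HOST=${MAIL_HOST:-mail.example.com}   # assumed hostname

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint of the leaf certificate a running service presents.
# Usage: served_fp HOST PORT [smtp|imap|pop3]   (STARTTLS proto for 587/143/110)
served_fp() {
    host=$1; port=$2; proto=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    if [ -n "$proto" ]; then set -- "$@" -starttls "$proto"; fi
    openssl s_client "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 iff CERT is still valid DAYS days from now.
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); }

# The daemons keep the old certificate in memory until reloaded.
reload_mail_services() {
    systemctl reload postfix
    systemctl reload dovecot
}

# Only act when certbot invoked us; running the file by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cert="$RENEWED_LINEAGE/fullchain.pem"
    cert_valid_for_days "$cert" 30 \
        || { echo "renewed certificate expires within 30 days?" >&2; exit 1; }
    reload_mail_services
    want=$(cert_fp "$cert")
    # Each endpoint must now present the renewed certificate, not a cached one.
    for ep in "465" "993" "587 smtp" "143 imap"; do
        set -- $ep
        got=$(served_fp "$MAIL_HOST" "$@")
        [ "$got" = "$want" ] \
            || { echo "port $1 still serves $got, expected $want" >&2; exit 1; }
    done
    echo "all mail endpoints serve $want"
fi
```

Install it as `/etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh`, make it executable, and exercise the whole path with `certbot renew --dry-run` before relying on it; a non-zero exit from the hook shows up in certbot's output and in the renewal log.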

Great!

I hope I can renew without DNS-Challenge later on when the old server is no longer associated with the MX record… :wink:

Yes, you should be able to.

Also, you might want to mark your last comment as a "Solution" so hopefully others will find it if they face the same problems.
