Move to new webserver: Re-use old cert or get a new cert?

Hi,

One of our webservers has to move from one department of my organization to another department, which makes a new installation necessary, and the new server will also have a different DNS record. The certificate on the old server was obtained with certbot, and the new server will also have certbot. However, the new server runs on a new version of Apache (2.4 instead of 2.2) and also uses a different Linux (CentOS 8 instead of Debian). We plan to connect the new server to the Internet and change the DNS record next week. The current certificate is still valid for 10 days and I have full access to the /etc/letsencrypt directory.

I looked around on this forum and it seems there are two options. The first option is to move the existing certificate to the new webserver as described e.g. here: "Move to another server". Is the information still accurate and up to date?

The second option is to install a fresh certificate from scratch. I'd somehow prefer the second option since the current certificate was installed by a colleague who has already left my organization, and I also think that this is probably the cleaner solution since there are some differences in the setup (e.g. the virtual host settings). Is there anything I need to pay attention to when installing a new certificate on the new server?


The second option is way better.

There may be some HTTPS "down time" while you change IPs in DNS and get the new cert.
Otherwise, business as usual.


It's not a big problem if HTTPS is not working for a couple of days. So that means I prepare everything already, i.e. install mod_ssl, certbot, etc., and then after the new server is connected to the Internet and the DNS record has been changed I wait a few days and then I can request a new certificate in the straightforward way?


As soon as you change the DNS, you can request a new cert on the new server.
[as soon as the DNS change propagates to all authoritative DNS servers]


Thanks for the info! So that means I will not face any problems because there still exists a valid certificate for my domain?


Only if you already have 5 certificates with the exact same set of names.
Or like 50 new ones from the same domain that were recently issued.

One to one is no problem.

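The two limits named in the reply above are easy to trip while debugging a fresh Apache vhost (every successful re-run of certbot issues another certificate). The following pre-flight check is an added example, not code from the original thread or from certbot: it models the duplicate-certificate limit (five certificates with the exact same set of names) and the per-registered-domain limit (about 50 certificates) over a 7-day window, which is the window Let's Encrypt publishes for both limits and is stated here as an assumption rather than something the thread says. The issuance history, the host names and the timestamps are constructed sample data, not a real CT-log or /etc/letsencrypt query, and the registered-domain extraction is a deliberate simplification.

```python
"""Rate-limit pre-flight for the new-server scenario in this thread.

Added example, not from the original post or from certbot.  It models the
two limits the reply names: five certificates with the exact same set of
names, or about 50 certificates for the same registered domain, issued
recently.  The 7-day window is an assumption (the one Let's Encrypt
publishes), and the issuance history below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5      # identical name sets per window
PER_DOMAIN_LIMIT = 50    # certificates per registered domain per window
WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class IssuedCert:
    names: frozenset        # all SANs on the certificate, lower-cased
    not_before: datetime    # issuance time, timezone-aware


def registered_domain(name: str) -> str:
    """Crude registered-domain extraction: the last two labels.

    Good enough for names like host.example.org; for suffixes such as
    co.uk use a Public Suffix List library instead (assumption).
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rate_limit_reasons(history, requested_names, now):
    """Return the list of limits a request for `requested_names` would hit.

    An empty list means the request is expected to be accepted.
    """
    requested = frozenset(n.lower() for n in requested_names)
    recent = [c for c in history if now - c.not_before < WINDOW]

    reasons = []
    duplicates = sum(1 for c in recent if c.names == requested)
    if duplicates >= DUPLICATE_LIMIT:
        reasons.append(
            f"duplicate-certificate limit: {duplicates} certs for "
            f"{sorted(requested)} in the last {WINDOW.days} days")

    for domain in {registered_domain(n) for n in requested}:
        count = sum(1 for c in recent
                    if any(registered_domain(n) == domain for n in c.names))
        if count >= PER_DOMAIN_LIMIT:
            reasons.append(
                f"certificates-per-registered-domain limit: {count} certs "
                f"for {domain} in the last {WINDOW.days} days")
    return reasons


# Constructed sample history (hypothetical names).  The old server's
# certificate, issued 80 days ago, is outside the window and has a
# different name set anyway, so it never counts against the new name.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
OLD_SERVER_CERT = IssuedCert(frozenset({"www.old-dept.example.org"}),
                             NOW - timedelta(days=80))
HISTORY = [OLD_SERVER_CERT]

# Five fresh issuances for the new name, e.g. from re-running certbot
# while fixing the Apache vhost, would hit the duplicate limit.
NEW_NAME = "www.new-dept.example.org"
NOISY_HISTORY = HISTORY + [
    IssuedCert(frozenset({NEW_NAME}), NOW - timedelta(hours=h))
    for h in (1, 2, 3, 4, 5)
]


def check_clean_move():
    """The thread's case: one old cert, one new request -> no limit hit."""
    return rate_limit_reasons(HISTORY, [NEW_NAME], NOW)


def check_after_five_retries():
    """Same request after five issuances for the same name this week."""
    return rate_limit_reasons(NOISY_HISTORY, [NEW_NAME], NOW)


if __name__ == "__main__":
    print("clean move:", check_clean_move() or "ok")
    print("after five retries:", check_after_five_retries() or "ok")
```

The practical takeaway is the second scenario: while the vhost configuration on the new Apache 2.4 host is still being adjusted, run certbot with `--dry-run` (which uses the staging environment and does not count against the production limits) until the run succeeds, and only then issue the real certificate once.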

Thank you very much for your quick help!


Cheers from Miami :beers:
