Moving hostname from one VPS to another with another IP and new hostname

I am on debian and I am migrating my VPS running apache server to an another IP with a new hostname.
On the old server in sites-available oldHostname-le-ssl.conf has been generated by certbot based on oldHostname.conf and contains:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/oldHostname/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/oldHostname/privkey.pem

What is the correct procedure to adapt the cerificate for the new hostname ?

just ignore old server existence and get a new certifiacte


The topic says "moving hostname" and "new hostname".
Are you going to have two hostnames in the new server?


Hi Rudy,

I'm going to have a new server c/o new provider and on this new server I will have only one hostname ( which for now is attached to the server which is going to disappear.
It is my production server which means that if I miss something or do something wrong during the migration night I will be very inconfortable.
In other words any detailed procedure is very welcome.
As far as I remember the way I generated the certificate for was the following:
I run certbot --apache
The process

  1. generated fullchain.pem and fullchain.pem in /etc/letsencrypt/archive/
  2. created /etc/apache2/sites-available/ based on adding:
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/

What will I have to do exactly for the migration ?

Kind regards.

1 Like

The most concerning procedure of this kind of migration is correctly copying the entire web site.
Obtaining a new certificate is the simplest way to secure the site in the new server.

1 Like

What I have is not a static web site but web application running apache tomcat with a database being permanently updated.
So, in my case, the copy is not feasible.
By the way the app is already deployed and runs with a temporary hostname
All I need is th have a new certificate for the final hostname
Will certbot delete, followed by certbot --apache do the job ?
And how long time will take the propagation process ?

I would NOT delete the previous certificate before it's not used any longer. So keep it around for the time being.


Thanks for the warning. That's exactly my worry. I will need the certificate for for my web app migrated to new server. How to do it ?

Depends if you require absolutely zero downtime or you can spare a few minutes without a certificate. It also depends on which challenge type you can use. E.g., the http-01 (which is used by the Certbot --apache plugin) is usually used with the IP address already pointing to the server trying to get the certificate. But the dns-01 challenge could be used even if the IP address is still pointing to the old server, so no downtime at the changeover. But the dns-01 challenge is harder to automate. Although you could use the dns-01 challenge manually once (with the --manual plugin) before the switchover and change Certbot to use the --apache plugin for substantial renewals.

1 Like

An outline of another approach is to manually adjust the VirtualHost for startup and then work to setup Certbot. Roughly, ...

Copy fullchain.pem and privkey.pem from your old server to the new one. Place them in a unique folder location accessible to Apache. Change the Apache VirtualHost to point to these two files.

Copy /etc/letsencrypt/options-ssl-apache.conf to that same location and update the VirtualHost include statement accordingly.

When you change the DNS to your new server it should start just fine. You can test this before switching the DNS by just using the IP address (https://IP) of your new server. You will get a warning from a browser about incorrect cert but you can view the cert to make sure it is the right one (or use a tool like this SSL Checker).

Once it is stable, setup Certbot fresh on your new system. You may need to manually update the VirtualHost again to point to the Certbot generated certs and the include statement. The manual adjustments depend on the Certbot method used.


I can afford 1-2 hours downtime.
Would the following procedure work i.e. will it:
a) generate fullchain.pem and privkey.pem
b) create adding:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

  1. Stop old server

  2. Change DNS

  3. Create on the new server in /etc/apache2/sites-available with following content:
    <VirtualHost *:80>

    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/
    CustomLog ${APACHE_LOG_DIR}/ combined

    JkMount /* ajp13_worker
    JkUnMount /.well-known/acme-challenge/* *

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

  4. Run certbot --apache

I'm still not understanding completely.
Where is the database?
How is the new server going to get to that database?


Sorry for not being understandable.
Database is on the server. The server, new and old, access's the database via apache -> tomcat servlets.

1 Like

Hi Mike,
May I kindly ask your opinion regarding the procedure I plan to use?
It's 10/13 right below your post.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.