Moving hostname from one VPS to another with another IP and new hostname

I am on Debian and I am migrating my VPS running an Apache server to another IP with a new hostname.
On the old server, in sites-available, oldHostname-le-ssl.conf has been generated by certbot based on oldHostname.conf and contains:

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/oldHostname/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/oldHostname/privkey.pem

What is the correct procedure to adapt the certificate for the new hostname?

Just ignore the old server's existence and get a new certificate.

4 Likes

The topic says "moving hostname" and "new hostname".
Are you going to have two hostnames in the new server?

2 Likes

Hi Rudy,

I'm going to have a new server c/o new provider and on this new server I will have only one hostname (kreator.ch) which for now is attached to the server which is going to disappear.
It is my production server, which means that if I miss something or do something wrong during the migration night I will be very uncomfortable.
In other words any detailed procedure is very welcome.
As far as I remember the way I generated the certificate for kreator.ch was the following:
I ran certbot --apache
The process

  1. generated fullchain.pem and fullchain.pem in /etc/letsencrypt/archive/kreator.ch
  2. created /etc/apache2/sites-available/kreatort.ch-le-ssl.conf based on kreatort.ch adding:
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/kreator.ch/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kreator.ch/privkey.pem

What will I have to do exactly for the migration?

Kind regards.

1 Like

The most concerning procedure of this kind of migration is correctly copying the entire web site.
Obtaining a new certificate is the simplest way to secure the site in the new server.

1 Like

What I have is not a static web site but a web application running Apache Tomcat with a database being permanently updated.
So, in my case, the copy is not feasible.
By the way, the app is already deployed and runs with a temporary hostname kreatort.ch.
All I need is to have a new certificate for the final hostname kreator.ch
Will certbot delete kreator.ch, followed by certbot --apache, do the job?
And how long will the propagation process take?

I would NOT delete the previous certificate before it's not used any longer. So keep it around for the time being.

3 Likes

Thanks for the warning. That's exactly my worry. I will need the certificate for kreator.ch for my web app migrated to the new server. How to do it?

Depends if you require absolutely zero downtime or you can spare a few minutes without a certificate. It also depends on which challenge type you can use. E.g., the http-01 (which is used by the Certbot --apache plugin) is usually used with the IP address already pointing to the server trying to get the certificate. But the dns-01 challenge could be used even if the IP address is still pointing to the old server, so no downtime at the changeover. But the dns-01 challenge is harder to automate. Although you could use the dns-01 challenge manually once (with the --manual plugin) before the switchover and change Certbot to use the --apache plugin for substantial renewals.

1 Like

An outline of another approach is to manually adjust the VirtualHost for startup and then work to set up Certbot. Roughly, ...

Copy fullchain.pem and privkey.pem from your old server to the new one. Place them in a unique folder location accessible to Apache. Change the Apache VirtualHost to point to these two files.

Copy /etc/letsencrypt/options-ssl-apache.conf to that same location and update the VirtualHost include statement accordingly.

When you change the DNS to your new server it should start just fine. You can test this before switching the DNS by just using the IP address (https://IP) of your new server. You will get a warning from a browser about incorrect cert but you can view the cert to make sure it is the right one (or use a tool like this SSL Checker).

Once it is stable, set up Certbot fresh on your new system. You may need to manually update the VirtualHost again to point to the Certbot generated certs and the include statement. The manual adjustments depend on the Certbot method used.

2 Likes
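The checks implied by the post above (copy fullchain.pem and privkey.pem, then confirm over the new server's IP that the right certificate is served before switching DNS), as an added example that is not part of the original thread. The function names and the script's argument order are hypothetical; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example: pre-cutover checks for a certificate copied from the old server.
# Function names are hypothetical; they are not part of Certbot or Apache.

# True when the private key belongs to the first (leaf) certificate in the file.
key_matches_cert() {  # usage: key_matches_cert fullchain.pem privkey.pem
    kmc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kmc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    # Reject empty output so two unreadable files never compare as equal.
    [ -n "$kmc_cert" ] && [ "$kmc_cert" = "$kmc_key" ]
}

# True when the certificate is valid for the given hostname.
cert_covers_host() {  # usage: cert_covers_host fullchain.pem kreator.ch
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# True when the certificate does not expire within the next N days.
cert_valid_for_days() {  # usage: cert_valid_for_days fullchain.pem 7
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate a server presents on port 443. Connects to the
# IP but sends the real hostname as SNI, so Apache picks the right VirtualHost.
served_fingerprint() {  # usage: served_fingerprint NEW_SERVER_IP kreator.ch
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# usage: sh precutover.sh fullchain.pem privkey.pem kreator.ch NEW_SERVER_IP
if [ "$#" -eq 4 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; exit 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3"; exit 1; }
    cert_valid_for_days "$1" 7 || { echo "certificate expires within 7 days"; exit 1; }
    [ "$(cert_fingerprint "$1")" = "$(served_fingerprint "$4" "$3")" ] ||
        { echo "server at $4 is not serving this certificate"; exit 1; }
    echo "OK: $4 serves the expected certificate for $3"
fi
```

Run it on the new server (or any machine that can reach it) after copying the files and reloading Apache; a key/certificate mismatch caught here is one Apache would otherwise report only when it fails to start.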

I can afford 1-2 hours downtime.
Would the following procedure work i.e. will it:
a) generate fullchain.pem and privkey.pem
b) create kreator.ch-le-ssl.conf adding:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/kreator.ch/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kreator.ch/privkey.pem

  1. Stop old server

  2. Change DNS

  3. Create on the new server in /etc/apache2/sites-available kreator.ch with following content:
    <VirtualHost *:80>
    ServerName kreator.ch
    ServerAlias www.kreator.ch

    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/kreator.ch-error.log
    CustomLog ${APACHE_LOG_DIR}/kreator.ch-access.log combined

    JkMount /* ajp13_worker
    JkUnMount /.well-known/acme-challenge/* *

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    </VirtualHost>

  4. Run certbot --apache

I'm still not understanding completely.
Where is the database?
How is the new server going to get to that database?

2 Likes

Sorry for not being understandable.
The database is on the server. The server, new and old, accesses the database via apache -> tomcat servlets.

1 Like

Hi Mike,
May I kindly ask your opinion regarding the procedure I plan to use?
It's 10/13 right below your post.
