I am planning to move an LE-protected web site to a new server and I’d like some feedback on whether the way I propose below is fine; in particular I wonder if there are any problems to be expected with the certificate request process.
Initially, server A is running www.example.com, both http and https. The http version mostly (i.e., except for some weird clients) redirects to https. Also note that HSTS is employed.

1. Prepare server B (server software, web server [Apache], static data, database etc.). However, do not redirect http to https. Test server B by faking DNS locally.
2. (Re)activate the http to https redirection on server B. But on port 443, do not run Apache but instead use xinetd to forward all TCP connections to server A.
3. Update DNS so that www.example.com points to server B instead of server A from now on. Everybody already picking up the new DNS should connect to server B port 443 (possibly after redirection from port 80) and via xinetd actually talk to server A, and so be served the original content properly encrypted with the original server A key. And of course so does everybody who still uses old DNS data.
4. Wait for the DNS change to propagate completely (depending on TTL).
5. On server B, request a new Let’s Encrypt certificate. In the process, checks will be made against server B (because DNS now says so) over port 80, and the expected content under http://www.example.com/.well-known/acme-challenge--- is correctly served.
6. Now having a valid cert on server B, we can turn off the xinetd forwarding and let the web server handle port 443.
A minor problem is that during 3, server A thinks that a growing number of clients seem to connect from server B instead of from around the globe, but that should not matter.
Of course, during the whole transition phase, all “editing” activity on the site should be stopped. While this needs to be communicated to a few places in-house, there is fortunately almost no activity with side-effects on the site from users (only newsletter subscription).
But what I am unsure about and want to address specifically on this forum: does it pose any problem that, during phase 5, server B only responds itself on port 80, whereas it does not on port 443 (or rather, it looks like it does, but the responses actually come from server A)?
(Perhaps I should add that I have no option of e.g. extracting the private key from server A)
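The one thing to check before step 5 is what happens to the validator's request for /.well-known/acme-challenge/… on port 80 once the http→https redirect from step 2 is back in place. Let's Encrypt's HTTP-01 validator follows redirects, including to https, so a redirected challenge request lands on B:443, which during steps 2 to 5 is answered by server A, and A has never seen the token. The model below (an added example, not part of the original post; host name, token and thumbprint are constructed, and no network access is made) walks the validator's path through exactly that topology, once with the challenge directory exempted from the redirect and once without. In Apache terms the exemption is a `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` ahead of the redirect rule; some ACME clients insert an equivalent rule themselves, but with a hand-written redirect it has to be there.

```python
"""Model of the ACME HTTP-01 validation path through the cut-over topology:
www.example.com now resolves to server B; B:80 is Apache with the http->https
redirect; B:443 is an xinetd TCP forward to A:443; A knows nothing about the
challenge token.  Host name, token and thumbprint are constructed for the
example; nothing here talks to the network."""
from urllib.parse import urlsplit

HOST = "www.example.com"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-token-1234"                 # constructed, not a real ACME token
KEY_AUTH = TOKEN + ".constructed-thumbprint"     # constructed key authorization
REDIRECT_CODES = {301, 302, 303, 307, 308}


def server_a(scheme, path):
    """Server A: http redirects to https; https serves the old site, which has
    never seen the token, so the challenge path is a 404 there."""
    if scheme == "http":
        return 301, f"https://{HOST}{path}", ""
    return 404, None, "old site: no such challenge"


def server_b_port80(path, exempt_acme):
    """Server B, Apache on port 80.  With exempt_acme=True the challenge
    directory is served directly (the RewriteCond exemption); otherwise every
    request, the challenge included, is redirected to https."""
    if exempt_acme and path.startswith(CHALLENGE_PREFIX):
        if path == CHALLENGE_PREFIX + TOKEN:
            return 200, None, KEY_AUTH
        return 404, None, "unknown token"
    return 301, f"https://{HOST}{path}", ""


def route(scheme, path, exempt_acme):
    """Where a validator request actually lands once DNS points at B.  Port 443
    on B is not Apache: xinetd hands the TCP stream to A:443, so the answer
    (and the TLS certificate) comes from A."""
    if scheme == "http":
        return server_b_port80(path, exempt_acme)
    return server_a("https", path)   # B:443 -> xinetd -> A:443


def http01_validate(exempt_acme, max_redirects=10):
    """Emulates the validator: GET the challenge URL over http and follow
    redirects (Let's Encrypt follows them, https included, up to a limit).
    Returns (success, hops); hops lists each URL tried with the status seen."""
    url = f"http://{HOST}{CHALLENGE_PREFIX}{TOKEN}"
    hops = []
    for _ in range(max_redirects):
        parts = urlsplit(url)
        status, location, body = route(parts.scheme, parts.path, exempt_acme)
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return status == 200 and body.strip() == KEY_AUTH, hops
    return False, hops   # redirect loop or too many hops: validator gives up


if __name__ == "__main__":
    for exempt in (True, False):
        ok, hops = http01_validate(exempt)
        print(f"challenge path exempt from redirect: {exempt} -> {'PASS' if ok else 'FAIL'}")
        for url, status in hops:
            print(f"    {status} {url}")
```

Run as a script it prints the two traces: with the exemption the request is answered on B:80 with the key authorization; without it the validator is sent to https://www.example.com/…, which is forwarded to A and answered 404, so the order would fail even though B does serve the file. The same path check can be done against the real servers from an outside host with `curl -iL http://www.example.com/.well-known/acme-challenge/<test-file>` before the certificate is requested.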