I already found some similar topics here, but each has its own specifics and I wanted to investigate further.
I’m moving a site from one VPS to another, the same system (Ubuntu 16.04), the same settings (sites in user directories), so paths should be identical.
DNS points to old VPS at the moment
On the new VPS the site is working; I copied all cert files (ssl.ca, ssl.cert, ssl.combined, ssl.csr, ssl.everything, ssl.key, ssl.newkey) that resided in ~/ to the new VPS.
On my computer my hosts file points to the new VPS and the site is encrypted, but the browser shows the certificate as invalid.
I need to be sure that when I change DNS to new VPS, certificate will work correctly (internet shop) so there would be no breakage for customers.
My questions are:
Will the browser show the certs as correct when DNS points to it, or do I have to do something extra?
Can I test the certificate when DNS is pointing to another server? In other words, can I get the “green padlock” when using the hosts file, so I could know I can safely move the DNS A record to the new server?
I read something about moving /etc/letsencrypt to the new VPS; is it really necessary with the type of setup I have (cert files in the user’s home)?
There was some DNS validation mentioned, a command?
./certbot-auto certonly --manual --preferred-challenges dns
I don’t want to do those steps just yet, because I don’t know what I am doing and what. In the past when I followed such advice it turned out it was not applicable to my situation and I just messed up my configuration, so I want to confirm what needs to be done.
This is troubling... and indicates that something is no longer exactly the same.
It should show the same as your test - fail.
Yes, DNS is only used to identify where the host is - which you simply overrode with your own DNS entry in the hosts file. The security is based on it having a cert that matches the name you seek and which is trusted all the way up to a trusted root.
That is recommended but I can't say I fully understand the setup you have.
How will you be doing certificate renewals?
That would only be necessary if you intended on getting a new cert on the new server before the IP points to it. But your path is to replicate the existing system and cert.
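An added illustration of the point above (not part of either participant's post): this script does what the browser will do once the A record moves, namely connect to the new VPS's IP while sending SNI for the shop's hostname, and verify the chain and name against the system trust store. The IP and hostname at the bottom are placeholders.

```python
"""Check the certificate a server presents for a hostname, without touching DNS."""
import socket
import ssl
from datetime import datetime, timezone


def san_matches(hostname, dns_names):
    """True if hostname is covered by one of the cert's DNS SANs
    (exact match, or a single-label wildcard such as *.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def days_until_expiry(not_after, now=None):
    """Days left given the notAfter string exactly as getpeercert() returns it."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def check_server_cert(ip, hostname, port=443, timeout=5):
    """Connect to ip with SNI=hostname; the default context verifies the chain
    up to a trusted root and checks the hostname, just like a browser."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": e.verify_message}   # untrusted chain or name mismatch
    except (OSError, ssl.SSLError) as e:
        return {"ok": False, "reason": str(e)}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = dict(x[0] for x in cert["issuer"]).get("organizationName")
    return {"ok": san_matches(hostname, sans), "sans": sans,
            "issuer": issuer, "days_left": days_until_expiry(cert["notAfter"])}


if __name__ == "__main__":
    # Assumed placeholders: the new VPS address and the shop's hostname.
    print(check_server_cert("203.0.113.10", "shop.example.com"))
```

A result with `"ok": True` from the new IP means the padlock will be green after the A record moves; a `reason` mentioning the chain or hostname points at the copied cert files, not at DNS.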
I'm using webmin/virtualmin and its default settings for a new virtual server, so basically a user is combined with a virtual server setting pointed to ~/public_html or further (like ~/public_html/wordpress). So each user/virtual server has its own apache and php settings.
So if I understand correctly, in theory if everything is right, I should see the proper padlock, but since I don't, I won't have it after moving the DNS records either, because the test is failing somehow.
Is there a way to check what is failing?
I usually use virtualmin's GUI to obtain certificates, but that is causing lots of issues and I may have to do it from the command line; I have it set to update automatically every two months. I can imagine that after moving, this function may fail if there are some differences.
I noticed something which may help. I see a difference on the GUI side: the new VPS is showing that the cert is already being used, and that is the problem. Here are screens.
So it does check that the cert is used, and it may suggest that after moving the DNS records it will work correctly or... not, if the certs are somehow tied to the old server's virtualmin.
Yes, if you can provide the IP of the new site I can check further.
I don't know enough about webmin/virtualmin to be useful.
But if the "already being use" is part of the problem then these two systems must be under the same webmin/virtualmin control and if that is the case, then getting a separate new cert (for the same exact names) would overcome that problem and is worth testing.
If they are under separate control, then the "already in use" means something else and probably just shows that you have used it elsewhere within that same system.
I decided to change my approach… because sometimes the site on the new server works well, sometimes it doesn’t, and I am confused whether it’s not some cache thing. So instead of doing it manually, I will back up and restore the site with virtualmin migration tools and in theory all should be fine. We’ll see if the cert works that way.
Nothing can be so simple… After restoring the virtual servers, apache2 and mysql failed. I can restart apache if I delete the faulty configs from sites-available, but I cannot figure out what’s wrong with those configs; all seems to be ok, they work on the old VPS. Maybe some php module is missing, but even if I delete the line that is supposedly the root of the problem, the same issue persists. Mysql is even harder to restore because, since the process isn’t running, I can’t access it to correct it; I also have to work on raw files, which I have no idea about… So I couldn’t even get to the cert stuff.
Since my time is running out, I will resume server work in two weeks :(. Eh… At least sites are running on other server.