I am using an email server with integrated support for Let's Encrypt (IceWarp). I am currently in the process of a migration and want to get the certificates installed and configured before I do the final migration of users and data. The new server is in a DMZ environment and the current production email server is up and running. The question is, how can I validate the certs on my new server without taking the current production server offline? If I change any DNS entries or route those external IPs to the new environment, I will end up taking the production environment offline. Is there no other way to validate domain ownership?
Also: This email platform doesn't really give me easy access to the CSR. It does not use Certbot.
Rephrasing @Osiris's response: The easiest way is to just copy over the Certificates and Private Keys. A fallback option is to use DNS-01.
Having done many Email Service Provider migrations though, I want to offer this bit of advice:
Many people find it beneficial to create two new DNS entries for a given domain (example.com): mail-new.example.com and mail-old.example.com before the switchover. This allows users to connect to both systems during the DNS propagation if needed, or allows the new server to pull mail off the old server. Even with a 0 TTL, there are often layers of DNS record caching that can serve the old domain for 24-72 hours.
Usually what I do is this:
Set up mail-old and mail-new mail domains and SSL certificates.
Copy mail certificate from the old system to the new one if recently renewed. Otherwise, renew on old then copy to new.
Copy over mail from old to new
Switch over DNS for mail from old to new.
Set up new server for renewal; disable old server's renewal.
Corporate: Have a cron script migrate mail for several days
Personal: Check old system for a few days
The ACME protocol does not utilize CSRs as traditionally used. With most ACME clients – and in most situations – you do not want to submit or extract a CSR.
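To make the DNS-01 fallback mentioned above concrete, here is an added example (not code from the thread, from IceWarp, or from any ACME client) of the arithmetic behind a DNS-01 challenge as specified in RFC 8555 section 8.4 and RFC 7638: the CA hands the client a token, the client publishes a TXT record at _acme-challenge.<domain> whose value is derived from that token and the ACME account key, and the CA checks the record over DNS. Nothing in that exchange requires the new server's IP to be reachable or the MX/A records of the production server to change, which is why it fits a DMZ staging host. The account key below is a constructed placeholder JWK (not a real key; only its JSON members matter for the thumbprint) and the token is made up.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's required members.

    Canonical form = only the required members, keys in lexicographic order,
    no whitespace. For RSA that is {"e","kty","n"}; for EC {"crv","kty","x","y"}.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the CA will query for this identifier.
    The record lives under the validated domain, so it needs no change to MX, A
    or AAAA records and no traffic to the host requesting the certificate."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk))


def txt_record_published(expected_value: str, observed_txt_values: list[str]) -> bool:
    """Preflight before telling the CA to validate: is the expected value among the
    TXT strings a resolver returned? (Resolver lookup itself is out of scope here;
    pass in whatever your DNS client returned.) Other TXT records at the same name
    are fine; the CA only needs one match."""
    return expected_value in observed_txt_values


# Constructed placeholder account key: the modulus is NOT a real RSA modulus,
# it only exercises the thumbprint computation. Token is likewise made up.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DEMO_NAME, DEMO_VALUE = dns01_record("mail-new.example.com", DEMO_TOKEN, DEMO_JWK)

if __name__ == "__main__":
    print(f"{DEMO_NAME}.  IN  TXT  \"{DEMO_VALUE}\"")
    # Simulated resolver answer (constructed): an unrelated TXT plus ours.
    print("published:", txt_record_published(DEMO_VALUE, ["v=spf1 -all", DEMO_VALUE]))
```

The record name is derived from the identifier being validated, so for mail-new.example.com and mail-old.example.com each gets its own _acme-challenge entry. The same token-and-thumbprint derivation is what an integrated client such as the one in IceWarp performs internally; seeing it spelled out shows why no CSR has to be exported for the validation step, which is separate from the CSR the client later submits for the certificate itself.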