Renew certs from another server


#1

I have no problems with the certificates; I've used Let's Encrypt for a while and it's a nice tool.
My question is about one particular "how to".

My scenario is:
I had a website on a server with an SSL certificate (1 domain and 4 subdomains) from Let's Encrypt, with no problems; renewals OK ... perfect.
But we have moved this website into an AWS high-availability environment, separating those services across 5 servers, so we now have 5 different FQDNs, one for each service. We've just copied the .pem files into AWS to get them working.

The old server is now a staging server for the website, but it has all the certbot, certificate and Let's Encrypt files, configs, etc.

So, I would like to renew those certificates from this server, which has a different DNS name. I'm trying to do it using certonly -webroot -manual and --dry-run (testing mode), but I cannot get it to work.

It is not very clear to me what the process is for doing a renewal like this.

I would appreciate some guidance; the countdown is here.

Alejandro


#2

Hi @aladme

Normally, this should not be a problem. Your server has one name, but the -d options can have the same or completely different names.

So there must be other errors. The main problem I see: if you use http-01, then your staging server must copy the challenge file to your correct server.


#3

Hi,

Extending @JuergenAuer's response.

The renewal should be an issue in your case. Since your website has already moved to other servers (I assume the domains have moved too), and you are using certbot certonly -webroot (which will place a file on your staging server; assuming your domain has also moved, the file will not be present on the machine Let's Encrypt actually connects to)... you might need to consider using certbot certonly --preferred-challenge DNS (using DNS challenges to add a TXT record).

In short, your domain has moved to another server; initiating webroot challenges on the staging server will not pass the challenge files to your production server, hence the validation will always fail.

Thank you


#4

As @stevenzhu says, the HTTP-01 challenge used by --webroot will try to connect to the server that the DNS name points to. However, if that is not the same server that Certbot is running on, Certbot doesn't know how to create the files necessary to satisfy the challenge on a different machine.

In addition to @stevenzhu's helpful suggestion of switching to the DNS challenge (which probably means using, or delegating the _acme-challenge DNS record to, a server that has an API you can use to make DNS changes), you could consider using the GetSSL (or maybe acme.sh?) client, which has a "remote webroot" concept.
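An added example (not code from this thread and not Certbot's own code) that turns the reasoning in #3 and #4 into a pre-flight check you can run on the staging host: for each name it resolves the A/AAAA record and compares it with the addresses this host answers on, reporting http-01 only where the CA's request would actually land here and dns-01 otherwise. It also includes a poller that waits for _acme-challenge.<name> to publish the expected TXT value, which is the wait a --manual-auth-hook should do before it returns. It goes slightly beyond the thread by treating wildcard names as dns-01 only. The function names, the addresses and the sample zone are constructed for illustration; the default address lookup uses the system resolver and the default TXT lookup shells out to dig, so pass your own lookup functions to run it offline.

```python
"""Pre-flight checks for renewing a certificate from a host that the
names do NOT resolve to (the situation in this thread).
Added example; not code from the thread or from Certbot. Names,
addresses and the sample zone below are constructed for illustration.
Challenge semantics are from RFC 8555: HTTP-01 is fetched from whatever
the name resolves to, DNS-01 is read from TXT at _acme-challenge.<name>.
"""
import socket
import subprocess
import time
from typing import Callable, Dict, Iterable, List, Set


def acme_txt_name(domain: str) -> str:
    """Record name a DNS-01 challenge is read from (RFC 8555 section 8.4).
    A wildcard *.example.com validates at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def resolve_addresses(name: str) -> Set[str]:
    """Default A/AAAA lookup through the system resolver (needs network)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def resolve_txt(name: str) -> List[str]:
    """Default TXT lookup by shelling out to dig (needs network and dig).
    dig +short prints one record per line, each string in double quotes."""
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, check=False)
    return [ln.strip().strip('"') for ln in proc.stdout.splitlines() if ln.strip()]


def challenge_plan(domains: Iterable[str], local_ips: Iterable[str],
                   resolve: Callable[[str], Set[str]] = resolve_addresses) -> Dict[str, str]:
    """Decide, per name, which challenge this host can satisfy.
    HTTP-01 works only if the CA's request (port 80 of whatever the name
    resolves to) lands on this machine. A round-robin name with some
    addresses elsewhere is treated as unsafe, since the CA may hit any of
    them. Everything else, and every wildcard, is DNS-01, which does not
    depend on which host certbot runs on.
    """
    here = set(local_ips)
    plan: Dict[str, str] = {}
    for name in domains:
        if name.startswith("*."):
            plan[name] = "dns-01"
            continue
        targets = resolve(name)
        plan[name] = "http-01" if targets and targets <= here else "dns-01"
    return plan


def wait_for_txt(domain: str, expected: str,
                 lookup: Callable[[str], List[str]] = resolve_txt,
                 timeout: float = 120.0, interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until _acme-challenge.<domain> publishes `expected`.
    A --manual-auth-hook should do this after creating the record and
    before it exits: certbot asks the CA to validate as soon as the hook
    returns, and a record not yet visible on the authoritative servers
    fails validation.
    """
    name = acme_txt_name(domain)
    deadline = clock() + timeout
    while True:
        if expected in lookup(name):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


# Constructed sample zone: the web names now point at AWS, the staging
# host (where certbot lives) keeps its own name. Addresses are from the
# documentation ranges (TEST-NET-2/3), not real servers.
SAMPLE_ZONE: Dict[str, Set[str]] = {
    "domain.com": {"203.0.113.10"},
    "subdomain1.domain.com": {"203.0.113.11"},
    "subdomain2.domain.com": {"203.0.113.12"},
    "staging.domain.com": {"198.51.100.5"},
}
STAGING_IPS = {"198.51.100.5"}


def sample_resolve(name: str) -> Set[str]:
    """Offline stand-in for resolve_addresses using SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, set())


def demo() -> Dict[str, str]:
    plan = challenge_plan(list(SAMPLE_ZONE), STAGING_IPS, resolve=sample_resolve)
    for name, challenge in plan.items():
        print(f"{name:24s} {challenge}")
    return plan


if __name__ == "__main__":
    demo()
```

On the staging host in this thread every web name comes back dns-01 and only the staging name http-01, which is exactly why --webroot kept failing while a DNS challenge worked. To use wait_for_txt inside a hook, read CERTBOT_DOMAIN and CERTBOT_VALIDATION from the environment (certbot sets both for --manual-auth-hook) after creating the record through your DNS provider's API, and only exit the hook once the poller returns True.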


#5

Thanks to all for your responses, I've finally got it. I was making a stupid mistake, writing "-manual" instead of "--manual".

So, I've finally got the renewal of my certs from another server with a different DNS name with the following command:

sudo certbot -d domain.com,subdomain1.domain.com,subdomain2.domain.com --manual --preferred-challenges dns certonly

Thanks a lot!


#6

Great! Remember that you will need to rerun this same command in order to renew your certificates in the future, because --manual doesn’t support automated renewal.

