Renew or issue new certificate?

Currently our SSL certificate is installed on an IIS web server and will expire next week. We are planning to migrate the web server from IIS to a CentOS Apache web server. What command do I need to run? Do I need to issue a new certificate, or is it a renewal process?

Hi @jzed, and welcome to the LE community forum :slight_smile:

You will have to install an ACME client compatible with your version of CentOS [to automate the renewal process].
If you want to run the new web server immediately upon the change, you will have to export/import the certificate in advance.
If you are not too concerned with a bit of downtime, you can run the ACME client once the change is made and allow CentOS to obtain its own certificate.

4 Likes

The term "renewal" or "renewing" is actually dependent on the context. E.g., for the Let's Encrypt ACME server, a "renewal" is any newly issued certificate with an identical set of hostnames (order doesn't matter) in the SAN extension. (I'm not sure, but I think RSA vs. ECDSA would matter too.) It doesn't matter to the Let's Encrypt server if that first certificate was on the North Pole and the newly issued certificate in Antarctica: it does not know that and it doesn't care.

However, for an ACME client, "renewing" is getting a new certificate for an already issued certificate by that same ACME client. If a different ACME client would issue a certificate with the same set of hostnames, the first ACME client wouldn't know about it, and wouldn't think the cert had been renewed.

So context, as usual, matters.

5 Likes

This is our plan:

  1. Install a new Apache web server on CentOS 7 and transfer all files to that server; configure the vhost file; configure the firewall.
  2. Install the certbot utility on CentOS 7.
  3. Then, in the DNS registry, change the public IP address to point to the new Apache web server.
  4. Decommission the existing IIS web server.
  5. On the CentOS 7 server, obtain a new SSL certificate using the certbot command (e.g. `sudo certbot --apache -d example.com`).
     Or can I renew the SSL certificate in advance using `certbot renew --force-renewal`?

Do I need to get the old SSL certificate from the IIS web server first? Did I miss something? Thanks

Can I use the certbot command instead?

I would recommend to first learn the basics and read documentation before making up commands you don't understand.

4 Likes

I'm a bit confused because I have an existing IIS web server using a Let's Encrypt SSL certificate and then will suddenly use a CentOS Apache web server.

Can I renew the SSL certificate on the new CentOS 7 server using the certbot command? What is the difference between the acme and certbot commands? Is there any advantage or disadvantage to using acme?

ACME is the name of the protocol used by Let's Encrypt and thus all ACME clients like Certbot.

Please please please read some basics such as How It Works - Let's Encrypt. That makes discussing your proposal much easier.

4 Likes

Certbot is an ACME client [one of many].

If the CentOS has no cert, then it can't renew one.
It can get a new one [once the IP has been changed to point to it].
As mentioned:

[again: The "ACME client" is in your given case going to be Certbot]

5 Likes

Just want to ask: if I'm using `snap install --classic certbot`, do I need to configure the renewal? Because I found 2 files in the /etc/systemd/system directory: snap.certbot.renew.service and snap.certbot.renew.timer.

What do you mean by "configure the renewal"? If you mean: "does Certbot periodically attempt to renew the certs known to Certbot" then everything should be good to go already, no extra configuration necessary.

However, I'm still not convinced you have a firm grasp of how Let's Encrypt actually works: you do realise Certbot can only renew certs that are actually known to it, right? It cannot magically renew certs that are only known to other ACME clients.

4 Likes

Yes, I have basic knowledge of how it works.

What I mean is: do I need to configure a cron job to automate the renewal of SSL certificates?

Did this statement by Osiris not answer this question?

everything should be good to go already, no extra configuration necessary.

5 Likes

Thanks danb35 and Osiris

1 Like

So it means Let's Encrypt renewal is automatically scheduled by default if we use snap?

Another method worth mentioning is to use DNS validation (which creates a temporary TXT record in your DNS to prove you control the domain) on your CentOS server instead of using HTTP domain validation. That way you don't have to wait for the DNS switchover to the new machine; you can get your new certificate at any time, even while DNS still points to the old server. This is also good for testing before you go live on the new server (you can point your local machine's 'hosts' file at the new IP to test in a browser).

It largely depends on who your DNS provider is, whether they have an API that's supported by a DNS plugin, etc., but it's a good way to have service portability.
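The pre-cutover test described in the post above (reach the new server by IP while DNS still points at the old one) and Osiris' definition of a Let's Encrypt "renewal" (same SAN hostname set, order irrelevant) can both be checked from the new server's certificate. This is an added example, not code from the thread or from Certbot; the domain, IP and certificate dicts are constructed placeholders, and `fetch_cert` is the only part that needs a network.

```python
"""Check a new server's TLS certificate before switching DNS over to it."""
import socket
import ssl
import time


def san_hostnames(cert):
    """DNS names in the SAN extension of a getpeercert()-style dict, as a set."""
    return {val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"}


def is_renewal_of(new_cert, old_cert):
    """Let's Encrypt treats a cert as a renewal when the SAN set is identical."""
    return san_hostnames(new_cert) == san_hostnames(old_cert)


def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means the cert is ready for cutover."""
    if now is None:
        now = time.time()
    problems = []
    names = san_hostnames(cert)
    if hostname not in names:
        problems.append(f"{hostname} is not covered by SAN {sorted(names)}")
    # notAfter is rendered like 'Jun  1 12:00:00 2024 GMT'; ssl parses that format.
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining <= 0:
        problems.append("certificate has already expired")
    elif remaining < 7 * 86400:
        problems.append(f"certificate expires in {remaining / 86400:.1f} days")
    return problems


def fetch_cert(ip, hostname, port=443):
    """Connect to an explicit IP but send SNI for hostname, like a hosts-file override.
    The default context verifies the chain and the hostname; failures raise ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates standing in for the old IIS cert and the new CentOS cert.
OLD_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
            "notAfter": "Jan  8 12:00:00 2099 GMT"}
NEW_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
            "notAfter": "Mar  1 12:00:00 2099 GMT"}

if __name__ == "__main__":
    # Replace with fetch_cert("203.0.113.10", "example.com") against the real new server.
    print("renewal:", is_renewal_of(NEW_CERT, OLD_CERT))
    print("problems:", check_cert(NEW_CERT, "example.com"))
```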

6 Likes
