Renewal of multiple domains / providers

Hi,
Currently I have set up my domain for desec.io (domain.dedyn.io) with their hook script - working fine, autorenewal working in combo with a prosody server.

In addition to that I wanted to set up a certificate for a new domain (domain.org) - not hosted/belonging to desec.io - all with certbot
(plan is to switch from domain.dedyn.io to domain.org)

Q:

  • Can this run within one certbot command / do I need to enhance "old" one or do I need a second run, if so, separately or combined? Don't wanna mess certs for domain/prosody
    OR
  • Fresh / new setup of certbot to serve only the new domain.org? (then, how to disable automatic renewal for domain.dedyn.io)?

Thx in advance,
br,
Mike

Hi @un99known99 and Welcome to the community..
IMHO simple is usually the best solution.

  1. Configure your NEW domain with a fresh new certbot and obtain a fresh new cert.
  2. Disable/remove your OLD cron or system timer (whatever) and allow the old cert to expire with dignity.

You could make it complicated if you want to. I recommend that you keep it simple.
EDIT: You will get an email from LE warning of the impending cert expiration of the OLD cert.

4 Likes

So if I understand correctly, both sites are hosted on different machines?

I.e.: your domain.dedyn.io site is hosted by desec.io? And your new domain is going to be hosted somewhere else entirely?

In that case I'm sure you'd want to retire your hosting at desec.io at some point, right? Maybe have a redirect in place for a certain time? That redirect should also use or at least be reachable through HTTPS. And when your site at desec.io is being canceled, wouldn't that also stop their certificate renewal? (I'm not sure what desec.io is exactly, so maybe I'm missing something here..)

3 Likes

I would like to switch my prosody instance (and other stuff) from domain.dedyn.io to domain.org, therefore I would like to use the same certbot running on the machine but retire the renewal of domain.dedyn.io AND enable new cert + renewal for domain.org (retiring gracefully renewal of domain.dedyn.io), so all in all it should kind of change in certbot
Would that work out or how could it be reshened?
@Osiris same machine

Ah, same machine..

I would just add a new certificate for your new domain and if you're ready to drop support for the old domain (e.g., no redirect necessary any longer, DNS name removed entirely, virtualhost in the webserver for the old domain removed et cetera) you can just remove the certificate from the older domain name from certbot.

3 Likes

for "remove the certificate from the older domain name from certbot":

  • Could you help me in how to add new domain (*.domain.org, domain.org) to existing certbot setup
    and
  • afterwards dropping "old" one from certbot

Would be a g8 help

Getting a wildcard certificate means you need to use the dns-01 challenge type (see Challenge Types - Let's Encrypt about the different challenge types). This is usually a little bit more difficult to implement, depending on your DNS provider. See User Guide — Certbot 1.21.0.dev0 documentation for DNS plugins available to certbot. Other ACME clients could offer different and/or more DNS plugins, such as acme.sh.

But in essence, adding a new certificate with new hostnames is done by just running certbot again like you did before, but now with the options specifically for your new certificate (such as a different authentication plugin).

For removing a certificate: please see the certbot documentation: User Guide — Certbot 1.21.0.dev0 documentation

2 Likes
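
The steps from the replies above (issue a separate certificate for the new name over dns-01, then delete the old one), as an added example that is not part of the original thread. The hook script paths and the `/etc/prosody` default are assumptions; the check before deletion refuses to remove the old lineage while any config file passed to it still points at the old certificate's files.

```shell
#!/bin/sh
# Added example: move one certbot install from the old lineage to a new one.
OLD_CERT="domain.dedyn.io"   # assumes the lineage is named after the old domain
NEW_DOMAIN="domain.org"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # certbot's default live directory
# Hypothetical dns-01 hook scripts for the new domain's DNS provider.
AUTH_HOOK="${AUTH_HOOK:-/usr/local/bin/dns-auth.sh}"
CLEANUP_HOOK="${CLEANUP_HOOK:-/usr/local/bin/dns-cleanup.sh}"

# Step 1: request apex + wildcard as its own lineage; the old one is untouched.
issue_new() {
  certbot certonly --manual --preferred-challenges dns \
    --manual-auth-hook "$AUTH_HOOK" --manual-cleanup-hook "$CLEANUP_HOOK" \
    --cert-name "$NEW_DOMAIN" -d "$NEW_DOMAIN" -d "*.$NEW_DOMAIN" "$@"
}

# Step 2: print config files that still reference the old lineage's files.
# Returns 0 when at least one reference remains.
old_cert_in_use() {
  [ $# -gt 0 ] || set -- /etc/prosody   # assumed default search path
  grep -rlF -- "$LIVE_DIR/$OLD_CERT/" "$@" 2>/dev/null
}

# Step 3: delete the old lineage (this also ends its renewal), but only
# once nothing in the given config paths references it any more.
retire_old() {
  if old_cert_in_use "$@"; then
    echo "refusing to delete $OLD_CERT: still referenced by the files above" >&2
    return 1
  fi
  certbot delete --cert-name "$OLD_CERT"
}

case "${1:-}" in
  migrate)   # rehearse against staging first, then issue for real
    shift
    issue_new --dry-run && issue_new && certbot certificates
    echo "Point services at $LIVE_DIR/$NEW_DOMAIN/, reload, then: $0 retire <config dirs>"
    ;;
  retire)
    shift
    retire_old "$@"
    ;;
esac
```

Run it as `migrate` first and as `retire /etc/prosody <other config dirs>` only after the services have been reloaded with the new certificate paths.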
