Server Changed and DNS mapped with New IP

Hello Team,

We replaced our Ubuntu 14.04 machine with Ubuntu 20.04 and DNS is mapped with the New Server IP i,e Ubuntu 20.04.

We copied the old certs on new machine and it was working fine. But now the certs are near to expire.

So we want to renew the certs. We installed the certbot on Ubuntu 20.04 machine. But how we can renew the cert on this machine? Because the certificats are not available on this machine?

Do we need to create the certs again?

Can you please help us how we can renew without intruptting the service of our webserver. Because its production environment.

Thank You

2 Likes

Did you copy all of /etc/letsencrypt/ to the new server, or just some of the files?

2 Likes

@_az, Its our HAproxy webserver and we copied the concatenate file of fullchain.pem and privkey.pem files.

So /etc/letsencrypt directory and all the other supporting files/certs inside this directory are not available on new machine.

Please help us.

Thank You

2 Likes

Certbot's autorenewal depends on those other supporting files. You will need to get a new certificate using Certbot, but you can do it without any downtime.

Step 1: Prepare haproxy so that we can use Certbot with it.

Add this backend to your configuration (Certbot will use this port):

backend certbot
  server certbot 127.0.0.1:402

and also add this rule to your frontend, so that Let's Encrypt's validation requests will be forwarded to Certbot:

acl is_letsencrypt_request path_beg /.well-known/acme-challenge/
use_backend certbot if is_letsencrypt_request

Reload haproxy (without restart, no downtime).

Step 2: Create a deploy hook to automatically perform the concatenation and deployment:

You can save this as /etc/letsencrypt/deploy-haproxy.sh :

#!/usr/bin/env bash
set -eu
umask 077
cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "$RENEWED_LINEAGE/haproxy.pem"
service haproxy reload

and give it appropriate permissions:

chmod 0755 /etc/letsencrypt/deploy-haproxy.sh

Step 3: Finally, create the certificate:

certbot certonly --standalone --http-01-port 402 \
--deploy-hook /etc/letsencrypt/deploy-haproxy.sh \
-d example.com -d www.example.com

Assuming that succeeds, you can now change your haproxy configuration to use /etc/letsencrypt/live/example.com/haproxy.pem and reload it. Renewals will be done automatically.

This covers all the steps you need to go from nothing to automated haproxy renewals, without causing haproxy downtime. You can make adjustments for your environment where necessary.

4 Likes

@_az, Its worked like a charm.

Thank You for your helping hands.

3 Likes

One small addition to @_az's excellent haproxy instructions. If you're sharing a front end that hosts multiple backend sites with different certs, you can point the bind line to a folder for certs instead of a specific file and it will pick up the appropriate file that matches the host header via SNI. I usually include a "fallback" cert as well in case none of the existing certs have a host header match. So something like this:

frontend https-in
    bind :443 ssl crt /opt/certbot/haproxy/_fallback.pem crt /opt/certbot/haproxy

This just simplifies the haproxy config a tiny bit when adding new sites because you don't have to reference each cert file individually.

4 Likes