Server migration. No FTP access. Do I revoke the certificate?


#1

Really quick question: I’m migrating my website and I don’t have FTP access.

What do I do with my existing certificate? Do I need to revoke it? Is there a way to transfer it?

My new hosting provider is Digital Ocean if that matters.

If you can point me to a tutorial or something, I’m happy to follow it.

Thanks,
Gerry


#2

Strictly speaking, when moving from one hosting service to another you’re wise to revoke your previous certificate indeed. How did you obtain and/or install your first certificate? Do you have access to the private key?

If you have HSTS (HTTP Strict Transport Security) set, I’m recommending obtaining a new certificate first somehow, without your previous hoster ever knowing the new private key.
If you didn’t set HSTS, you can fix a working website on your new hoster first and fix a certificate after the migrating stuff is done.

If you could provide more details about your previous hosting situation, that would be helpful.


#3

Thank you for your reply!

Well, here’s the situation: Me and my biz partner are splitting. He used to manage the hosting of both our websites. He installed the certificate.

Now, I need to migrate my website to a new hosting service but he told me to use the WP dashboard and import/export plugins and I don’t have FTP access. So, I can’t exactly copy the old certificate.

If I understand correctly, I’ve got 2 options:

  1. If my previous configuration has HSTS, I can simply install a new certificate on the new website. I’ll simply follow DO’s instructions, install letsencrypt and request a new certificate. Is that right?
  2. If I don’t have HSTS, I can wait for the old certificate to expire and request a new one after migrating the website. Will my visitors get a warning when visiting the website? I’m pretty sure my current website comes with some setting to use SSL because I tried migrating the other day and it immediately started redirecting me to https. If I can turn that off, I can live without a certificate.

All I really care about is the warning and if the website will work. I’m running a blog, so security isn’t a huge concern to my visitors. Right now, I just need it to work, certificate or no certificate.

Thanks again!


#4

HSTS tells web browsers that your non-HTTPS site must never be used. If this was set at the old host, then web browsers (probably yours, but also lots of your visitors) will always try to visit https://example.com not http://example.com regardless of what they type, or what bookmarks they follow. It sounds from your description as if HSTS is set at the old site, although it’s hard to be exactly sure without a bit more technical detail because it could also just be redirecting you “by hand” without HSTS.

Let’s Encrypt will be happy to issue you with a new certificate at any time, no need to wait for the old one to expire (but there are rate limits, so please don’t try to do this every day). It makes sense to ask for one as soon as the new hosting is working. However, if you have HSTS then the unencrypted HTTP site won’t work at all, so it will be especially important to get the HTTPS site working ASAP. Without a valid certificate (and associated private key) the HTTPS site won’t work and there will indeed be a warning. In fact, if HSTS is set, it’s not a warning, it’s a fatal error, many browsers just won’t let the visitor see your site at all until the problem is fixed.

So: If it’s practical to get the valid certificate and private key from the old site, you should do this, at least as an interim measure. Otherwise, make sure before you do the transfer that you understand how to get a new Let’s Encrypt certificate at the new location and have it installed for HTTPS, and put both very high on your TODO list once the new host is serving your site instead of the old one. If HSTS is set, and you find you can’t get a valid certificate installed for the new site, you’re going to be “off the air” until you fix that.

Also if you’re a blogger this is a good time for a “heads up” post saying there’s going to be roadworks and for people to please be patient / reach out via some other means until it’s all finished. Happiness is the correct setting of expectations.


#5

Thanks to both of you! That’s incredibly helpful and it’s exactly what I needed to know.

I will get back to you for reissuing my certificate once the website is migrated.

You rock! Stellar support!

P.S.: I found a WP plugin called “Really Simple SSL”. Disabling it removes the HTTPS redirect. So, fingers crossed, there is no HSTS involved. I will do my due diligence anyway.

Cheers,
Gerry


#6

If you don’t have more than one WordPress based personal website (something with magic? :stuck_out_tongue:) , you’re probably safe :wink:

```
osiris@desktop ~ $ telnet <yoursite> 80
Trying <yoursite'sIPaddress>...
Connected to <yoursite>.
Escape character is '^]'.
GET / HTTP/1.1
Host: <yoursite>

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 26 Aug 2016 20:25:23 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 230
Connection: keep-alive
Location: https://<yoursite>/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://<yoursite>/">here</a>.</p>
</body></html>
Connection closed by foreign host.
osiris@desktop ~ $
```

No HSTS header to be found. :slight_smile:
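
Added example, not part of the original post: browsers only store a Strict-Transport-Security policy when the header arrives over HTTPS (RFC 6797), so a pre-migration check should read the port-443 response as well as the port-80 redirect. The sketch below parses raw responses and reports whether returning visitors would need a valid certificate at cutover; the sample responses and the `example.com` host are constructed, and the function names are hypothetical.

```python
import re

def parse_headers(raw):
    """Header block of a raw HTTP/1.x response as a dict with lower-cased names."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            # RFC 6797 8.1: only the first STS header field is processed
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def hsts_policy(raw_response, over_tls):
    """Policy a browser would store from this response, or None."""
    if not over_tls:
        return None                            # STS over plain HTTP is ignored
    value = parse_headers(raw_response).get("strict-transport-security")
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None   # max-age is required

def cert_needed_at_cutover(policy):
    """True if returning visitors will refuse HTTP and hard-fail on a bad cert."""
    return policy is not None and policy["max_age"] > 0         # max-age=0 clears it

# Constructed sample responses (example.com is a placeholder host).
PORT_80 = "\r\n".join(["HTTP/1.1 301 Moved Permanently", "Server: nginx",
                       "Location: https://example.com/", "", ""])
PORT_443 = "\r\n".join(["HTTP/1.1 200 OK", "Content-Type: text/html",
                        "Strict-Transport-Security: max-age=31536000; includeSubDomains",
                        "", "<html></html>"])

if __name__ == "__main__":
    for label, raw, tls in (("http", PORT_80, False), ("https", PORT_443, True)):
        policy = hsts_policy(raw, tls)
        print(label, policy, "cert needed at cutover:", cert_needed_at_cutover(policy))
```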


#7

lol Thank you! It’s so kind of you to do this check. Yes, all I have is some magic :smiley:

Whew! That’s a relief.


#8

Hi again!

I’m reopening this thread because I have an update.

So, the saga with my certificate continues. I’ve gotten my hosting working and transferred the old domain to the new hosting.

I don’t have the old SSL certificate unfortunately. I don’t want to use the automated letsencrypt installer because it requires a domain name. I suspect it will try to generate a new SSL certificate for me and I’ll end up in a mess.

Could you please re-issue my SSL certificate and let me know the correct way to associate it with my domain and hosting?

Thanks,
Gerry


#9

Hi Gerry,

Do you have your old “private key”? I suspect not, in which case you can’t use the existing cert.

Obtaining a new cert for the domain shouldn’t be a problem, and shouldn’t get you in a mess.


#10

Hi!

Thanks for your reply.

No, I don’t have my old private key but I also don’t want to use my existing certificate. I want a new one.

But I’m not sure what the protocol is here.

Is there anything specific I need to do in this case? Should I ask someone to invalidate my old certificate? Offer proof of domain ownership? Or do I just install letsencrypt like I would on a brand-new website?


#11

just install letsencrypt like you would on a brand-new website


#12

Thanks! I’ll give that a try. :slight_smile:


#13

That’s only possible when you’ve got some sort of private key: either the private key corresponding to the certificate or the private key for your Let’s Encrypt account used to issue the certificate. But seeing your situation with your former business partner, you probably don’t have access to either?


#14

> But seeing your situation with your former business partner, you probably don’t have access to either?

You are correct. I don’t have access to these.


#15

The CA (in this case Let’s Encrypt) is technically obliged to consider requests to revoke a certificate from more or less anybody who can show a good reason. Still, I wouldn’t bother unless you expect the old certificate to be abused to impersonate your site. Allowing it to just quietly expire is fine.


#16

Well, “impersonating” will be quite difficult unless @gerrydimova’s former business partner is some kind of 31337 hacker… But the fact remains: someone who isn’t @gerrydimova has access to the private key and corresponding certificate belonging to a domain of which @gerrydimova is the “owner”.


#17

Thanks! I don’t expect any kind of malicious acts on my ex-partner’s side. There’s no reason for that to happen. The old certificate expires this November.


#18

Hey guys!

Just wanted to drop by and say a big THANK YOU to everyone who helped me out here :slight_smile:

I installed a new cert successfully and I’m happy to report everything is working properly.

If I can leave you some sort of feedback in public space, let me know. I’d be thrilled to.

