Strictly speaking, when moving from one hosting service to another you’re wise to revoke your previous certificate indeed. How did you obtain and/or install your first certificate? Do you have access to the private key?
If you have HSTS (HTTP Strict Transport Security) set, I’m recommending obtaining a new certificate first somehow, without your previous hoster ever knowing the new private key.
If you didn’t set HSTS, you can fix a working website on your new hoster first and fix a certificate after the migrating stuff is done.
If you could provide more details about your previous hosting situation, that would be helpful.
Well, here’s the situation: My biz partner and I are splitting. He used to manage the hosting of both our websites. He installed the certificate.
Now, I need to migrate my website to a new hosting service but he told me to use the WP dashboard and import/export plugins and I don’t have FTP access. So, I can’t exactly copy the old certificate.
If I understand correctly, I’ve got 2 options:
If my previous configuration has HSTS, I can simply install a new certificate on the new website. I’ll simply follow DO’s instructions, install letsencrypt and request a new certificate. Is that right?
If I don’t have HSTS, I can wait for the old certificate to expire and request a new one after migrating the website. Will my visitors get a warning when visiting the website? I’m pretty sure my current website comes with some setting to use SSL because I tried migrating the other day and it immediately started redirecting me to https. If I can turn that off, I can live without a certificate.
All I really care about is the warning and if the website will work. I’m running a blog, so security isn’t a huge concern to my visitors. Right now, I just need it to work, certificate or no certificate.
HSTS tells web browsers that your non-HTTPS site must never be used. If this was set at the old host, then web browsers (probably yours, but also lots of your visitors) will always try to visit https://example.com not http://example.com regardless of what they type, or what bookmarks they follow. It sounds from your description as if HSTS is set at the old site, although it’s hard to be exactly sure without a bit more technical detail because it could also just be redirecting you “by hand” without HSTS.
Let’s Encrypt will be happy to issue you with a new certificate at any time, no need to wait for the old one to expire (but there are rate limits, so please don’t try to do this every day). It makes sense to ask for one as soon as the new hosting is working. However, if you have HSTS then the unencrypted HTTP site won’t work at all, so it will be especially important to get the HTTPS site working ASAP. Without a valid certificate (and associated private key) the HTTPS site won’t work and there will indeed be a warning. In fact, if HSTS is set, it’s not a warning but a fatal error: many browsers just won’t let the visitor see your site at all until the problem is fixed.
So: if it’s practical to get the valid certificate and private key from the old site, you should do this, at least as an interim measure. Otherwise, make sure before you do the transfer that you understand how to get a new Let’s Encrypt certificate at the new location and have it installed for HTTPS, and put both very high on your TODO list once the new host is serving your site instead of the old one. If HSTS is set, and you find you can’t get a valid certificate installed for the new site, you’re going to be “off the air” until you fix that.
Also if you’re a blogger this is a good time for a “heads up” post saying there’s going to be roadworks and for people to please be patient / reach out via some other means until it’s all finished. Happiness is the correct setting of expectations.
Thanks to both of you! That’s incredibly helpful and it’s exactly what I needed to know.
I will get back to you for reissuing my certificate once the website is migrated.
You rock! Stellar support!
P.S.: I found a WP plugin called “Really Simple SSL”. Disabling it removes the HTTPS redirect. So, fingers crossed, there is no HSTS involved. I will do my due diligence anyway.
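An added example, written for this thread and not code from anyone posting in it or from Let’s Encrypt: a small Python parser for the Strict-Transport-Security header, which is the concrete check behind both the HSTS explanation in the earlier reply and the “fingers crossed, there is no HSTS” remark in the P.S. above. Browsers remember the policy for max-age seconds after the last time they saw it over HTTPS, so the old host having stopped sending it is not enough; visitors who loaded the site before the move keep forcing HTTPS until that clock runs out. The two header blocks below are constructed samples standing in for what `curl -sI https://example.com` would return from the old and the new host; the function names are my own. It also covers max-age=0, the value a site sends to tell browsers to forget the policy, which goes a little beyond what the reply mentions.

```python
from typing import NamedTuple, Optional


class HstsPolicy(NamedTuple):
    max_age: int              # seconds the browser must keep forcing HTTPS
    include_subdomains: bool  # policy also applies to every subdomain
    preload: bool             # site asks to be shipped in browser preload lists


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security value per RFC 6797.

    Returns None when the value is malformed (no max-age, non-numeric
    max-age, or a repeated directive), which is what browsers do too.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be quoted
        if name in seen:
            return None                      # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as browsers ignore them
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def find_hsts(raw_response: str) -> Optional[HstsPolicy]:
    """Return the HSTS policy from a raw HTTP response (status line + headers).

    Only the first STS header is honoured, as RFC 6797 section 8.1 requires.
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def still_enforced(policy: HstsPolicy, seen_at: int, now: int) -> bool:
    """True while a browser that saw `policy` at `seen_at` (epoch seconds)
    still refuses plain HTTP at time `now`. max-age=0 clears the policy."""
    return policy.max_age > 0 and now < seen_at + policy.max_age


# Constructed sample responses; a real capture would come from `curl -sI`.
OLD_HOST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
NEW_HOST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("old host", OLD_HOST_RESPONSE), ("new host", NEW_HOST_RESPONSE)):
        policy = find_hsts(resp)
        if policy is None:
            print(f"{label}: no HSTS header, plain HTTP stays usable")
        else:
            days = policy.max_age // 86400
            print(f"{label}: HSTS for {days} days, subdomains={policy.include_subdomains}")
```

If the old host turns out to have sent a year-long max-age, a visitor whose browser saw it last week will keep insisting on https:// for the rest of that year, whatever the new host does, so the new certificate has to be in place before the DNS change rather than after it.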
I’m reopening this thread because I have an update.
So, the saga with my certificate continues. I’ve gotten my hosting working and transferred the old domain to the new hosting.
I don’t have the old SSL certificate unfortunately. I don’t want to use the automated letsencrypt installer because it requires a domain name. I suspect it will try to generate a new SSL certificate for me and I’ll end up in a mess.
Could you please re-issue my SSL certificate and let me know the correct way to associate it with my domain and hosting?
No, I don’t have my old private key but I also don’t want to use my existing certificate. I want a new one.
But I’m not sure what the protocol is here.
Is there anything specific I need to do in this case? Should I ask someone to invalidate my old certificate? Offer proof of domain ownership? Or do I just install letsencrypt like I would on a brand-new website?
That's only possible when you've got some sort of private key: either the private key corresponding to the certificate or the private key for your Let's Encrypt account used to issue the certificate. But seeing your situation with your former business partner, you probably don't have access to either?
The CA (in this case Let’s Encrypt) is technically obliged to consider requests to revoke a certificate from more or less anybody who can show a good reason. Still, I wouldn’t bother unless you expect the old certificate to be abused to impersonate your site. Allowing it to just quietly expire is fine.
Well, "impersonating" will be quite difficult unless @gerrydimova's former business partner is some kind of 31337 hacker... But the fact remains: someone who isn't @gerrydimova has access to the private key and corresponding certificate belonging to a domain of which @gerrydimova is the "owner".
Thanks! I don’t expect any kind of malicious acts on my ex-partner’s side. There’s no reason for that to happen. The old certificate expires this November.