Site moving, need certificate for new host before it is visible

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: democracy.york.gov.uk

I ran this command:

It produced this output:

My web server is (include version): windows 2016 iis

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme 2

So, to clarify: new copy of site needs to have TLS set up to be tested, but existing copy of site (different server) has the DNS entry, so cannot do conventional setup. Trying to find a mechanism to let me create the certificate, but ???

I am considering that setting up a single site cert on the existing site (it uses a SAN one at present) and then exporting it over would maybe work.

Hi @Goatie

Checking your domain via https://check-your-website.server-daten.de/?q=democracy.york.gov.uk you already have a certificate:

CN=democracy.york.gov.uk | 08.10.2019 | 06.01.2020 | expires in 47 days | democracy.york.gov.uk, elicensing.york.gov.uk, tfweb.york.gov.uk, yorklearning-wordpress.york.gov.uk - 4 entries

You can copy the private and the public key and you can use the same certificate with two servers.

Later, change your dns A/AAAA record.

Assuming the name will remain the same: Just take a copy of the existing cert and also use it on the new system.
If that is not possible (cert expiring very soon, no way to export/import files from one system to the other): [both of which seem highly unlikely]
You could always try manually issuing a cert via DNS authentication.
[this would buy you 90 days of rest - well 89]

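An added example (not part of any post above, and not Let's Encrypt or IIS code): a Python check to run from a workstation against the new server's IP address, with the site name sent as SNI, to confirm that the copied certificate is served, covers the name and is not close to expiry before the DNS record is changed. The function names, the 14-day threshold and the 203.0.113.10 placeholder address are assumptions, and the sample data is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(ip, hostname, port=443, timeout=10):
    """Connect to the new server by IP with `hostname` as SNI; return its cert.
    The default context verifies chain and hostname, so a bad cert raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_names(cert):
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(cert, hostname):
    """True if a SAN entry matches hostname (wildcard only as leftmost label)."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in san_names(cert))

def days_left(cert, now=None):
    """Whole days until notAfter; negative once expired."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) // 86400)

def check(cert, hostname, now=None, min_days=14):
    """Problems to fix before the DNS change; empty list means ready."""
    problems = []
    if not covers(cert, hostname):
        problems.append(f"{hostname} is not in the SAN list {san_names(cert)}")
    remaining = days_left(cert, now)
    if remaining < min_days:
        problems.append(f"certificate has only {remaining} days left")
    return problems

# Constructed sample in getpeercert() form (names and expiry date as quoted above).
SAMPLE = {
    "subjectAltName": tuple(("DNS", n) for n in (
        "democracy.york.gov.uk", "elicensing.york.gov.uk",
        "tfweb.york.gov.uk", "yorklearning-wordpress.york.gov.uk")),
    "notAfter": "Jan  6 00:00:00 2020 GMT",
}
# Live use (203.0.113.10 is a placeholder for the new server's address):
#   print(check(fetch_cert("203.0.113.10", "democracy.york.gov.uk"), "democracy.york.gov.uk"))
```

If IIS on the new host answers with a different site's certificate, `fetch_cert` fails with `ssl.SSLCertVerificationError` instead of returning a certificate.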

Already tried that but the other sites on the new server get upset by the SAN one.

I’ll try the DNS option.

Can you show the error?

Then your configuration of your new server is wrong.

But that's not a certificate creation problem. So you will have the same problem with a newly created certificate.

If it’s a NEW server…
How are there any sites there to get upset by this SAN cert?

[sorry have to re-reply - ran out of edits]
…continued…
All certs should only be applied to the sites named in the SAN of the cert.
Assuming you have other sites, they should have their own certs (already) or NOT be using TLS at all.

Right. Some confusion here. I’ve put the SAN one back in and can’t make it throw the error. I didn’t bother checking it at the time, but the business users were complaining about something.
The other site using a certificate has a single site one, and to be honest I didn’t apply the temp one myself.

Progress is progress. 🙂
Take what you can get!

Interesting. Windows 2012r2 mucks the config file up if you manually apply a SAN certificate. Windows 2016 seems to pick a random victim site in its configuration and rewrite that one’s bound certificate.

I’ll see what happens when the single site one is applied, in a couple of months.
