My domain is: domain.com
I ran this command:
It produced this output:
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): Debian 10
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Apologies if this is an FAQ, I couldn’t find much about it in the docs or FAQ or here on the forums.
I am in the process of migrating domain.com from old server A to new server B, at a new hosting provider. Old server A has SSL certificates for domain.com, but not through Let’s Encrypt. I am switching to Let’s Encrypt on new server B.
On new server B, I first set up a staging site and generated a new LE cert for it:
certbot --apache -d staging.domain.com -d host2.domain.com
This worked fine, and I have been testing and using that site for weeks. Later, as the actual move gets closer, I created a new certificate for www and non-www versions of the domain. Since www and non-www are still live at old server A, I can’t use the http challenge method, so I used dns instead. This also worked fine - I added the TXT DNS records, and by editing my /etc/hosts I can fool my browser into visiting new site B to test, and the new certs work fine:
certbot certonly --manual --preferred-challenges=dns -d domain.com -d www.domain.com
(and yes I want to keep the certs for staging and www/non-www separate).
All good so far. Now I want to understand how the automated renewals will work. Debian 10 is systemd and though I am new to systemd I can see the various unit files and timers etc, and I can see from /var/log/letsencrypt that it is running fine.
Question 1) From what I understand, the cert I created for staging will auto-renew just fine, because I used the certbot should both update the cert, and restart Apache for it to take effect. Is that correct?
Question 2) When I first ran certbot for the staging site, it modified my vhost config files and added the SSL-related config. While I haven’t changed those SSL-related lines, I have made significant other changes to those vhost files, including merging 80/443 configs into a single file, etc. Will certbot renew attempt to modify those vhost files again during renewal, or will it see the SSL-related lines unchanged and therefore leave them alone?
Question 3) My understanding is that bcs I used dns for the www and non-www domain certificate, the auto-renewal of those won’t work. I’ve seen suggestions to switch to the apache plugin to make the renewal simpler. I can’t do that until I’ve updated the DNS and actually switched from old server A to new server B of course. But how would I actually do that? The docs discourage modifying the renewal config file (/etc/letsencrypt/renewal/domain.com.conf). So how do I switch renewals from using my original