Dear Let's Encrypt community
Assume the following situation: Two independant webservers, i.e. each one has its own account an e-mail address in its regr.json configured. Also each one has hosted multiple sites which means that transferring the whole /etc/letsencrypt directory is not an option. Also assume full Linux root access on both servers and both are running the
certbot ACME client. Also important: Both webservers still stay in operation.
The goal: Transferring a single website from A to B. The classic way might be to call
letsencrypt delete --cert-name www.example.com
on the previous server, then update the DNS information for the example.com domain. After waiting 1-2 days (DNS update propagation time!) then running
letsencrypt certonly --standalone -d www.example.com
on the new server and creating the necessary virtual host.
A Google search points to some articleys saying that I just should copy /etc/letsencrypt/live/www.example.com in that case to the new server but this seems to be not an optimal solution.
So the question (consider this as feature request): Special export and import command which export the complete certificate and its renewal configuration one the old server in such a way that the old server automatically deletes this certificate when expired, i.e. not longer processed by the
letsencrypt-auto --no-self-upgrade renew command.
On the other side, a special import command should be created which immediately activates the certificate with a complete configuration. To avoid error messages during the renew process where the DNS update has not been completed yet, a special quarantine time parameter should be implemented which skips the renewal process the first five days after import for example.
Thanks for clarifying how this process should be handled correctly with the current Certbot client (0.31.0 in my case).
I don't get exactly why you can't do that.
certbot (and obtaining new certs) end up with this exact same file structure?
As for version 0.31.0, that is very far from current (1.22.0).
And I'm pretty sure there is no plan to update it specifically.
Thanks for your quick answer.
To understand the situation: Both servers have running several other sites which must stay unchanged. This is the reason why I explicitly ask for the correct transfer process of a single TLS site.
certbot or requesting certificates via
certbot won't change your web server configuration.
[unless you explicitly ask it to do so]
But don't you want both server IPs to respond properly to any https request while your DNS propagates? So, you need certs and server conf on both servers during the transition.
You could just copy over the two cert files (fullchain and privkey) from old server to a temp location in your new server and setup your new server conf to use those two until your old server no longer responds to any requests. You can test connections at new server before DNS change using openssl to connect to IP directly with
-servername option (if openssl 1.1 or later)
Once new server is only active one setup a proper cert request / renew on the new server and update its conf to use these new certs. The last step is to delete the certs and conf from the old server (if that is necessary).
This can be done slowly step-by-step without risking connections to existing server.
Aside: If you control your DNS you could set TTL to very short value now and wait for old TTL value to expire before changing the IP. This minimizes window. Set TTL back after new site proven. But, above is viable anyway and seems less risky than a "hot swap".
Thanks for all your answers.
So when I understand you correctly, the "officially supported" way is first doing a manual copy of the certificate file from the old server to a temporary location and setup the virtual host accordingly. Then the DNS transition can be started.
After the new IP address is fully propagated worldwide on all DNS resolvers, then a
letsencrypt delete must be done together with deleting the virtual host on the old server and a
letsencrypt certonly --standalone -d can be done on the new server. Last step is the change the path in the virtual host's configuration with service restart. So the process is finished.
Can you confirm that way?
There is NO "official supported" way.
Any which way that you can get it to "work" (as you expect it) can be supported.
Some ways may make more sense given the circumstance (and some won't).
We can help you talk though those steps and help inform you, so that you can make the best decision possible.
I think you are overthinking this move.
For instance: You don't want to take any
certbot files form the old system and then are going to renew/reissue those very same certs using
certbot in the new system before they expire.
Absolutely agree. There are a number of good methods for doing this.
And @dreael, if you want to take my suggestion you need to re-read it. You have my description out of sequence. And, you missed a key step to test your new server before switching DNS.
You mean reducing the TTL live time tempoarily?
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.