What is the best strategy for a DNS change?

Currently I have several web apps delivered from an external hoster; there, dehydrated was used to generate SSL certs.

I want to move all those web apps to our internal computer center, where I use Certbot.

Obviously, I do not want a lot of downtime.

What kind of strategy do you propose?

Do I have to copy over the certs?

Can Certbot be forced to directly ask the relevant name server instead of a generic one, so it does not take a lot of time for the updated DNS data to be propagated?

Thank you for any tips.

You don't need to switch to certbot, you can still use dehydrated for these websites.
The best suggestions I have from my personal experience are:

  1. copy the whole content (files) and certificate (make sure that existing certificate is valid for at least 2 more days)
  2. double-check there's no problem for site visitors (you might want to temporarily modify your computer's hosts file to confirm before editing your DNS records to push the server change to the public).
  3. If everything is good, modify your DNS records, perform a dry-run a few minutes later (depends on how long your TTLs are and how your DNS servers)
  4. If there's anything wrong with dry-run, try to resolve it (you have at least a few days to do so)

That's not coming from certbot, but from Let's Encrypt Validation Servers.
These servers use Unbound, which by default will query your nameservers instead of public DNS endpoints.
Nameservers take time to propagate (since there's more than 1 server behind the same IP) so it's better to wait for a few minutes before actually requesting a dry-run or certificate.
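The pre-cutover checks from the answer above, written out as an added example (this is not code from the thread or from certbot/dehydrated). It assumes the certificate has already been copied to the new server and that the new server's IP (placeholder 192.0.2.10 below) and the list of site hostnames are known. It verifies that the copied certificate has at least two days of validity left and covers every hostname being moved, and, instead of editing the local hosts file, it connects to the new server's IP directly while sending the real hostname via SNI, which is what a visitor's browser will do once the DNS records point there.

```python
"""Pre-cutover checks for moving TLS-terminated sites to a new server.

Added example, not code from the thread. Uses only the Python standard
library; the sample certificate dict below is constructed for illustration.
"""
import socket
import ssl
import time

MIN_DAYS_LEFT = 2.0  # the answer's "valid for at least 2 more days"


def days_remaining(not_after, now=None):
    """Days until expiry. not_after is the OpenSSL notAfter string
    (e.g. 'Jun 12 12:00:00 2030 GMT'), as returned by getpeercert()."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def name_matches(pattern, hostname):
    """RFC 6125-style match: a '*.' wildcard covers exactly one label,
    so '*.example.com' matches 'www.example.com' but neither
    'a.b.example.com' nor the bare 'example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def uncovered_hosts(san_names, hostnames):
    """Hostnames that none of the certificate's DNS SANs cover."""
    return [h for h in hostnames
            if not any(name_matches(p, h) for p in san_names)]


def check_cert(cert, hostnames, now=None, min_days=MIN_DAYS_LEFT):
    """Return a list of problems; an empty list means it is safe to change DNS.
    cert is the dict that ssl.SSLSocket.getpeercert() returns."""
    problems = []
    days = days_remaining(cert["notAfter"], now)
    if days < min_days:
        problems.append(f"only {days:.1f} days of validity left, need {min_days:g}")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in uncovered_hosts(sans, hostnames):
        problems.append(f"certificate does not cover {host}")
    return problems


def fetch_peer_cert(hostname, server_ip, port=443, timeout=10):
    """Handshake with server_ip while presenting hostname via SNI.
    The default context verifies the chain and the hostname, so a server
    that serves the wrong certificate raises ssl.SSLCertVerificationError,
    which is exactly the failure the hosts-file test is meant to catch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: the shape getpeercert() returns for a two-name certificate.
SAMPLE_CERT = {
    "notAfter": "Jun 12 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


if __name__ == "__main__":
    sites = ["example.com", "www.example.com", "shop.example.com"]
    print("offline sample:", check_cert(SAMPLE_CERT, sites) or "OK")
    # Live check against the new server (placeholder IP); run this before
    # editing DNS, then repeat the dry-run a few minutes after the change:
    # for site in sites:
    #     cert = fetch_peer_cert(site, "192.0.2.10")
    #     print(site, check_cert(cert, [site]) or "OK")
```

Run the live loop once per hostname before touching DNS; a hostname that raises `SSLCertVerificationError` or appears in the problem list is one the new server is not yet ready to serve. After the DNS change, `certbot renew --dry-run` (or dehydrated's equivalent) is the step that tells you whether Let's Encrypt's validation servers already see the new records.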
