Workarounds to install LE prior to DNS change


#1

I attempted to install a Let’s Encrypt (LE) certificate on a host to which I have not yet pointed public DNS (because I’m migrating an existing site to this new host and it is not ready to go live yet). This attempt failed. I understand the reason is that, during Domain Validation and initial key exchange, the LE Certificate Authority uses public DNS to contact my new host and, of course, gets the existing host instead, and thus not the expected answers.


#2

There are multiple options to work around this problem:

  • Use a DNS-based challenge like DNS-01. This requires you to create a TXT record to demonstrate domain ownership.
  • Redirect validation requests from the old server to the new server for the period of your migration (i.e. a 301 redirect from http://example.com/.well-known/acme-challenge/* to http://new.example.com/.well-known/acme-challenge/*)
  • If your old host already has a working certbot installation, just rsync the existing /etc/letsencrypt directory to your new host, and then test renewal once the migration is complete.

#3

Very good, @pfg. I’ve edited the title and text of my original post to reflect your workarounds. The redirect idea looks particularly nice.

