How to handle SSL / Let's Encrypt when moving hosting

Situation

  • My domain tim.hithlonde.com has my blog on it. It lives on shared DreamHost hosting. I use DH’s Let’s Encrypt tool to keep the cert working there.
  • My new web content engine (+ WP content import) lives at topica.citracode.com. It is on a Linode server. It does not have a cert.

Want

  • I want to move my tim.hithlonde.com domain to point to the linode server. (This is DNS A record change, I know how to do this part.)
  • I want to do it in such a way that, as I change the domain over, the site on the Linode server already has the cert, so there wouldn’t be any time when a user could only access the new site via plain http.
  • Since I’ve never set up a cert myself before, I’d like to have it all done and working before the move.

Thoughts

  • Is this a big deal to be concerned about?
  • Should I just move A record and then get cert up?

Halp

  • I haven’t done any kind of SSL setup before by myself.
  • the new site is running in nginx, so there is a “get ssl working on nginx” component to this.
1 Like

You know someone knows what they don’t know, when their question looks like the TOC of a multi-page tutorial! :slight_smile:

Will your WordPress site continue to exist, or are you redirecting one domain to another?

This portion is ensuring nginx reloads when the cert is renewed, and of course pointing to where the certs are saved. But that is fairly standard, and really an initial edit and done. It is likely a cron job. For mage party here is how we load the certs for prosody, taken from that homebrewserver tutorial:

# crontab entry: minute hour day-of-month month day-of-week; day-of-month must be * (or 1-31), not 0, so this runs every Sunday at 04:00
0 4 * * 0  /usr/bin/certbot renew --renew-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet

Something similar for nginx will work. :slight_smile:

Getting a new cert is a 30 second process. If you set your DNS up (like using a “liveDNS” service or having a low TTL), you’ll be able to move it over with about 5 minutes downtime, at most. But don’t trip, your site ain’t that important to the web. It could disappear for a whole 10 minutes without anyone calling the authorities. :slight_smile:

Keep in mind, Let’s Encrypt’s model is literally: can you prove you control domain? Okay, you get a cert!

Another query that I’m not sure I’ve handled myself is running the renewal for multiple domains. I think it probably still works, but can you put them all in one pem and reference them that way? Hmmm. :thinking:

Also, in case you are planning to redirect from hithlonde to citracode, I actually recommend leaving hithlonde resolving to DreamHost. If that’s the case, let me know!

1 Like
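The “prove you control the domain” point above is also the reason the cert on the new box is hard to confirm before the A record moves: nothing resolves tim.hithlonde.com to the Linode IP yet, and Let’s Encrypt’s HTTP validation goes to whichever server the public A record currently points at. What you can do before (and right after) the cutover is talk to the new server by IP while sending the old hostname via SNI, and check that the certificate it presents is trusted, covers that hostname and isn’t about to expire. The script below is an added example written for this thread, not code from any of the posters or from certbot; it uses only the Python standard library, takes the Linode IP and hostname as arguments (both assumed), and embeds a constructed sample of what `getpeercert()` returns so the checking logic can be exercised offline.

```python
"""Pre-cutover TLS check: handshake with the NEW server by IP, SNI = old
hostname, then verify the cert it serves. Added example, not from the thread."""
import socket
import ssl
import sys
import time


def san_matches(hostname, sans):
    """True if hostname is covered by one of the certificate's DNS SANs.
    A wildcard is honoured only in the leftmost label and only for one label,
    so '*.hithlonde.com' covers 'tim.hithlonde.com' but not 'a.b.hithlonde.com'
    or the bare 'hithlonde.com'."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if (san.startswith("*.") and host.endswith(san[1:])
                and host.count(".") == san.count(".")):
            return True
    return False


def days_left(not_after, now=None):
    """Whole days until the notAfter string from getpeercert() expires.
    `now` is epoch seconds and defaults to the current time."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def evaluate(cert, hostname, now=None, min_days=14):
    """cert is the dict ssl.SSLSocket.getpeercert() returns.
    Returns (ok, problems) instead of raising so every failure is listed."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if not san_matches(hostname, sans):
        problems.append(f"{hostname} is not covered by SANs {sans}")
    remaining = days_left(cert["notAfter"], now)
    if remaining < min_days:
        problems.append(f"certificate expires in {remaining} days (< {min_days})")
    return (not problems, problems)


def fetch_cert(ip, hostname, port=443, timeout=5):
    """TLS handshake to `ip` with SNI set to hostname, bypassing DNS entirely.
    The chain is still verified against the system trust store, so a
    self-signed or Let's Encrypt staging cert fails here; hostname matching is
    left to evaluate() so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample (not a real cert) of what getpeercert() returns for a
# 90-day Let's Encrypt cert, plus two fixed "now" values for offline checks.
SAMPLE_CERT = {
    "subject": ((("commonName", "tim.hithlonde.com"),),),
    "subjectAltName": (("DNS", "tim.hithlonde.com"), ("DNS", "www.tim.hithlonde.com")),
    "notBefore": "Mar  1 00:00:00 2019 GMT",
    "notAfter": "May 30 00:00:00 2019 GMT",
}
SAMPLE_NOW_FRESH = ssl.cert_time_to_seconds("Mar  1 00:00:00 2019 GMT")  # 90 days left
SAMPLE_NOW_STALE = ssl.cert_time_to_seconds("May 20 00:00:00 2019 GMT")  # 10 days left


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <new-server-ip> <hostname>", file=sys.stderr)
        return 2
    ip, hostname = argv[1], argv[2]
    try:
        cert = fetch_cert(ip, hostname)
    except OSError as exc:  # connection refused, timeout, untrusted chain (SSLError is an OSError)
        print(f"FAIL: no trusted cert from {ip} for {hostname}: {exc}")
        return 1
    ok, problems = evaluate(cert, hostname)
    print(("OK" if ok else "FAIL") + f": {hostname} via {ip}, expires {cert['notAfter']}")
    for problem in problems:
        print("  -", problem)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 precheck.py <linode-ip> tim.hithlonde.com`. Until certbot has actually issued a cert on the Linode box it will fail with a verification error (nginx serving no cert, or a self-signed one), which is the honest answer to “is it ready yet”; once it prints OK against the IP, flipping the A record cannot introduce an http-only window on the new side, and the same command run after the change confirms the renewal hook is keeping the cert fresh.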

Oh, the terminology here is tricky for me. Ok.

  • the hithlonde.com domain is registered via DreamHost, and is managed there
  • tim.hithlonde.com currently points to their shared hosting
  • I am going to change the A record to point tim.hithlonde.com to the IP of my new Linode server, to serve up my new site.
  • As soon as I know it’s good, I will be deleting everything related to tim.hithlonde.com from my Dreamhost shared hosting.
  • I will keep the domain registration + DNS + management of the domain with Dreamhost.

I’ll check out that homebrewserver tutorial. Looks like certbot is the magic thing to use. :slight_smile:

Also…

This is maybe the nicest thing anyone has ever said to me, in the technical sphere. :smiley:

That’s a sound plan. To DreamHost’s credit, they make LE really carefree: press a button, done. Fortunately, once you remember how certs work, certbot makes sense. :slight_smile:

Just wanna say I recently moved from one VPS to another and did exactly this with little pain. The only thing I noticed was certbot gave me some shorter expiration dates than I expected on some domains/subdomains (possibly in sync with the old cert expirations?).

The "renew" command on certbot with no other options defaults to renewing/checking all domains your local instance of certbot knows about. Not sure how long it’s been that way; I tripped across it recently when setting up my new cron jobs on my domains.

https://certbot.eff.org/docs/using.html#renewing-certificates

2 Likes

Thanks everyone for your help!

I did it.

https://tim.hithlonde.com

:smiley:

2 Likes