My domain tim.hithlonde.com has my blog on it. It lives on shared DreamHost hosting. I use DH’s Let’s Encrypt tool to keep the cert working there.
My new web content engine (+ WP content import) lives at topica.citracode.com. It is on a Linode server. It does not have a cert.
I want to move my tim.hithlonde.com domain to point to the Linode server. (This is a DNS A record change, I know how to do this part.)
I want to do it in such a way that as I change the domain over, the site on the Linode server already has the cert, so there wouldn’t be any time where a user could only access the new site via just HTTP.
Since I’ve never set up a cert myself before, I’d like to have it all done and working before the move.
Is this a big deal to be concerned about?
Should I just move A record and then get cert up?
I haven’t done any kind of SSL setup before by myself.
The new site is running in nginx, so there is a “get SSL working on nginx” component to this.
You know someone knows what they don’t know, when their question looks like the TOC of a multi-page tutorial!
Will your WordPress site continue to exist, or are you redirecting one domain to another?
This portion is ensuring nginx reloads when the cert is renewed, and of course pointing to where the certs are saved. But that is fairly standard, and really an initial edit and done. It is likely a cron job. For #mage-party here is how we load the certs for prosody, taking from that homebrewserver tutorial:
Getting a new cert is a 30 second process. If you set your DNS up (like using a “liveDNS” service or having a low TTL), you’ll be able to move it over with about 5 minutes downtime, at most. But don’t trip, your site ain’t that important to the web. It could disappear for a whole 10 minutes without anyone calling the authorities.
Keep in mind, Let’s Encrypt’s model is literally: can you prove you control domain? Okay, you get a cert!
Another query that I’m not sure I’ve handled myself is running the renewal for multiple domains. I think it probably still works, but can you put them all in one pem and reference them that way? Hmmm.
Also, in case you are planning to redirect from hithlonde to citracode, I actually recommend leaving hithlonde resolving to DreamHost. If that’s the case, let me know!
Just wanna say I recently moved from one VPS to another and did exactly this with little pain. The only thing I noticed was certbot gave me some shorter expiration dates than I expected on some domains/subdomains (possibly in sync with the old cert expirations?).
The "renew" command on certbot with no other options defaults to renewing/checking all domains your local instance of certbot knows about. Not sure how long it’s been that way, I tripped across it recently when setting up my new cron jobs on my domains.
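
Added example, not part of any post in this thread: a check that the new server already presents a valid certificate for the hostname, run against the server's IP address so it works before the A record is changed (and again after each renewal). The function names and the sample data are assumptions made for this example; it assumes a certificate for the name is already installed on the new server.

```python
import socket
import ssl
import sys
import time

def fetch_cert(ip, hostname, port=443, timeout=5.0):
    """Connect to `ip` but send `hostname` as SNI, so the new server can be
    tested before DNS points at it. The default context verifies the chain
    and the hostname; a bad cert raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def covers(cert, hostname):
    """True if a DNS subjectAltName matches exactly or via a one-label wildcard.
    Useful for checking every name expected on a multi-domain cert."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def days_left(cert, now=None):
    """Whole days until notAfter (negative once the cert has expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE = {
    "subjectAltName": (("DNS", "tim.hithlonde.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Usage: python3 check_cert.py <new-server-ip> tim.hithlonde.com
    ip, host = sys.argv[1], sys.argv[2]
    cert = fetch_cert(ip, host)
    print(host, "covered:", covers(cert, host), "days left:", days_left(cert))
    sys.exit(0 if covers(cert, host) and days_left(cert) > 7 else 1)
```

A non-zero exit or a verification error means the A record should stay where it is until the certificate on the new server is fixed.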