Let's encrypt SSL certificate for new server

My domain example.com is currently pointing to a server with an AlphaSSL certificate. I want to point this domain to my new server (by changing the nameservers) without any HTTPS timeout. So I want to install the Let's Encrypt SSL certificate for example.com on the new server beforehand. Is this possible? How?


Solution 1:

Yes, it should actually be quite easy to do what you're asking. You can certainly have different SSL certificates issued for the same domain, from different Certificate Authorities. The fact that you are also spinning up a new server makes it especially easy.

Here's the workflow:

  1. Move your existing server certificates and keys to the new server.
  2. Test the new server by associating its IP address with your domain in the hosts file on a local laptop or desktop, and visiting the site.
  3. When you're ready to switch, point your DNS records to the new server. As the new DNS records propagate, some clients will begin to use your new server. Logged-in clients will need to re-authenticate the first time they connect to the new server, as it won't have their session information from their connections to the old server. This should only happen once.
  4. Wait sufficient time for the DNS changes to propagate throughout the Internet. 2 days is probably the minimum; a month or more should ensure that any cached DNS entries will likely have expired on all clients.
  5. Meanwhile, request new certificates for your domain from Let's Encrypt on the new server. If that works, replace the existing certificates and keys on the new server.
  6. Check the old server's logs to verify it is no longer being used to serve client requests.
  7. Deprovision the old server.

I'd recommend configuring the Let's Encrypt client to only request the new certificates, and then install them yourself. That way there is less of a chance of failure. Alternately, test the certificate issuance and installation process on the new server before it is in production use by requesting certs for a subdomain or second domain that you can point at the new server.

If requiring clients to re-authenticate once is truly unacceptable, there might be a way of copying over session data from the old server to the new one. That would require some further research, and depends on how your web application(s) store session information.
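A scriptable form of the hosts-file test in step 2, which also serves to confirm after step 5 that the Let's Encrypt certificate has replaced the copied one. This is an added example, not part of the answer above: it connects to a chosen IP address, sends the real hostname via SNI, verifies the chain against the system trust store, and reports issuer, fingerprint and remaining validity. The IP, hostname and sample certificate data are placeholders.

```python
import hashlib
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a
# real certificate, used only to exercise the helpers offline.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jun 10 12:00:00 2025 GMT",
}


def issuer_org(cert):
    """Organization name of the issuing CA from a getpeercert() dict."""
    attrs = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return attrs.get("organizationName")


def days_until_expiry(cert, now):
    """Days from `now` (seconds since the epoch) until notAfter; negative if expired."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_server(ip, hostname, port=443, timeout=10):
    """Connect to `ip` directly but present `hostname` via SNI, verify the chain
    and hostname against the system trust store (a mismatch raises SSLError),
    and report who issued the certificate and how long it remains valid.
    Run it against both the old and the new IP: identical fingerprints mean the
    copied certificate is in place; a Let's Encrypt issuer on the new IP means
    step 5 has taken effect."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return {
        "issuer": issuer_org(cert),
        "days_left": round(days_until_expiry(cert, time.time()), 1),
        "fingerprint": fingerprint(der),
    }


if __name__ == "__main__":
    import sys  # usage: python probe.py <server-ip> example.com (placeholders)
    print(probe_server(sys.argv[1], sys.argv[2]))
```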