What's the best way to NOT break let's encrypt TLS certificates when I need to move a domain to another server with a different IP address?
I'm running a pretty vanilla Debian / Apache root server, so Certbot was the tool of choice to set up these certificates. At that time the ACME (v1) API was state of the art. I received a notification mail recently from the Let's Encrypt staff. It says that, in order to perform a proper renewal of my certificate(s), I'll need to switch from the soon-deprecated "certbot" package to the "certbot-auto" package, because the ACME v2 API will not be compatible with the initial "certbot" version I've been using (1).
Now that I have two tasks to perform, I'd like to make sure that I won't run into avoidable problems due to messing up the correct order. Here is my plan, which I hope is correct. Your feedback will be very much appreciated!
Based on the Certbot documentation, I'd basically go like this (2) (3):
- Configure ServerNew up to the point when normally I'd change DNS records of the domain
- Copy / mirror everything from ServerOld > ServerNew (which still runs on IP address only)
- Tell the Let's Encrypt online service this domain / IP combo is no longer valid by...
certbot revoke --domain DOMAIN --cert-path /etc/letsencrypt/live/PATH/TO/DOMAIN_SPECIFIC/cert.pem --reason superseded
Question 1: ...or should I rather go by --reason cessationofoperation / --reason unspecified (default)?
- Purge the remnant locally on the old host by...
certbot delete --cert-name DOMAIN.TLD
- Set domain name records to new host's IP address
- When this takes effect, install "certbot-auto" (if not yet done with No. 1) and set up the new certificate with the same parameters as I'm accustomed to
Is the above sequence viable, or did I miss something essential?
Question 3:
If the list above is(/has been) correct(/ed), is there still the chance that I run into problems nevertheless, just because LE still "knows" my domain and e-mail credentials? Could I circumvent this with
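The last two steps of the plan above (change the DNS records, then run Certbot on the new host once the change "takes effect") are where a migration most often goes wrong in practice: the HTTP-01 challenge is validated against whatever address the domain currently resolves to, so running Certbot on ServerNew while the name still points at ServerOld fails the challenge. The script below is an added example, not code from the original post or from the Certbot project. It gates the Certbot run on a public resolver actually answering with the new address. `DOMAIN`, `NEW_IP` (a TEST-NET-3 placeholder) and `RESOLVER` are assumed placeholders to be replaced with real values; `resolve_a` is the only function that touches the network, so it can be overridden for an offline check.

```shell
#!/bin/sh
# Added example, not from the original post: gate the Certbot run on ServerNew
# until public DNS for the domain answers with ServerNew's address, so the
# HTTP-01 challenge is not attempted while the name still resolves to ServerOld.
# DOMAIN, NEW_IP and RESOLVER are placeholders; 203.0.113.10 is a TEST-NET-3 address.
set -eu

DOMAIN="${DOMAIN:-example.com}"
NEW_IP="${NEW_IP:-203.0.113.10}"
RESOLVER="${RESOLVER:-1.1.1.1}"
MAX_TRIES="${MAX_TRIES:-60}"   # 60 tries x 60 s = wait up to one hour for propagation

# Print the A records the public resolver currently returns, one per line.
# Only this function talks to the network; overriding it gives an offline test.
resolve_a() {
    dig +short A "$1" @"$RESOLVER"
}

# Succeed only when the name resolves and every A record equals the expected IP.
# A CNAME target line printed by dig +short is ignored; an empty, stale or mixed
# answer (old and new address both present) fails, so we keep waiting.
dns_points_to() {
    records=$(resolve_a "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    [ -n "$records" ] || return 1
    for r in $records; do
        [ "$r" = "$2" ] || return 1
    done
    return 0
}

# Poll once a minute until dns_points_to succeeds or MAX_TRIES is exhausted.
wait_for_dns() {
    i=0
    while [ "$i" -lt "$MAX_TRIES" ]; do
        if dns_points_to "$1" "$2"; then
            return 0
        fi
        i=$((i + 1))
        sleep 60
    done
    echo "DNS for $1 still does not point at $2 after $MAX_TRIES tries" >&2
    return 1
}

# Run on ServerNew after the DNS change: only once the name points here,
# request the certificate for this domain with the Apache plugin.
main() {
    wait_for_dns "$DOMAIN" "$NEW_IP"
    certbot --apache -d "$DOMAIN"
}

# Only perform the real steps when explicitly asked, so sourcing the file for
# its functions has no side effects.
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
    main "$@"
fi
```

Run it on the new host as `RUN_MIGRATION=1 DOMAIN=your.domain NEW_IP=x.x.x.x sh migrate.sh` after the DNS records have been changed. Polling a public resolver rather than the local one avoids being fooled by a cached answer on the host itself, and requiring every A record to match catches the window in which both the old and the new address are still being served.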