Looking to migrate Nginx and LetsEncrypt
-
My Nginx reverse proxy server was setup on CentOS back in 2014. A couple years ago, I added LE.
Everything runs great, but I am wanting to move it to Fedora.
Moving Nginx is simple. I grab the config files from
/etc/nginx/conf.dand done.But I am not sure how to move LE. Google results are mixed.
I can, of course, just reissue certs. But that willleave me with a ton of expiring cert emails in about 60 days to just annoy the fuck out of me.Has anyone seen good instructions for this?
-
This looks promising.
https://community.letsencrypt.org/t/moving-and-merging-certs-from-server-a-to-b/19015
-
Could you temporary use Cloudflare SSL to avoid the expiring certs emails?
-
@jaredbusch said in Looking to migrate Nginx and LetsEncrypt:
My Nginx reverse proxy server was setup on CentOS back in 2014. A couple years ago, I added LE.
Everything runs great, but I am wanting to move it to Fedora.
Moving Nginx is simple. I grab the config files from
/etc/nginx/conf.dand done.But I am not sure how to move LE. Google results are mixed.
I can, of course, just reissue certs. But that willleave me with a ton of expiring cert emails in about 60 days to just annoy the fuck out of me.Has anyone seen good instructions for this?
Email filters do wonders for annoying as fuck emails. . .
-
Why won't importing the existing certs to the new server work?
-
@obsolesce said in Looking to migrate Nginx and LetsEncrypt:
Why won't importing the existing certs to the new server work?
I could easily copy the pem files over. but that doesn't do jack shit for the cert process.
-
@black3dynamite said in Looking to migrate Nginx and LetsEncrypt:
This looks promising.
https://community.letsencrypt.org/t/moving-and-merging-certs-from-server-a-to-b/19015
read that, but it seemed oddly unspecific coming from a dev. But, meh, it was the best thing I found.
-
@black3dynamite said in Looking to migrate Nginx and LetsEncrypt:
Could you temporary use Cloudflare SSL to avoid the expiring certs emails?
No, because the emails come from LE.
-
@jaredbusch said in Looking to migrate Nginx and LetsEncrypt:
@black3dynamite said in Looking to migrate Nginx and LetsEncrypt:
This looks promising.
https://community.letsencrypt.org/t/moving-and-merging-certs-from-server-a-to-b/19015read that, but it seemed oddly unspecific coming from a dev. But, meh, it was the best thing I found.
That's nice, but was 2 years ago and still no actual "migration" method or documentation?
-
@JaredBusch Any update on this? What did you end up doing, if anything? Thanks
-
@bnrstnr said in Looking to migrate Nginx and LetsEncrypt:
@JaredBusch Any update on this? What did you end up doing, if anything? Thanks
I did not get to it over the weekend due to a lack of Air Conditioning in our house. Ain't nobody got time for working in 95+ temperatures. I hope to get to it this weekend.
-
Don't you have to update the certs every 3 months regardless? Don't you get the renewal 30 days before expiry regardless? Unless your current installed LE certs will never expire, what is the point of this? Delaying some bot generated emails a few days?
-
@momurda said in Looking to migrate Nginx and LetsEncrypt:
Don't you have to update the certs every 3 months regardless? Don't you get the renewal 30 days before expiry regardless? Unless your current installed LE certs will never expire, what is the point of this? Delaying some bot generated emails a few days?
Because I renew the certs daily with certbot.
It automatically renews at 30 days out. I never see renew emails.
-
@jaredbusch said in Looking to migrate Nginx and LetsEncrypt:
@black3dynamite said in Looking to migrate Nginx and LetsEncrypt:
Could you temporary use Cloudflare SSL to avoid the expiring certs emails?
No, because the emails come from LE.
I think he meant use the Cloudflare certs because they have multi year expiration.
-
Oh wait. Do you mean that if you or then on a new server the emails will come because the old one is expiring? Or you just don't want new expiration notifications?
-
If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet.
-
@stacksofplates said in Looking to migrate Nginx and LetsEncrypt:
If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet.
No. It is handled on the cert serial number level.
-
@jaredbusch said in Looking to migrate Nginx and LetsEncrypt:
@stacksofplates said in Looking to migrate Nginx and LetsEncrypt:
If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet.
No. It is handled on the cert serial number level.
Ah ok.
-
@stacksofplates said in Looking to migrate Nginx and LetsEncrypt:
@jaredbusch said in Looking to migrate Nginx and LetsEncrypt:
@stacksofplates said in Looking to migrate Nginx and LetsEncrypt:
If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet.
No. It is handled on the cert serial number level.
Ah ok.
I've moved things in the past by simply reissuing on the new server, and dealing with the expiring certs is an annoyance.
