I'm migrating servers, moving my sites from VPS A to VPS B. I use Let's Encrypt for all of my 10 website's SSL certificates. Before I start this migration process I need to know issues that I might be running into.
I have used win-acme to create certificates for ALL of my 10 websites on VPS A.
I want to test migrating 1 site, let's call this site X, to VPS B first.
Then after I copied all data for site X from VPS A to VPS B, I want to generate the SSL certificate and change my DNS settings so site X no longer points to VPS A, but to VPS B.
My question is: when I run win-acme on VPS B and generate a new SSL certificate for site X, can I have 2 SSL certificates for the same domain name that were generated for 2 different servers? Or will Let's Encrypt invalidate one of them?
Hopefully my question is clear, any context/further info is highly appreciated!
Already checked here and here.
Let's encrypt uses the ACME protocol the default verification method is based on the server being able to respond to a specific http request (which is only possible if the IP matches).
It is however possible to use DNS certification, win acme has a plugin to do dns verification. I have no experience with win acme, but with certbot DNS verification is automated for some dns providers and requires manual steps for other dns providers.
With DNS verification it's possible that you have a certificate for a domain on multiple servers. With the regular verification it isn't possible.
You could copy the cert to the other server.
Test it by adding you local dns with the new server ip for the domain you have to test.
The copy steps depend on the system you are using.
https://community.letsencrypt.org/t/move-to-another-server/77985
Related
I am trying to use Azure Traffic Manager to load balance traffic between a website hosted on an Azure VM in 2 different regions (Europe and US).
The Azure Traffic Manager is setup happily with the DNS name mywebsite.trafficmanager.net
I have 2 end points setup with dns names mywebsite-uk.uksouth.cloudapp.azure.com and mywebsite-us.westus.cloudapp.azure.com
In order to setup a vanity domain I have a CNAME record pointing to
www.mywebsite.trafficmanager.net
When I go to http://mywebsite.trafficmanager.net or www.mydomain.com I get correctly routed to the closest site.
Unfortunately I am struggling when I try to get HTTPS / SSL working. I am attempting to use Let's Encrypt via the Certify SSL Certificate Management tool to issue an SSL certificate to each of the servers however I am getting the following error:
Validation of the required challengers did not complete successfully. Please ensure all domains to be referenced in the Certificate can be used to access this site without redirection.
I have created bindings in IIS for both mywebsite-uk.mydomain.com and www.mydomain.com, and an A record for mywebsite-uk to the ip of the web server and whenever I request a certificate that includes www.mydomain.com I get the error.
Has anyone got an experience with this type of setup? and more importantly any advice on what I am doing wrong? Would I be better biting the bullet and getting a paid for SSL certificate?
Many thanks in advance,
I need community help to share a ssl https certificate generate with let's encrypt on server to another:
I have 2 web servers on Debian Apache 2.4 (debian jessie) that are accessible behind one ip public address via load balancer (host in a private cloud).
Both sharing the two same web sites (sighno.fr and plateforme.sighno.fr)
Why this ? cause we need HA on this websites, if one server goes down the other is still up to ensure service and connexion.
I have generate auto certificate on the server 1 but i launch the procedure on server 2 let's encrypt tells me that the certificate is already generate (logical!)
How can i make it work on server knowing this certificate is hosted on server1.
Share certificate folder from server 1 to server 2 ?
Where should i change the configuration of let's encrypt on server 2 to make it understand ?
I want to say before someone proposing me this solution that my hoster doesn't want to host the certificate on his load balancer..
Thank you by advance for your help.
I have two domains pointed at one server(IP),
Site A - www.taus.net
Site B - www.tauslabs.com
Site A already has a wildcard SSL installed on the server. Now i need to install a multiple SSL domain for site B.
Can i go ahead and install an extra SSL certificate on a server which already has a wildcard SSL installed for a different domain? Will this affect anything on the server ?
Vinod
A newer technology called SNI allows SSL for different domains to coexist on the same ip address. Older browsers will choke. If that's not a concern, you're in the clear.
https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
Here is my scenario:
default website on IIS 6.0 is already protected by an SSL cert with common names covering the following:
domainname.com
www.domainname.com
I have a new website on the same IIS server and need to protect it with an SSL cert with the following common name:
subdomainname.domainname.com (same domainname as default)
I do not have the freedom to add a new IP address to the server. Not an infrastructure friendly request for whatever reasons.
We also have our Exchange webmail protected by another cert on another server with:
webmail.domainname.com
I do not believe I can use a wildcard cert because exchange is on a different server, correct?
Whether I can or not use a wildcard server, how can I protect the new subdomain on the main IIS server with a new cert? Do I replace the cert on the default with the new common name representing the subdomain web site and the default web site common names. Can I assign the same cert on the same server with all common names needing protection to multiple websites on IIS 6.0?
Thanks for any help in getting this resolved.
You are correct, you would need multiple signed certificates for your servers. Godaddy offers certs for single-servers only, AFAICT. DigiCert offers multi-domain, multi-server certificates. I've never used them, so I can't vouch for anything they offer, but it shows that what you want IS available in the marketplace.
You can get a single cert and use it on multiple servers so long as the DNS entries map out to the correct servers.
Go Daddy offers several cert types and they don't make it clear how to deal with this issue.
Standard (Turbo) SSL 1 domain ~$30
Standard Multiple Domain (UCC) SSL Up to 5 Domains ~$90
Standard (Turbo) Wildcard SSL ~$200
Get the 5 domain cert with
domainname.com
www.domainname.com
subdomainname.domainname.com
webmail.domainname.com
all listed on the one cert. Complete the request on the server you started the request from then use the tools built into the windows servers to copy the cert from one server to another. Doing so doesn't remove it from the first server and adds it to the second.
I did this not too long ago. My Web server is 2008 and the mail server is 2003. In that combination I had to export as a .pfx file and then import the .pfx. If you do it from 2003 to 2003 you may be able to use the copy from another server option and save manually moving the exported file around.
In my case the cert mentions "Certificate Subject Alt Name" with
Not Critical
DNS Name: www.adomain.com
DNS Name: adomain.com
DNS Name: www.adomain.com
DNS Name: mail.adomain.com
Looks like one of those lines is a duplicate but hey it works. I don't know why the cert uses the terminology of "Not Critical" to head that section.
IIS won't let you put two sites on the same IP/port combo but it will let you put the same SSL on two different sites. The secondary site will have to use something other than 443 if you don't have the option of using a different IP address.
I've got an ssl certificate for what I think is my domain and I want to apply it to two separate applications in that domain that run under ASP classic in IIS on Windows 2000.
I have the following stupid questions:
Are certificates issued for URLs or domains? Or subdomains?
Can I use the same cert for multiple websites (applications) within that domain, or do I need a separate one?
Can I inspect the cert file to determine for what or to whom it's issued?
Thanks!
1) Web certs are issued to a domain. Specifically the CN attribute of the certificate must match the domain used to access your site.
2) Certs are usually install per host (or virtual host). If you had cert for the domain wwwapps.domain.tld you could have one app at /calendar, and one app at /contacts.
3) Yes, depending on the format and where it is, this can be easy or hard. If you have a crt file and you are running under windows, just click on it. You should see the details.
If you want to inspect a certificate that is installed on a site, you usually have to click on the padalock icon.
On windows you can also open up the MMC, add the certificate snapin and see any/all installed certificates on the local machine, or your profile.
They are issued for domains. Subdomains require their own certs. You can buy a special wildcard cert for your domain that lets you create certs for your subdomains, but they are more expensive.
If you buy a cert for mydomain.com, you can use it for anything that starts with https://mydomain.com/
Yes. You can do this for any certs. check out the lock icon in your browser's address bar.
It's usually issued to a single web server host (basically a computer cname or a record) like foo.bar.com where foo is one name for the host which the certificate request was generated for and bar.com is its domain.
Thus it will work for any application or virtual directory that responds to https://foo.bar.com - like https://foo.bar.com/planner/ - but nothing more.
For https://*.bar.com you can get a wildcard certificate that lets you handle any number of hosts without any hassel - at a greater cost.
There are also multiple-SAN (UCC) certificates that can contain a specific number of host names in a single certificate like webmail.bar.com and autodiscover.bar.com for an Exchange 2007 server serving both web access and Outlook Anywhere from the same physical machine and NIC.
If it's in .cer format simply opening it in Windows will show the details, if it's a pfx or in some other transport format you'd need to import it.
You basically install the certificate on a Web Site node in IIS and anything you can fit beneath that (or modify using a modern firewall in front of it to still respond to the issued common name foo.bar.com) will work.
Thanks! I enabled port 443 for the site at the domain on the cert, loaded the cert via directory security in IIS for each subfolder, and enabled 128-bit encryption. Worked like a champ!