1

I have an ubuntu bionic server on which I set up ssl with my own domain name by following this guide.

I would now like to decommission this server and move the ssl domain name to a different ubuntu server. I am wondering what is the "correct" way to do this?

  • Do I need to "turn off" ssl on the original server first?
  • Can I just run the certbot scripts on the new server exactly the same way I did on the original server?
  • If yes, does this automatically "turn off" the ssl of the first server? Is it possible to have multiple servers with valid ssl certs at the same time?

Thanks!

Jim
  • 113
  • 4

1 Answers1

1

The only way to turn off the certificate on the 1st server is to revoke it.

Whether you revoke it, or simply delete the certificate's private key is up to you. To be more precise, you should read the Let's Encrypt Subscriber Agreement - specifically the section on Revocation. If you decipher misleading to mean that you shouldn't have a certificate for your FQDN unless it's used for that name, then you are obliged (or so Let's Encrypt believe) to revoke.

If you delete or revoke, you will not be able to use the certificate afterwards. The difference is that if you delete, you know that nobody can use the private key and certificate, but your relying parties (clients) don't know this. If you revoke, they are made aware that the original certificate is not to be trusted any more. You can, of course, revoke then delete.

You can request a certificate on the 2nd server using the original command as long as the server is configured the same as the original, including DNS pointing to the new server.

Requesting a replacement certificate doesn't revoke the original, so you will end up with two valid certificates for the same FQDN for up to three months, until the 1st expires; unless you revoke.

garethTheRed
  • 33,289
  • 4
  • 92
  • 101