Enabling existing letsencrypt certificates in a domain Topic is solved

General questions about VestaCP
natabril
Posts: 4
Joined: Fri Oct 28, 2016 4:54 pm

Enabling existing letsencrypt certificates in a domain

Postby natabril » Sat Aug 05, 2017 8:26 pm

Firstly, thanks to the team that has made possible an incredible control panel

I have a VPS with domain “example.com”, with letsencrypt certificates already installed and working without problems.
Now I have created in another VPS the same domain, “example.com”, to perform different tasks.
All is working well.
The question is: how do I install the letsencrypt certificates (which I already have from the first server)
on the new server?
Where should I put them and what settings do I have to modify?

I am using debian 8 and the latest version of vesta with template nginx->apache. If I try to create new certificates for the domain, in the new server, with the GUI or with CLI, I always get an error (maybe because the certificate for that domain has already been issued and it is valid) so I only want to install the certificates that I already have for that domain.

Thanks for your help

dimitrivisser
Posts: 8
Joined: Sun Aug 13, 2017 12:38 am

Re: Enabling existing letsencrypt certificates in a domain

Postby dimitrivisser » Sun Aug 13, 2017 1:02 am

You cannot use the exact same domain on 2 vps'es. How can you say "All is working well" ?

In the DNS a domain has an IP. This is the IP of the VPS. When you use that domain it points to 1 VPS. You cannot point 1 domain with 1 IP to 2 VPS'es.

Letsencrypt will issue a certificate to the VPS having the IP of the domain. It will not give certificates to the same domain on an unknown strange and maybe malicious IP.

You can do 2 things... Change the DNS of the domain so the IP will point to your second VPS. Letsencrypt will issue a new certificate to the domain on the new VPS. Probably the certificate on the first VPS will stop working.

The second thing you can do is make a subdomain of your domain. In the DNS of the domain you will point the subdomain to your new VPS. In that case Letsencrypt will give a certificate to that subdomain without problems.

natabril
Posts: 4
Joined: Fri Oct 28, 2016 4:54 pm

Re: Enabling existing letsencrypt certificates in a domain

Postby natabril » Sun Aug 13, 2017 2:35 pm

Thanks for your reply:
I am using cloudflare as my DNS. Both VPS are clones one of another, so, for use one or the other I only change the IP in cloudflare. That's why I say "all is working well". The first VPS uses the certified letsencrypt without problems, but the second one (when enabled in cloudflare) does not accept the original certificate or allow me to create a new one.
My confusion comes from the fact that you have made clear. Letsencrypt issues the certificate for a domain associated with an IP.
My belief, erroneous, was that it is issued for a domain, regardless of the server that contains it.
Again, thanks for your answer.

natabril
Posts: 4
Joined: Fri Oct 28, 2016 4:54 pm

Re: Enabling existing letsencrypt certificates in a domain

Postby natabril » Mon Aug 14, 2017 6:05 pm

Just to avoid confusion in possible readers of this thread:
I consulted directly in Letsencrypt forum and I got this answer:

schoenCertbot engineer / EFF1h
Hi @natabril,

Yes, you can do this and it will work correctly.

One thing to keep in mind is that Let’s Encrypt certificates expire after 90 days. We recommend setting up some kind of automation (for example, with cron) to renew certificates automatically. If you do this, you will also want to find a way to automate the process of deploying the new certificate on the other server.

Certificates in the web PKI can be used on any number of servers, without regard to whether they have the same or different IP address, and also multiple certificates covering the same domain name(s) can coexist and be valid concurrently.

plutocrat
Posts: 60
Joined: Fri Jan 27, 2017 9:16 am

Re: Enabling existing letsencrypt certificates in a domain

Postby plutocrat » Wed Aug 16, 2017 7:24 am

For initial setup, I'd set up the first server, point DNS for the domain to that server and run Lets Encrypt.
Then I'd point DNS for the domain for the second server at the box and run Lets Encrypt again.
Then I'd point it back to the first.
Both servers would now be working with SSL, with the correct certificate structure set up on both.
Then run a cron job to sync the certs from the live box to the non-live box once a week. The non-live box will never have to renew the certs, although you might get a few errors when it tries.

Another way of doing this might be to take a backup from the live box and then restore it on the non-live box. Then delete the domains and databases etc that you don't need.

dimitrivisser
Posts: 8
Joined: Sun Aug 13, 2017 12:38 am

Re: Enabling existing letsencrypt certificates in a domain  Topic is solved

Postby dimitrivisser » Fri Aug 18, 2017 11:26 am

natabril wrote:Thanks for your reply:
I am using cloudflare as my DNS.


If you use Cloudflare you can also use their full page caching. Than Cloudflare takes care of the SSL part. Somewhere in settings -> crypto you can choose for flexible, full, full strict SSL. You can even disable SSL on your own servers completely, or use a self generated SSL certificate for the connection between your VPS and Cloudflare. For the outside world Cloudflare will show a valid SSL sertificate.

natabril
Posts: 4
Joined: Fri Oct 28, 2016 4:54 pm

Re: Enabling existing letsencrypt certificates in a domain

Postby natabril » Fri Aug 18, 2017 4:04 pm

Thank you all for your contribution.
I will use the "origin" certificate that provides cloudflare to encrypt the section between their server and the VPS.
There is a very clear description of the process in this topic.
Https://forum.vestacp.com/viewtopic.php?t=13810
Is in Russian but Google translator makes it accessible.


Return to “General Discussion”



Who is online

Users browsing this forum: dsystem and 10 guests