Migrate to new server - Certificate best pratice


#1

Hi all,

My currently miab is running perfectly (version v0.26c) but the VPS is running out of space, so I need to migrate to a new server/VPS.

I have installed a new server and run the backup to the new server, and done a restore, so all the data is there and working fine, but the certificate is of course not correct any more since the IP of the server has changed, so I am looking for a way to get a new certificate without having all the users needing getting certificate errors on the new server.

The certificate I am using is a comodo signed certificate, but I do not mind if that is replaced with a let’s encrypt version.

Thanks in advance.
Kim


#2

With MIAB I’ve noticed it’s just easier to use Let’s Encrypt. It’s the same algorithm as comodo uses (if you are using their most popular package) and LE doesn’t cost you anything, it will auto renew every 3 months thanks to @JoshData’s hard work on the scripts he is providing.

I’ve been using LE for the last 2 years and never had issue, especially with the updates LE has been doing over the last few months (Wildcard certs). I’d recommend LE with MIAB, it’s built in to the admin panel


#3

Hi murgero,

Thank you for your feedback.
Do you have any idea how to replace the comodo certificate with a LE cert ?

Thanks
Kim


#4

See Pic below.

If you are hosting the site else where: https://certbot.eff.org/


#5

The problem is that that feature does not work, it throws the “Unknown Error Occured” :wink:


#6

D’oh! Of course please Private Message(Click my name, then select Message in top right.) and send me the following information:

Replicate the error by trying to replace the certificate and then send the following output of the following command:

tail -n 100 /var/log/syslog


#7

When I press the Replace Certificatethe cursor just changes focus to the CSR page of the page, and there is no entry in the syslog


#8

Hi murgero,

Do you have any other ideas how I can replace a commercial certificate with LE ?

Thanks in advance.

/Kim


#9

There is a python script in ~/mailinabox/tools that can provision LE certs for you.


#10

That sounds perfect, which one of these is it ?
editconf.py
mail.py
parse-nginx-log-bootstrap-accesses.py
readable_bash.py
update-subresource-integrity.py

/Kim


#11

err sorry it would be under the “setup” folder and then ssl.sh :confused: I am not in front of my server so make sure to confirm before running what it does


#12

No worries :wink:

If I look at the content of the ssl.sh then the first comment is
----snip----
Create an RSA private key, a self-signed SSL certificate, and some
Diffie-Hellman cipher bits, if they have not yet been created.
----snip----

So how will this help me replace my comodo certificate ?
I am sorry if I am missing the point here :wink:

Thanks
Kim


#13

It’s

management/ssl_certificates.py

FWIW, the IP address of the server doesn’t matter - the old certificates should continue to work wherever they are placed.


#14

Yea sorry I am not in front of my server to double check paths, @JoshData’s answer is correct though.


#15

Thanks Josh, so just to clarify, even if the certificate is copied (part of the backup/restore to the new server) and the certificate is a commercial certificate ?
Second question, is it possible to just delete the commercial certificate, and use LE instead ?

Thanks in advance.


#16

Sorry for the delay. I was on vacation.

even if the certificate is copied (part of the backup/restore to the new server) and the certificate is a commercial certificate ?

Yes. The only thing that really matters is that the certificate and the private key go together. If they’re together, any certificate will work.

is it possible to just delete the commercial certificate, and use LE instead ?

You can delete the appropriate files in /home/user-data/ssl but off hand I’m not sure how you’d know what to delete. Then you can issue new certificates by running the command above again.


#17

Sorry for my delay…

Got it, thank you, it’s appreciated.