SSL migration tool

[retlehs]

scenario: you have a trellis site with let's encrypt that's already live and you need to provision a new server

problem: let's encrypt cert issuing will fail since DNS isn't yet pointed to the new server

solution: temporarily copy the let's encrypt certs from the live site and use them on the new server until DNS is updated

[retlehs]

the manual way:

scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: /local/path/example.com-bundled.cert
  key: /local/path/example.com.key

[strarsis]

@retlehs: Thanks for this guide! Though using the commands above to download the existing certs doesn't work straightforward as I get a permission denied error (root user needed), and scp doesn't support sudo.

[retlehs]

@strarsis you're welcome, sorry it's just some rough notes haha!

did you get the permission error when using the admin user?

[strarsis]

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

[Twansparant]

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

Did you find a workaround for this? Switching to root user might fix it, but then you need enter the root's password?

[strarsis]

@Twansparant: For root permissions, one logs in as the admin user via SSH and use sudo (for specific commands) (or sudo su for permanent root permissions) and, if asked, enter the admin password (this typical good practice setup, with no root SSH login, and sudoer admin user is what Trellis uses).
With these root permissions one can then list and modify the /etc/nginx/ssl directory and its contents.
You may also want to ensure that the ownership and permissions are the same after you are done:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key

[Twansparant]

Thanks @strarsis, I figured it out myself already but switching to root user prompted me for the root password so I had to reset that in DO. All good now, thanks for the help!

[retlehs]

Ref https://discourse.roots.io/t/deploying-a-trellis-site-with-ssl-certificates-prior-to-dns-records-being-in-place/24201/9