
SSL migration tool

Open retlehs opened this issue 7 years ago • 8 comments

scenario: you have a trellis site with let's encrypt that's already live and you need to provision a new server

problem: let's encrypt cert issuing will fail since DNS isn't yet pointed to the new server

solution: temporarily copy the let's encrypt certs from the live site and use them on the new server until DNS is updated

retlehs avatar Jan 17 '19 23:01 retlehs

the manual way:

scp [email protected]:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp [email protected]:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: /local/path/example.com-bundled.cert
  key: /local/path/example.com.key

retlehs avatar Jan 19 '19 19:01 retlehs

@retlehs: Thanks for this guide! Though using the commands above to download the existing certs doesn't work straightforwardly, as I get a permission denied error (root user needed), and scp doesn't support sudo.

strarsis avatar Jul 25 '21 17:07 strarsis

@strarsis you're welcome, sorry it's just some rough notes haha!

did you get the permission error when using the admin user?

retlehs avatar Jul 25 '21 20:07 retlehs

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

strarsis avatar Jul 25 '21 21:07 strarsis

> @retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

Did you find a workaround for this? Switching to the root user might fix it, but then you need to enter the root password?

Twansparant avatar Nov 14 '22 13:11 Twansparant

@Twansparant: For root permissions, one logs in as the admin user via SSH and uses sudo (for specific commands) (or sudo su for permanent root permissions) and, if asked, enters the admin password (this typical good-practice setup, with no root SSH login and a sudoer admin user, is what Trellis uses). With these root permissions one can then list and modify the /etc/nginx/ssl directory and its contents. You may also want to ensure that the ownership and permissions are the same after you are done:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key

strarsis avatar Nov 14 '22 14:11 strarsis
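The manual copy described in this thread, done as the sudo-capable admin user without scp, as an added shell example that is not from the trellis-cli project or any commenter: it pulls the bundled cert and key off the live server with `sudo -S` over ssh, stores the key with mode 600, and checks that the key actually belongs to the certificate before `provider: manual` points at the files. `admin@example.com`, the local directory and the overridable `REMOTE_SSL_DIR` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: copy the live server's Let's Encrypt
# material as the sudo-capable admin user (scp cannot elevate), then confirm the
# key belongs to the certificate before pointing "provider: manual" at the files.
# admin@example.com, the local directory and REMOTE_SSL_DIR are assumptions.
set -eu

REMOTE_SSL_DIR="${REMOTE_SSL_DIR:-/etc/nginx/ssl/letsencrypt}"

# Prompt once, without echo, for the admin user's sudo password.
read_sudo_password() {  # $1 = user@host
  printf 'sudo password for %s: ' "$1" >&2
  stty -echo; read -r SUDO_PASS; stty echo; printf '\n' >&2
}

# Run one command under sudo on the live server, feeding the password on stdin
# (sudo -S) so no pty is needed: with "ssh -t" the sudo prompt and the pty's
# CRLF translation would end up inside the captured file.
run_remote_sudo() {     # $1 = user@host, $2 = command to run under sudo
  printf '%s\n' "$SUDO_PASS" | ssh "$1" "sudo -S -p '' $2"
}

# Copy one file out of REMOTE_SSL_DIR to a local path with an explicit mode.
# The umask lives in a subshell so the file is never created world-readable.
fetch_via_sudo() {      # $1 = user@host, $2 = remote file, $3 = local file, $4 = mode
  ( umask 077; run_remote_sudo "$1" "cat '$2'" > "$3" )
  chmod "$4" "$3"
}

# Fetch the bundled certificate and the private key for one domain, keeping
# the modes the live server uses (cert 644, key 600).
fetch_site_tls() {      # $1 = user@host, $2 = domain, $3 = local directory
  mkdir -p "$3"
  fetch_via_sudo "$1" "$REMOTE_SSL_DIR/$2-bundled.cert" "$3/$2-bundled.cert" 644
  fetch_via_sudo "$1" "$REMOTE_SSL_DIR/$2.key" "$3/$2.key" 600
}

# Sanity check before deploying: the public key inside the certificate must equal
# the public key derived from the private key (works for RSA and EC keys).
key_matches_cert() {    # $1 = certificate (PEM), $2 = private key (PEM); 0 on match
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Interactive usage (assumed host and paths):
#   read_sudo_password admin@example.com
#   fetch_site_tls admin@example.com example.com ./ssl-migration
#   key_matches_cert ./ssl-migration/example.com-bundled.cert ./ssl-migration/example.com.key \
#     && echo "key matches certificate; point cert:/key: in wordpress_sites.yml at these files"
```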

Thanks @strarsis, I figured it out myself already but switching to root user prompted me for the root password so I had to reset that in DO. All good now, thanks for the help!

Twansparant avatar Nov 14 '22 19:11 Twansparant

Ref https://discourse.roots.io/t/deploying-a-trellis-site-with-ssl-certificates-prior-to-dns-records-being-in-place/24201/9

retlehs avatar May 01 '24 13:05 retlehs