Open retlehs opened 5 years ago
the manual way:
scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com.key /local/path
ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: /local/path/example.com-bundled.cert
  key: /local/path/example.com.key
@retlehs: Thanks for this guide! Though using the commands above to download the existing certs doesn't work straightforwardly, as I get a permission denied error (root user needed), and scp doesn't support sudo.
@strarsis you're welcome, sorry it's just some rough notes haha!
did you get the permission error when using the admin user?
@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.
Did you find a workaround for this? Switching to the root user might fix it, but then you need to enter the root's password?
@Twansparant: For root permissions, one logs in as the admin user via SSH and uses sudo (for specific commands) (or sudo su for permanent root permissions) and, if asked, enters the admin password (this typical good-practice setup, with no root SSH login and a sudoer admin user, is what Trellis uses).
With these root permissions one can then list and modify the /etc/nginx/ssl directory and its contents.
You may also want to ensure that the ownership and permissions are the same after you are done:
-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key
Thanks @strarsis, I figured it out myself already but switching to root user prompted me for the root password so I had to reset that in DO. All good now, thanks for the help!
Scenario: you have a Trellis site with Let's Encrypt that's already live and you need to provision a new server.
Problem: Let's Encrypt cert issuing will fail since DNS isn't yet pointed to the new server.
Solution: temporarily copy the Let's Encrypt certs from the live site and use them on the new server until DNS is updated.
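Putting the steps from this thread into one script, as an added example that is not code from the Trellis project or from anyone in the thread: it copies the bundle and key with `ssh host sudo cat` (the workaround for scp having no sudo), keeps the bundle at 0644 and the key at 0600 as in the listing above, checks that the copied certificate and key actually belong together, and prints the manual-provider `ssl:` block. The host, the local destination path and the assumption that the admin user can run sudo without a password prompt (`sudo -n`) are assumptions for the example; if your sudoers requires a password, run the `cat` inside an interactive `ssh -t` session instead.

```bash
#!/usr/bin/env bash
# Added example for this thread, not Trellis code. Copies a live server's
# Let's Encrypt bundle and key through sudo over SSH (plain scp cannot read
# the root-only files under /etc/nginx/ssl) and checks the result.
# Assumption: the admin user can run sudo non-interactively; `sudo -n` makes
# a password prompt fail immediately instead of hanging without a tty.
set -euo pipefail

# Stream one root-owned remote file to a local path and set its mode.
# `ssh host sudo cat` needs no tty, so the bytes arrive unmodified.
pull_root_file() {
  local host=$1 remote=$2 dest=$3 mode=$4
  # umask 077 so the key is never world-readable, even before chmod runs.
  ( umask 077; ssh "$host" "sudo -n cat -- '$remote'" > "$dest" )
  chmod "$mode" "$dest"
}

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the certificate's public key equals the one derived from the
# private key, 1 otherwise; catches copying a key from the wrong rotation.
cert_matches_key() {
  local cert=$1 key=$2 cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the Trellis ssl block for the manual provider, pointing at the copies.
trellis_ssl_yaml() {
  local domain=$1 dest=$2
  printf 'ssl:\n  enabled: true\n  provider: manual\n  cert: %s/%s-bundled.cert\n  key: %s/%s.key\n' \
    "$dest" "$domain" "$dest" "$domain"
}

# usage: ./pull-le-certs.sh admin@example.com example.com /local/path
main() {
  local host=$1 domain=$2 dest=$3
  local remote_dir=/etc/nginx/ssl/letsencrypt   # Trellis' Let's Encrypt dir, as in the thread
  mkdir -p "$dest"
  pull_root_file "$host" "$remote_dir/$domain-bundled.cert" "$dest/$domain-bundled.cert" 0644
  pull_root_file "$host" "$remote_dir/$domain.key"          "$dest/$domain.key"          0600
  if ! cert_matches_key "$dest/$domain-bundled.cert" "$dest/$domain.key"; then
    echo "error: $domain-bundled.cert and $domain.key do not belong together" >&2
    exit 1
  fi
  echo "copied: bundle mode $(file_mode "$dest/$domain-bundled.cert"), key mode $(file_mode "$dest/$domain.key")"
  trellis_ssl_yaml "$domain" "$dest"
}

# Only run when invoked with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

The copied files are a stopgap only: once DNS points at the new server, switch `provider` back to `letsencrypt` and let Trellis issue its own certificate, and delete the local copy of the private key.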