roots / trellis-cli

A CLI to manage Trellis projects
https://roots.io/trellis/
MIT License

SSL migration tool #10

Open retlehs opened 5 years ago

retlehs commented 5 years ago

scenario: you have a trellis site with let's encrypt that's already live and you need to provision a new server

problem: let's encrypt cert issuing will fail since DNS isn't yet pointed to the new server

solution: temporarily copy the let's encrypt certs from the live site and use them on the new server until DNS is updated

retlehs commented 5 years ago

the manual way:

# on your machine: pull the cert bundle and key from the live server
scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp admin@example.com:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

# then point the site at them in group_vars/<environment>/wordpress_sites.yml
ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: /local/path/example.com-bundled.cert
  key: /local/path/example.com.key

strarsis commented 2 years ago

@retlehs: Thanks for this guide! Though using the commands above to download the existing certs doesn't work straightforwardly, as I get a permission denied error (root user needed), and scp doesn't support sudo.

retlehs commented 2 years ago

@strarsis you're welcome, sorry it's just some rough notes haha!

did you get the permission error when using the admin user?

strarsis commented 2 years ago

@retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

Twansparant commented 1 year ago

> @retlehs: Yes, I get this error also as admin user, because the /etc/nginx/ssl directory is read-only for root.

Did you find a workaround for this? Switching to the root user might fix it, but then you need to enter the root password?

strarsis commented 1 year ago

@Twansparant: For root permissions, one logs in as the admin user via SSH and uses sudo (for specific commands) (or sudo su for permanent root permissions) and, if asked, enters the admin password (this typical good-practice setup, with no root SSH login and a sudoer admin user, is what Trellis uses). With these root permissions one can then list and modify the /etc/nginx/ssl directory and its contents. You may also want to ensure that the ownership and permissions are the same after you are done:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key
Twansparant commented 1 year ago

Thanks @strarsis, I figured it out myself already but switching to root user prompted me for the root password so I had to reset that in DO. All good now, thanks for the help!

retlehs commented 2 months ago

Ref https://discourse.roots.io/t/deploying-a-trellis-site-with-ssl-certificates-prior-to-dns-records-being-in-place/24201/9