Migrate SSL Certs from one server to another
Anyone have any recommendations for migrating SSL certs from one server to another for a particular domain without having to completely reissue the certs for the new server?
BTW, this is a cpanel to cpanel move.
Any guidance would be appreciated.
Thanks,
Chris
As long as you have the Private Key and the Certificate files you should be fine. Only time you would run into major problems is when switching between different types of webservers, ie Apache and IIS. But I've had excellent success using Transfer Accounts/pkgacct and it always copies the certs for me, no manual intervention required.Originally Posted by netarus
when you do the cpmove, do you assign the domain a dedicated IP? What happens if you move it first to the share IP on the new server and then assign the domain a dedicated IP? Will the cert still work?
That I'm not positive on, but I want to say that the IP information doesn't matter, cpmove should still setup the certs.
List SSL Hosts
When I go into WHM after the transfer, the following is show when I click on 'List SSL Hosts ':
There are no ssl hosts setup!
I did this after transfering a domain that I know has a cert associated with it.
When you transferred it, did you the domain up on it's own IP?
Check to see if you see any certificate files for the domain under /usr/share/ssl/certs and /usr/share/ssl/private.
On our new server, the directory /usr/share/ssl does not even exist on the server.
I'm running CentOS 4.
However, on the old server, I can see all of the certs under /usr/share/ssl.
Would copying them directly from the one server to the other be a good idea?
Thanks!
Are you sure openssl is installed properly? The openssl-0.9.7a-43.16 package provides that directory on my box which is CentOS 4.5.
Well, I see two SSL keys under:
/etc/ssl/private
hrmmm... openssl seems fine. I'm out of ideas.
What keys do you have in /etc/ssl/private? Are you by chance running on 64-bit?
Otherwise I don't know why you wouldn't have a /usr/share/ssl directory... maybe try re-installing the openssl package, but there definitely should be structure under /usr/share/ssl that's created when installing the package. I verified on a test system that installing the package did in fact create that directory (and a number of others under it)
There are two keys under /etc/ssl/private
.. and that is actually kind of interesting... we are running 64-bit. Is there an issue with 64-bit.
Chris
I honestly don't know of specific differences, but it would account for why you don't have /usr/share/ssl (the 64-bit version must store it somewhere else). Do a find command to locate the "cert" folder and see what you come up with.
Sometimes that is the best/easiest way.
As SSL certs are somewhat generic in nature, you could do the following.
On the new Server and for each account that had an SSL Cert, give a Dedicated IP.
On the old Server, run this command:
tar zfc ssl_old.tar.gz /usr/share/ssl/
Transfer the file to new Server and run:
tar zfx ssl_old.tar.gz /usr/share/ssl/
Then, to make sure things are correct, on the new Server run these commands:
/usr/local/apache/bin/httpd -t
- make sure no problems with your httpd file, correct any that show
service httpd stop
... then wait about 5 seconds
service httpd startssl
Now check WHM for "List SSL Hosts" and try any of the accounts using an 'https' URL.
Helping people Host, Create, and Maintain their Web Site
Also providing Server Admin Services - setup / troubleshooting
http://potentproducts.com/
LinkBack URL
About LinkBacks
Reply With Quote