Migrating LetsEncrypt / ACME certificates from another server

I’m migrating an Ubuntu server to NixOS.

How do I achieve a seamless switch-over triggering neither TLS errors for my users nor the LetsEncrypt retry limit?

Many services.* create their configs and directories where the certificates should be only with switch-configuration. So I’d have to run that in order to get the directory structure into which to copy e.g. the .pem certificate files from the old server. But as soon as I run switch-configuration, NixOS’s acme service will try to fetch certificates, because I haven’t switched the DNS yet.

If I switch the DNS first, my users will have some downtime.

What are clean ways to handle this?


One semi-clean way I can think of: Do the switch-configuration before switching the DNS, thus accepting the rate limit hit, and then copy certs over.

2 Likes

I’m a bit late to seeing this post, and you likely don’t need to do this anymore :stuck_out_tongue: but I’d like to close it out nonetheless.

Assuming whatever service you used to renew your certs generates account data compatible with lego’s account data, then this is theoretically possible. The main thing you will be fighting is the hashed directories in /var/lib/acme/.lego/${cert} and /var/lib/acme/.lego/accounts.

The easiest way I can think of doing this is to run acme-${cert}.service once, and optionally kill it while it's in progress (or as you suggested don't point your DNS at your new server yet). Then copy the account and cert data you are trying to migrate to the hash-named directories. Looking at the script, the rules which determine a full lego run are:

  • A key and cert must exist named the same as the first domain the certs apply to. Replace “*” with “_”.
  • The accounts directory must not be empty

If you satisfy all these conditions (don’t forget to ensure permissions are correct too), then you can “migrate” your certs. Clearly, this isn’t an easy ordeal, and certainly isn’t supported. The ACME module is quite a complex beast and for many reasons just adopting any certs dumped in /var/lib/acme/${cert} is not possible.
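As an added example (not code from this thread or from the NixOS ACME module), here is a small POSIX shell check for the conditions the reply lists before you copy migrated data into the hash-named directories: a key and cert named after the first domain (with "*" replaced by "_"), a non-empty accounts directory, and sane permissions on the private key. The hashed directory names are passed in as arguments rather than computed, and the `certificates/` sub-directory layout and the 600 key mode are my assumptions, not something the thread states.

```shell
#!/usr/bin/env sh
# Added example: verify the lego layout conditions quoted in the reply above
# before letting acme-${cert}.service run against migrated data.
# Assumptions (not from the thread): key/cert live in CERT_DIR/certificates/
# as <stem>.key and <stem>.crt; the private key should be mode 600 or 400.

# lego_cert_filename DOMAIN -> file stem lego uses ("*" becomes "_")
lego_cert_filename() {
  printf '%s\n' "$1" | sed 's/\*/_/g'
}

# check_lego_layout CERT_DIR ACCOUNTS_DIR FIRST_DOMAIN
# Returns 0 when every condition holds, 1 otherwise, printing what is wrong.
check_lego_layout() {
  cert_dir=$1; accounts_dir=$2; first_domain=$3
  stem=$(lego_cert_filename "$first_domain")
  ok=0

  # Condition 1: key and cert named after the first domain must exist.
  for f in "$cert_dir/certificates/$stem.key" "$cert_dir/certificates/$stem.crt"; do
    [ -f "$f" ] || { echo "missing: $f"; ok=1; }
  done

  # Condition 2: the accounts directory must not be empty.
  if [ ! -d "$accounts_dir" ] || [ -z "$(ls -A "$accounts_dir" 2>/dev/null)" ]; then
    echo "accounts directory missing or empty: $accounts_dir"; ok=1
  fi

  # Permissions: a migrated private key should not be group/world readable.
  keyfile="$cert_dir/certificates/$stem.key"
  if [ -f "$keyfile" ]; then
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile" 2>/dev/null)
    case "$mode" in
      600|400) ;;
      *) echo "key $keyfile has mode $mode, expected 600"; ok=1 ;;
    esac
  fi
  return $ok
}

# demo_migration_check: builds a constructed tree in a temp dir (not real
# certificate data) and runs the check for a wildcard cert.
demo_migration_check() {
  d=$(mktemp -d)
  mkdir -p "$d/certs/certificates" "$d/accounts/placeholder-account"
  stem=$(lego_cert_filename '*.example.com')
  printf 'constructed-key\n' > "$d/certs/certificates/$stem.key"
  chmod 600 "$d/certs/certificates/$stem.key"
  printf 'constructed-cert\n' > "$d/certs/certificates/$stem.crt"
  if check_lego_layout "$d/certs" "$d/accounts" '*.example.com'; then
    echo "layout ok for $stem"
  else
    echo "layout incomplete; fix the items above before running acme-<cert>.service"
  fi
  rm -rf "$d"
}

demo_migration_check
```

Run it once against the two hashed directories you populated; an empty accounts directory or a world-readable key is reported before the service would otherwise start a fresh lego run and count against the rate limit.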

Thanks for the detailed explanations!

Unfortunately the old server does not use lego (I’m migrating from an older Ubuntu to NixOS). Nevertheless what you describe can still be very useful to know for the case that I need to switch between multiple NixOS servers.

1 Like