Is a Let's Encrypt SSL certificate for an existing hostname possible?

I am trying to figure out how to do a migration of a website/server from a DigitalOcean droplet to Azure (AKS) without disruption to the users/customers.

The DigitalOcean configuration has the SSL certificate served by Let's Encrypt (managed through ServerPilot) for the hostname foo.example.com.

In the new configuration:

  • ClusterIssuer installed (cert-manager.io/v1)
  • Automatic issuing of SSL certificates for ingress resources is working OK

What I am not sure about is whether I will be able to (indirectly, via the ClusterIssuer in AKS) ask for a new certificate for an existing hostname (foo.example.com) when there is already a certificate issued to the same host on the DigitalOcean droplet.

My gut feeling is telling me no, as all that is required then to make a complete hostile takeover is to get hold of our DNS configuration and set up a cert for the domain... I am trying to figure out a way to test/verify this, but any wisdom on this is much appreciated.

Solution 1:[1]

You will be able to configure this with cert-manager, and it is OK even if you have an existing certificate available in the DigitalOcean droplet. I did a similar exercise when I migrated my website from GoDaddy to AKS.

You can refer to this link.

And if you want to use your existing certificate till it expires, you can still do that if you have the certificate .pem file and .crt.

kubectl create secret generic domain-tls \
  --from-file=tls.key=<your domain.pem> \
  --from-file=tls.crt=<your domain.crt>
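
As an added example that is not part of either answer: before importing the existing DigitalOcean key and certificate into AKS as Solution 1 describes, it pays to verify that the key actually matches the certificate, that the certificate is not about to expire, and that its subjectAltName covers foo.example.com, since a mismatched pair or a missing SAN only shows up as TLS errors after cutover. The script assumes openssl and kubectl are on PATH; the secret name and file paths are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answers. Sanity-check an existing
# key/cert pair before importing it into the cluster as a TLS secret.
# Assumptions: openssl (1.1.1+) and kubectl are on PATH.

# check_cert_pair KEY CRT HOST [MIN_SECONDS]
# Returns 0 when KEY belongs to CRT, CRT stays valid for at least MIN_SECONDS
# (default one day) and CRT lists HOST in its subjectAltName.
check_cert_pair() {
  key="$1"; crt="$2"; host="$3"; min_seconds="${4:-86400}"

  # 1. The private key's public half must equal the certificate's public key.
  #    Both are emitted as PEM SubjectPublicKeyInfo, so a string compare suffices.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read private key $key" >&2; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate $crt" >&2; return 1; }
  [ "$key_pub" = "$crt_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }

  # 2. Refuse a certificate that expires within min_seconds.
  openssl x509 -in "$crt" -noout -checkend "$min_seconds" >/dev/null \
    || { echo "certificate expires within ${min_seconds}s" >&2; return 2; }

  # 3. Clients match the SAN list, not the CN, so HOST must appear there.
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "DNS:$host" \
    || { echo "$host is not in subjectAltName" >&2; return 3; }
  return 0
}

# import_cert_secret KEY CRT HOST SECRET_NAME
# Creates a kubernetes.io/tls secret (same tls.key/tls.crt keys as the
# generic secret in Solution 1) only after the checks above pass.
import_cert_secret() {
  check_cert_pair "$1" "$2" "$3" || return $?
  kubectl create secret tls "$4" --key "$1" --cert "$2"
}

# Usage (placeholders):
# import_cert_secret ./foo.example.com.key ./foo.example.com.crt foo.example.com domain-tls
```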

Solution 2:[2]

I can also confirm that having two certificates for the same domain works just fine, from my experience but also from the fact that RFC 5280 has "superseded" as the fourth reason to revoke a certificate. Having this reason would not make any sense if that already happened automatically.

Also, if you think about your certificate authority as a provider of a highly available cluster, you may wonder how long even Let's Encrypt needs to verify a domain. If you were to expire a certificate which had been replaced and/or used by you or a third party for the first time, even if you could, the authority would still have to expire the certificate on all of their cluster nodes, and from requesting certificates you can approximately say how long such a distribution takes: much too long for your highly available service.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution    Source
Solution 1  Vineesh Vijayan
Solution 2  MaxC