I want to swap them so that the public server is on the other box. I can swap the IP addresses of the boxes to avoid DNS issues.
What’s the best way to avoid any Let’s Encrypt cert problems when I bring them back up? Can I just swap the current .caddy directories between the two boxes?
If you’re worried about certificate issues, there won’t be any as long as Caddy is accessible at the IP address specified by each of its managed domains. You don’t need to copy the .caddy directory at all (unless you’ve got more domains than Let’s Encrypt’s rate limit).
Requisitioning a new set of certificates is pretty quick, and you avoid transmitting your private keys (even if you would have been transmitting them securely).
With that said, you can indeed copy the entire .caddy directory, and if it’s placed in the correct location with the correct permissions, Caddy will start using them instead of requesting new ones.
If it’s absolute zero downtime you require, though, here’s how I’d do it:
On [new-host]: sudo rsync -az [old-host]:/root/.caddy /root/.caddy
(or other file path as appropriate)
On [new-host]: sudo rsync -az [old-host]:/etc/Caddyfile /etc/Caddyfile
(or other file path as appropriate)
Ran caddy on the new host: looks OK, all sites listed, no errors. Ran caddy on the old host: looks OK, http:// and https:// running, no errors.
But when I access a hostname with Firefox, it says: “Secure Connection Failed” and “An error occurred during a connection to passchier.net. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG”. Nothing appears in the logs both on old and new VPS.
Aaargh! Now all my sites are down, because I had to switch back to my old VPS and didn’t shut the new one down in time, and caddy refuses to run due to the Let’s Encrypt rate limit being exceeded…
How long does that last?? Is there anything that can be done?
EDIT: Apparently, that doesn’t last very long, less than an hour for sure.
Did you copy the .caddy folder across? How did you get rate limited?
That error looks like Caddy didn’t pick up the certificates on the old VM. That might be my oversight; I think there might be no reason for old-host Caddy to load them from disk.
No. One host should have the normal configuration, with all the applicable sites; the other should proxy all requests to the host with the normal configuration.
Both sites should have the complete set of ACME files before attempting this, so Let’s Encrypt shouldn’t be contacted at any point (unless those certificates are under 30 days).
OK, I get a 502 now, nothing logged on the new host or the old host. Added logging to the old host, and it logs: “[ERROR 502 /] x509: cannot validate certificate for 45.58.49.179 because it doesn’t contain any IP SANs”.
EDIT: Solved it. It needs a hostname and not an IP address. As soon as I put the hostname in, it started to work.
Yes, it all seems to work; I’ve changed the A pointers of all the domains too now, but I’m still getting traffic on the proxy. But that works; the key was using a (any?) domain name that resolves to the intended IP address. So no IP…! (I did that because I didn’t have a domain name resolving to the new IP yet…)