1

I am trying to migrate a server (from an old IP to a new IP) and link it to a domain name. I tried to copy the entire letsencrypt folder from the old server to the new server along with permissions. I got a warning when I tried to access the new server with its IP address, but it is accessible. But once I pointed the domain name to the new server IP, I got the error NET::ERR_CERT_COMMON_NAME_INVALID through both the new IP and the domain name. And I tried to renew the certificate by

sudo certbot renew

on the new server. It said it was successful and didn't spit out any warning. What is the correct procedure to migrate a server?

I'm running 16.04, nginx 1.10.3, and wordpress.


I checked the certificate as vidarlo suggested. And it is showing that the certificate is missing.

I checked the files /etc/letsencrypt/live/www.outliip.org/fullchain.pem and /etc/letsencrypt/live/www.outliip.org/privkey.pem. But they are there alright.

And my /nginx/site-available/default is as follows

server {
    listen 80;
    server_name outliip.org www.outliip.org;
    return 301 https://$host$request_uri;
}

server {
    # SSL configuration
    #
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.outliip.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.outliip.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    root /home/ubuntu/Dropbox/lwebsite;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~ /.well-known {
        allow all;
    }
    #return 301 https://$server_name$request_uri;
}
  • That should work. Have you manually checked the certificate? In Chrome, open the page, press F12, go to Security and view the certificate. Which name is listed there?
    – vidarlo
    Commented Apr 29, 2018 at 18:08
  • Thanks much for the tip! Actually it displays certificate missing.
    – user559678
    Commented Apr 29, 2018 at 19:03

1 Answer

1

I visited your site - outliip.org

SSL Certificate

The certificate is made out to www.outliip.org, while the site URL is outliip.org, and www.outliip.org redirects to outliip.org. For the purposes of certificates, these are two distinct sites. The hostname of the site must match the hostnames (Common Name or Alternative Name) specified in the certificate.

This is why it is shown as unsafe. The domain does not match the hostname.

Either move your site to www.outliip.org, make a new certificate for outliip.org, or make a new certificate, which includes both www.outliip.org and outliip.org. This can be done by specifying multiple domains (-d outliip.org -d www.outliip.org) when requesting certificates with certbot.

The redirect can be trivially checked as well:

$ curl -I https://www.outliip.org
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 29 Apr 2018 20:02:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=g05refh2co4njmcoic3jp1kk61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Pingback: https://outliip.org/xmlrpc.php
Location: https://outliip.org/
  • Thanks much for your help! I redirect all traffic to outliip.org and it works now. And it seems that I was not configuring the right nginx file to begin with. I should have started from /etc/nginx/nginx.conf and I didn't realize that.
    – user559678
    Commented Apr 29, 2018 at 23:42
  • That's good :) As a future reference, the browser's error messages are quite good :)
    – vidarlo
    Commented Apr 29, 2018 at 23:44
  • Yes. That definitely is very helpful. Didn't realize that exists. Thanks again :)
    – user559678
    Commented Apr 30, 2018 at 0:38
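
The hostname check described in the answer, as an added example that is not part of the original thread: it lists which server names a certificate fails to cover, and goes slightly beyond the answer by also handling wildcard names. The function names and the example.org hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Hostnames are constructed.

# Read `openssl x509 -noout -text` output on stdin; print the SAN DNS names,
# lower-cased, one per line.
san_names() {
    awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z'
}

# Succeed if hostname $1 matches certificate name $2. A wildcard name such as
# *.example.org covers exactly one left-most label, never the bare domain.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $2 in
        '*.'*) suffix=${2#??}
               [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "$suffix" ] ;;
        *)     [ "$host" = "$2" ] ;;
    esac
}

# Succeed if hostname $1 matches any name in the newline-separated list $2.
is_covered() {
    while IFS= read -r san; do
        name_matches "$1" "$san" && return 0
    done <<EOF
$2
EOF
    return 1
}

# Read certificate text on stdin; print each argument the certificate misses.
uncovered() {
    sans=$(san_names)
    for h in "$@"; do
        is_covered "$h" "$sans" || printf '%s\n' "$h"
    done
}

# Constructed excerpt: a certificate issued for the www name only.
sample_cert_text() {
    cat <<'EOF'
        Subject: CN = www.example.org
            X509v3 Subject Alternative Name:
                DNS:www.example.org
EOF
}

# Pass every name from the nginx server_name line; prints "example.org".
sample_cert_text | uncovered example.org www.example.org
```

To check a real certificate, pipe `openssl x509 -in <path to fullchain.pem> -noout -text` into `uncovered` followed by the names from `server_name`; any name it prints needs its own `-d` argument when the certificate is requested.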
