Moving SSL site from one server to another

[douglasb]

My employer wants to move a website from its current host to a VM in Microsoft Azure. The domain will remain the same, but the IP of the host machine will be different, obviously. The site requires SSL, starting with the home page.

What is the best way to move this site from one machine to another, with zero (or as close to zreo as possible) downtime? Apparently my boss seems to think that simply changing the DNS information with the registrar to point to the new IP won't work. We are looking at redirects or a service like "DNS Made Easy", but nobody seems to be sure if we need another SSL certificate for the new server, and if getting one will invalidate the old one. Ideas/suggestions?

 

[drebo]

DNS doesn't propagate immediately. You can lower the TTL, but that isn't 100%.

There isn't really a way to ensure 0 downtime. Your best bet is to move it during off-hours or to simply schedule a maintenance window.

Moving the SSL certificate is easy, as well. You can export the private key on the current server and import it on the new server without issue. You can have one SSL cert deployed on as many servers as you want, as long as the DNS name is correct.

 

[douglasb]

By "DNS name", you mean the domain name, correct? I am a software developer, so networking isn't really my forte'.

We are looking at using a DNS failover service like this. Basically, they have nodes that monitor the URL every 2-4 minutes, and if it is unreachable from 2 or more different geographic locations, the URL fails over to a different IP. Supposedly it is some sort of "A record" and propagates almost instantly. Again, I am a software developer, so I don't know a whole lot about networking, but we are doing this for this particular client.

So the idea is that we would get this DNS failover service, set up the new server, get the SSL certificate re-keyed (is this necessary?), and then when the certificate comes back re-keyed (thus invalidating the previous certificate on the old server), we take the old server down, which causes DNS to fail over to the new IP address. Does this seem like something that would work?

 

[drebo]

DNS failover is never instant or near instant for 100% of clients. The reason for this is because most caching DNS servers ignore the TTL you specify for your records. If I configure my DNS server to cache for 24 hours, regardless of what the authoritative server's TTL is, my server isn't going to update its cache for 24 hours and all of my clients will continue to receive that cached entry. I would say that 99% of all ISP DNS servers in the US don't cache for longer than 1 hour, so you're not going to see more than that for downtime, and usually much less. But, there are never any guarantees.

As for the cert, it doesn't need to be rekeyed or reissued. Just export it from the old server and import it on the new server. Although, if you want to get it reissued, then yeah, you'll just create a new signing request on the new server and send that to the authority and they'll reissue it.

Basically, you cannot rely on DNS for reliable failover. Never make this sort of switch during regular hours. Create yourself a maintenance window (Sunday night at 11pm, for instance) and do it then.

 

[douglasb]

DNS failover is never instant or near instant for 100% of clients. The reason for this is because most caching DNS servers ignore the TTL you specify for your records. If I configure my DNS server to cache for 24 hours, regardless of what the authoritative server's TTL is, my server isn't going to update its cache for 24 hours and all of my clients will continue to receive that cached entry. I would say that 99% of all ISP DNS servers in the US don't cache for longer than 1 hour, so you're not going to see more than that for downtime, and usually much less. But, there are never any guarantees.

As for the cert, it doesn't need to be rekeyed or reissued. Just export it from the old server and import it on the new server. Although, if you want to get it reissued, then yeah, you'll just create a new signing request on the new server and send that to the authority and they'll reissue it.

Basically, you cannot rely on DNS for reliable failover. Never make this sort of switch during regular hours. Create yourself a maintenance window (Sunday night at 11pm, for instance) and do it then.

Very helpful advice. I had a feeling that this zero-downtime my boss and the client were seeking wasn't possible, and what you're telling me confirms that.

 

[Jamsan]

Also, double check the T&Cs with your SSL cert provider. While you can technically copy the priv key and cert to as many servers as you want, some providers require you to license the certificate per server. I wouldn't worry about it in this case since you're going to have the cert in both places for all of 5 minutes, but if you begin to load balance your solution across multiple web servers, you may need to provision more licenses of the cert.

However, there's no real way for the vendor to discover this aside from a physical audit, but something to keep in mind if you want to play by the books.

Edit: regarding your downtime requirements - what type of app is it? Is it all static content or dynamically driven from a database or similar? If the former, you could keep both sites active for about 24-48 hours, and all users will get to the site regardless of which IP they're handed via DNS. Once 100% of the requests stop flowing to the old site, you can take it offline. If it's dynamic content, this is more trouble than it's worth.

 

[Red Squirrel]

You will probably have to recreate the cert, but other than that it should be easy to do. Just make sure you have access to the cert provider, registrar and host so it can be all done in one go.

I had to deal with a situation like this at work. The registrar was one company, the DNS provider was another, the host was another, and the people managing the website was another, and I was stuck in the middle being the IT guy. Was a royal pain in the ass trying to coordinate what should be a 5 minute job.

Set the TTL of the domain to like a minute a couple hours before the switch (or longer if the current TTL is very long). All my personal domains are set to 10 minutes, I find I have no reason to set it higher as DNS is not really an intensive protocol, and at least it gives me the option to do an emergency redirect to another server should something go wrong.

 

[Red Squirrel]

Edit: regarding your downtime requirements - what type of app is it? Is it all static content or dynamically driven from a database or similar? If the former, you could keep both sites active for about 24-48 hours, and all users will get to the site regardless of which IP they're handed via DNS. Once 100% of the requests stop flowing to the old site, you can take it offline. If it's dynamic content, this is more trouble than it's worth.

That's another thing to consider too. What I personally like to do for dynamic sites is setup a temp rsync / mysqldump script to move everything everything over to the new one, should be a simple one step deal. The first one will take a while, but then do it again to transfer any changes since the last one. Then immediately set the old site as read only through the software or database and switch DNS over. That way they can at least see the old site they just can't post/change anything.

Or even better if you can do a location redirect to the IP address. Though that wont always work with virtual hosts.

 

[douglasb]

It's dynamic, and connected to MS SQL Server (on the same machine). I question a lot of my employer's ideas, such as hosting the SQL server on the same machine as the website (and he wonders why CPU utilization stays at 100% during load testing...), but I digress. The SSL cert is through GoDaddy, so it's for unlimited machines, so that isn't any issue. The only thing we were worried about is if putting it on the new machine would somehow invalidate it on the old machine. If so, none of the site (not even the front page) would work, due to how it was designed (another questionable decision, out of many).

My other concern is that, in the process of making the switch, the old database keeps getting added to, and those additions get lost in translation. My boss somehow thinks we can keep this website up with no downtime during the switch, and seamlessly keep operating after the switch as if nothing has happened. I have my doubts.

 

[Jamsan]

To be perfectly realistic here, this doesn't sound like a mission critical application. Hosting it all on 1 server (web/db) is not only a poor design from both a security and architecture perspective, but obviously a single point of failure. If he has no concern of downtime in the event the server crashed (which he obviously doesn't because he hasn't taken the time to build out any sort of HA), what does he care if the site isn't available during a maintenance window on a weekend early morning / night?

Clearly, patching has happened against the machine, new code releases, etc., so there must be some sort of maintenance window allotted.

Per the advice in this thread, move your cert, code, and database starting at X am/pm on a Saturday, while simultaneously cutting over your DNS record. Once complete and the new service is up and running (verify by hitting the IP and not the DNS name), cut off the old services to ensure you're not having writes occurring in both places.