How to change droplets on DO with SSL and minimal downtime?


Currently, I have a DO droplet (Ubuntu 16.04) hosting a website for testing at I created a new droplet (Ubuntu 18.04) with various updates.

I would like to be able to provision this new droplet, test that all is working, then flip the old staging droplet to the new one without any downtime. The problem is, I cannot enable SSL because Let’s Encrypt requires that the canonical hosts have DNS that points to the new droplet before provisioning. This means bringing the current staging droplet offline before I can start provisioning the new droplet.

I will need to do the same process for our production droplet, and cannot have this extensive downtime during provisioning, then a vanilla website up while we import the database, media, etc.

I feel like a floating IP would have resolved this had we originally had the floating IP when creating the first droplet and SSL cert. However, I’m not sure how to address this now.

In summary, I just want to be able to provision and deploy, test it, then flip the DNS from the old droplet to the new one without any major downtime (or any at all preferably).

Any ideas?

Thanks in advance.

When using letsencrypt you can use a manual ssl certificate first which you create using certbot (in manual mode, DNS-verification)

I’ve been using Cloudflare and, I believe this doesn’t need the domain to resolve to the right ip.

You’ll see Trellis error-out if it didn’t work :slight_smile:

When going for minimal downtime:
Change TTL of the A record to lowest value possible first.
Disable SSL, provision the server, set everything up.
Set the A record to the new ip
Provision with --tags letsencrypt (and maybe wordpress, I don’t remember). So it skips all the other tasks.

I believe the SSL Certificate isn’t bound to the IP address (I could be wrong). If you copy the certificates from your production server to your new server and then switch your DNS I believe you should still be able to access over HTTPS with no down time. It’s getting the certificate from Lets Encrypt which relies on the IP(?)

You can attempt to do this by copying all the required certificate files, then making an entry for in your host file pointing to the new IP with certificates in place. This would allow you to test the theory.

All of the directories where certificate data is stored can be found here:

And Here:

And Here:

Before doing this you may need to do some things such originally deploy/provision on a staging URL such as to allow Trellis scripts to complete successfully. Then SSH into the server to change appropriate nginx configs, from to and overwrite any certificate files.

This topic was automatically closed after 42 days. New replies are no longer allowed.