Adding Redirect for non-www to which I do not have DNS access

We are redirecting non-www to www because non-www is in use by client intranet.

Provision is failing at TASK [letsencrypt : Test Acme Challenges] because DNS for example.com points to a different IP address than hosting server.

I think that the resulting nginx config files should look something like:

# Redirect host: the naked domain (canonical is www.example.com, per site_hosts).
# It only needs port 80 here; an https://example.com request would still require
# a certificate that covers example.com.
server {
    listen 80;                 # port 80 is the default, shown for clarity
    server_name example.com;   # the redirect host, not the canonical one
    return 301 $scheme://www.example.com$request_uri;
}

# Canonical host
server {
    listen 80;
    server_name www.example.com;
    #The rest of your configuration goes here#
}

Would it make sense to skip letsencrypt for the non-www domain listed under the site_hosts:redirects?

"site_hosts": [{"canonical": "www.example.com", "redirects": ["example.com"]}]

Is this something that would be done in the task that’s breaking?

- name: Test Acme Challenges
  test_challenges:
    hosts: "{{ site_hosts }}"
  register: letsencrypt_test_challenges
  ignore_errors: true
  when: site_uses_letsencrypt
  with_dict: "{{ wordpress_sites }}"

Perhaps the solution is to add a when clause, but I’m not sure how to reference the {{ site_hosts }} dict contents.

Can one of you wonderful (and healthy, I hope) developers enlighten me?

Thanks a lot.

Can you just remove the “naked” domain from redirects? IIRC then Trellis won’t attempt to check it for LE cert generation.


Well that’s what I had initially:

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: www.example.com
    local_path:

Problem is that then there isn’t a redirect created in the nginx config.

As it turns out, the client had the DNS A record pointed to the wrong IP address!

So the redirection from www. to naked is working correctly now.

As I worked through the issue, the site went down altogether because the aborted letsencrypt deployments updated the nginx configs, but not the certificates (or maybe the opposite), so the nginx config paths were pointing to nonexistent certs:

UPDATE. I broke the site because I tried to manually update /etc/nginx/sites-enabled and restart nginx.

It seems that what had happened was that the old certs had been removed, but the new ones hadn’t been validated. So running sudo systemctl restart nginx returned with errors.

Using sudo nginx -s I was able to see:

nginx: [emerg] cannot load certificate "/etc/nginx/ssl/letsencrypt/example.com-f0c2c46-bundled.cert": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com-f0c2c46-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)..

Within /etc/nginx/ssl/letsencrypt/ (which needs sudo to view) I find

/etc/nginx/ssl/letsencrypt/example.com-DIFFERENT_HASH-bundled.cert

So I update sites-available/americareny.com.conf in two places to match the cert that actually exists.

I’m still unsure if there’s a way to create nginx redirect configs without needing to generate a cert for the redirect domain, but since it’s working for now, I will probably let it go.
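The failure described in the last post (an nginx config that references a certificate hash no longer present on disk) can be caught before nginx is restarted. The script below is an added example for this thread, not code from Trellis or from any poster. It assumes POSIX sh, that site configs are a directory of *.conf files with plain `ssl_certificate` / `ssl_certificate_key` directives (no paths containing spaces), and it constructs its own sample config and empty cert files in a temporary directory so it runs offline; the hash values in the demo are made up.

```shell
#!/bin/sh
# Added example: verify that every certificate/key path referenced by nginx
# site configs exists on disk, so a config update that outran cert generation
# is reported before "systemctl restart nginx" takes the site down.

# check_cert_paths DIR
# Scans DIR/*.conf for ssl_certificate and ssl_certificate_key directives,
# prints every referenced path that is missing, returns 1 if any is missing.
# (ssl_trusted_certificate is deliberately not matched by the regex.)
check_cert_paths() {
    dir="$1"
    missing=0
    for path in $(grep -h -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$dir"/*.conf 2>/dev/null \
                  | sed -e 's/#.*$//' -e 's/;.*$//' \
                  | awk '{print $2}'); do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            missing=1
        fi
    done
    return $missing
}

# demo_config REFERENCED_HASH ONDISK_HASH
# Builds a constructed site config that references cert files named with
# REFERENCED_HASH while the files that actually exist carry ONDISK_HASH,
# runs the check, and returns its status (0 = all paths present, 1 = missing).
demo_config() {
    ref_hash="$1"
    disk_hash="$2"
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ssl" "$tmp/sites"
    # the files that exist on disk (empty placeholders, not real certs)
    : > "$tmp/ssl/example.com-$disk_hash-bundled.cert"
    : > "$tmp/ssl/example.com-$disk_hash.key"
    # config as an aborted deploy might have left it
    cat > "$tmp/sites/example.com.conf" <<EOF
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     $tmp/ssl/example.com-$ref_hash-bundled.cert;
    ssl_certificate_key $tmp/ssl/example.com-$ref_hash.key;
}
EOF
    if check_cert_paths "$tmp/sites"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demo of the thread's situation: config references one hash,
# disk holds another, so the check reports the missing path and fails.
demo_config f0c2c46 DIFFERENT_HASH || echo "refusing to restart nginx: fix the cert paths first"
```

On a real box you would run `check_cert_paths /etc/nginx/sites-enabled` as root (the ssl directory is root-only) and only then `nginx -t` followed by the restart. The check only confirms that the referenced files exist; validating the certificate contents is still `nginx -t`'s job.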
