I’ve been having some issues getting a staging server set up - hope someone can help!
I can SSH to the droplet’s IP and can provision and deploy if the IP is used in the hosts file - but if I do that I can’t access the site. I get:
This site can’t provide a secure connection
SSL is enabled with Let’s Encrypt.
I figured this is probably because I need to reprovision using the (sub)domain instead of the IP. If I put staging.example.com into hosts I then can’t provision or deploy because I get:
Failed to connect to the host via ssh: Permission denied (publickey,gssapi-
I’ve tried deleting known_hosts - as far as I can see the setup is as I’d normally use.
Any steps I can follow to get this working?!
I wonder if you provisioned the server once with LE enabled, then changed wordpress_sites (e.g., changed staging.example.com) and provisioned again. Trellis Let’s Encrypt doesn’t yet support changing site_hosts. The browser would see that the server’s SSL cert lacks the new staging.example.com and warn you “This site can’t provide a secure connection”. You could check the domains (Subject Alternative Name) the cert covers with a command like this (the -servername flag sends SNI so a multi-site server returns the right cert, and </dev/null stops s_client waiting on stdin):
openssl s_client -connect staging.example.com:443 -servername staging.example.com </dev/null 2>&1 | openssl x509 -text | grep DNS
We just need some brave testers for the fix in roots/trellis#630.
If this applies to you, you could just back up your data/files, rebuild the server, clear relevant entries from known_hosts, and reprovision. I suggest using IPs in hosts/<environment> in general because it should always work, whether or not DNS is set up for the domain(s).
If you prefer not to rebuild, you could try these steps:
- SSH into the Trellis server and delete the CSRs in
- SSH into the Trellis server and delete the certs in
- Use IPs instead of domain names in
- Set ssl enabled: false in
  ansible-playbook server.yml -e env=<environment> --tags wordpress
- Set ssl enabled: true in
  ansible-playbook server.yml -e env=<environment> --tags letsencrypt
If the page doesn’t load in your browser, double-check on a different browser or machine, maybe clear browser cache for related domains, and maybe clear HSTS headers for related domains.
If you want to help test roots/trellis#630, it’d be great. Once it is merged, none of this would be necessary.
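To make the SAN check above reproducible offline, here is an added example (not code from the original post or from Trellis) that parses the grep DNS output of openssl x509 -text and applies the same hostname-matching rule a browser uses before it shows “This site can’t provide a secure connection”: an exact match, or a wildcard that stands for exactly one leftmost label. The certificate text below is a constructed sample of a cert issued before staging.example.com was added to site_hosts; the function and host names are this example’s own, not Trellis conventions.

```python
"""Check which configured site_hosts a certificate's SAN list actually covers.

Feed it the output of:
  openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 \
    | openssl x509 -text | grep DNS
on stdin, or run it without input to use the constructed sample below.
"""
import re
import sys
from typing import List

# Constructed sample of the SAN block from `openssl x509 -text` for a cert
# that predates the staging.example.com entry in wordpress_sites.
SAMPLE_X509_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:example.com, DNS:www.example.com, DNS:*.dev.example.com
"""


def parse_san_dns(x509_text: str) -> List[str]:
    """Return every DNS: entry from the Subject Alternative Name extension."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", x509_text)]


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style comparison used by browsers and libraries.

    A wildcard is only honoured when it is the entire leftmost label, it
    matches exactly one label (so *.dev.example.com does not cover
    a.b.dev.example.com), and the remaining suffix has at least two labels
    (so a bogus *.com entry is rejected).
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(hostname: str, x509_text: str) -> bool:
    """True if any SAN entry in the cert text covers the hostname."""
    return any(san_matches(hostname, san) for san in parse_san_dns(x509_text))


def missing_hosts(site_hosts: List[str], x509_text: str) -> List[str]:
    """The configured hosts that would trigger the browser warning."""
    return [host for host in site_hosts if not cert_covers(host, x509_text)]


if __name__ == "__main__":
    # Use real openssl output when piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    # Hypothetical site_hosts list for this example.
    configured = ["example.com", "www.example.com", "staging.example.com"]
    print("cert covers:", parse_san_dns(text))
    for host in missing_hosts(configured, text):
        print(f"NOT covered, browser will warn: {host}")
```

With the sample cert the script reports staging.example.com as not covered, which is exactly the situation where the server must be reprovisioned with Let’s Encrypt after site_hosts changes.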
Hi - sorry, holidays got in the way. This seems like a very likely scenario. I’ll give your solution a go if the PR isn’t already accepted by the time I get time to.