I’ve been having some issues getting a staging server set up - hope someone can help!
I can SSH to the droplet's IP and can provision and deploy if the IP is used in the hosts file - but if I do that I can't access the site. I get:
> This site can't provide a secure connection
SSL is enabled with Let's Encrypt.
I figured this is probably because I need to reprovision using the (sub)domain instead of the IP. If I put staging.example.com into hosts I then can't provision or deploy because I get:
> Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
I've tried deleting known_hosts - as far as I can see the setup is as I'd normally use.
Any steps I can follow to get this working?!
I wonder if you provisioned the server once with LE enabled, then changed `site_hosts` in `wordpress_sites` (e.g., changed `example.com` to `staging.example.com`) and provisioned again.
Trellis Let's Encrypt doesn't yet support changing `site_hosts`. The browser would see that the server's SSL cert lacks the new `staging.example.com` and warn you "This site can't provide a secure connection". You could check the domains (Subject Alternative Name) the cert covers with a command like this:
```
openssl s_client -connect staging.example.com:443 2>&1 | openssl x509 -text | grep DNS
```
We just need some brave testers for the fix in roots/trellis#630.
If this applies to you, you could just back up your data/files, rebuild the server, clear relevant entries from `known_hosts`, and reprovision. I suggest using IPs in `hosts/<environment>` in general because it should always work, whether or not DNS is set up for the domain(s).
If you prefer not to rebuild, you could try these steps:
- SSH into the Trellis server and delete the CSRs in `/var/lib/letsencrypt/csrs`
- SSH into the Trellis server and delete the certs in `/etc/nginx/ssl/letsencrypt`
- Use IPs instead of domain names in `hosts/<environment>`
- Set ssl `enabled: false` in `group_vars/<environment>/wordpress_sites.yml`
- Run `ansible-playbook server.yml -e env=<environment> --tags wordpress`
- Set ssl `enabled: true` in `group_vars/<environment>/wordpress_sites.yml`
- Run `ansible-playbook server.yml -e env=<environment> --tags letsencrypt`
If the page doesn’t load in your browser, double-check on a different browser or machine, maybe clear browser cache for related domains, and maybe clear HSTS headers for related domains.
If you want to help test roots/trellis#630, it’d be great. Once it is merged, none of this would be necessary.
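Added example (not from the thread or from Trellis itself): a small checker that takes the text printed by the `openssl x509 -text` command above and reports which of your configured `site_hosts` the certificate's Subject Alternative Names do not cover, which is exactly the mismatch that produces the browser warning described here. The `SAMPLE_X509_TEXT` below is a constructed stand-in for a cert that was issued before `site_hosts` was changed.

```python
"""Compare a certificate's SAN DNS entries against the hostnames Trellis
is configured to serve. Works on `openssl x509 -text` output, so it can be
run offline on a pasted dump or piped straight from the openssl command."""
import re

# Constructed sample: abbreviated `openssl x509 -text` output for a cert
# that covers example.com only (issued before site_hosts was changed).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
"""


def san_dns_names(x509_text: str) -> list:
    """Return the DNS: entries listed under Subject Alternative Name."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", x509_text)
    if not m:
        return []  # no SAN extension at all: modern browsers ignore the CN
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]


def hostname_covered(hostname: str, names: list) -> bool:
    """Exact match, or a wildcard match that spans a single label only
    (the rule browsers apply, so *.example.com does not cover a.b.example.com)."""
    host = hostname.lower()
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count(".") \
                and host.endswith(n[1:]):
            return True
    return False


def missing_hosts(x509_text: str, site_hosts: list) -> list:
    """Hostnames from site_hosts that the certificate would NOT be valid for."""
    names = san_dns_names(x509_text)
    return [h for h in site_hosts if not hostname_covered(h, names)]


if __name__ == "__main__":
    # The hosts list here is a constructed example of what you would copy
    # out of group_vars/<environment>/wordpress_sites.yml.
    for h in missing_hosts(SAMPLE_X509_TEXT, ["staging.example.com"]):
        print(f"cert does not cover {h}; re-issue after fixing site_hosts")
```

To use it against the live server, pipe the output of the `openssl` command above into a file and pass its contents to `missing_hosts` together with the hosts from your `wordpress_sites.yml`.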
Hi - sorry, holidays got in the way. This sounds like a very likely scenario. I'll give your solution a go if the PR isn't already accepted by the time I get time to.