I wonder if you provisioned the server once with LE enabled, then changed `site_hosts` in `wordpress_sites` (e.g., changed `example.com` to `staging.example.com`) and provisioned again. Trellis Let’s Encrypt doesn’t yet support changing `site_hosts`. The browser would see that the server’s SSL cert lacks the new `staging.example.com` and warn you “This site can’t provide a secure connection”. You could check the domains (Subject Alternative Name) the cert covers with a command like this:

```
openssl s_client -connect staging.example.com:443 </dev/null 2>&1 | openssl x509 -text | grep DNS
```

We just need some brave testers for the fix in roots/trellis#630.

If this applies to you, you could just back up your data/files, rebuild the server, clear relevant entries from `known_hosts`, and reprovision. I suggest using IPs in `hosts/<environment>` in general because it should always work, whether or not DNS is set up for the domain(s).
If you prefer not to rebuild, you could try these steps:

- SSH into the Trellis server and delete the CSRs in `/var/lib/letsencrypt/csrs`
- SSH into the Trellis server and delete the certs in `/etc/nginx/ssl/letsencrypt`
- Use IPs instead of domain names in `hosts/<environment>`
- Set ssl `enabled: false` in `group_vars/<environment>/wordpress_sites.yml`
- Run `ansible-playbook server.yml -e env=<environment> --tags wordpress`
- Set ssl `enabled: true` in `group_vars/<environment>/wordpress_sites.yml`
- Run `ansible-playbook server.yml -e env=<environment> --tags letsencrypt`
If the page doesn’t load in your browser, double-check on a different browser or machine, maybe clear browser cache for related domains, and maybe clear HSTS headers for related domains.
If you want to help test roots/trellis#630, it’d be great. Once it is merged, none of this would be necessary.
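One way to check a cert against the current `site_hosts` before and after the steps above, as an added example that is not part of the original post or of Trellis: it builds a self-signed stand-in for the cert issued for the old hosts (constructed here so it runs offline), extracts the SAN list the same way the `grep DNS` command does, and reports which hosts the cert fails to cover. Host names, file paths and the `cert_sans`/`cert_covers`/`missing_hosts` function names are assumptions; matching is exact, so wildcard SANs are not expanded.

```shell
#!/bin/sh
# Added example: does a cert's SAN list cover every host in site_hosts?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the cert obtained for the OLD site_hosts
# (example.com, www.example.com). A config file keeps this portable
# across OpenSSL versions that lack `-addext`.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -config "$WORK/san.cnf" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# cert_sans FILE -> one DNS name per line from the SAN extension
# (same text the page's `openssl x509 -text | grep DNS` inspects).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_covers FILE HOST -> exit 0 if HOST is listed exactly in the SANs.
cert_covers() {
  cert_sans "$1" | grep -qx "$2"
}

# missing_hosts FILE HOST... -> prints each HOST the cert does not cover.
missing_hosts() {
  cert=$1; shift
  for h in "$@"; do
    cert_covers "$cert" "$h" || echo "$h"
  done
}

# NEW site_hosts after the rename: staging.example.com is not in the cert,
# which is exactly what makes the browser reject the connection.
echo "hosts not covered by $WORK/cert.pem:"
missing_hosts "$WORK/cert.pem" example.com staging.example.com
```

Against a live server, replace the constructed cert with the output of `openssl s_client -connect <host>:443 </dev/null 2>/dev/null | openssl x509` saved to a file.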