Can't connect to host with subdomain (works with IP)

I’ve been having some issues getting a staging server set up - hope someone can help!

I can ssh to the droplet's IP and can provision and deploy if the IP is used in the hosts file - but if I do that I can’t access the site. I get:

This site can’t provide a secure connection

ssl is enabled with letsencrypt

I figured this is probably because I need to reprovision using the (sub)domain instead of the ip. If I put staging.example.com into hosts I then can’t provision or deploy because I get:

Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)

I’ve tried deleting known_hosts - as far as I can see the setup is as I’d normally use.

Any steps I can follow to get this working?!

I wonder if you provisioned the server once with LE enabled, then changed site_hosts in wordpress_sites (e.g., changed example.com to staging.example.com) and provisioned again.

Trellis Let's Encrypt doesn’t yet support changing site_hosts. The browser would see that the server’s SSL cert lacks the new staging.example.com and warn you “This site can’t provide a secure connection”. You could check the domains (Subject Alternative Name) the cert covers with a command like this:

openssl s_client -connect staging.example.com:443 </dev/null 2>&1 | openssl x509 -noout -text | grep DNS

We just need some brave testers for the fix in roots/trellis#630.

If this applies to you, you could just back up your data/files, rebuild the server, clear relevant entries from known_hosts, and reprovision. I suggest using IPs in hosts/<environment> in general because it should always work, whether or not DNS is set up for the domain(s).

If you prefer not to rebuild, you could try these steps:

  1. SSH into Trellis server and delete the CSRs in /var/lib/letsencrypt/csrs
  2. SSH into Trellis server and delete the certs in /etc/nginx/ssl/letsencrypt
  3. Use IPs instead of domain names in hosts/<environment>
  4. Set ssl enabled: false in group_vars/<environment>/wordpress_sites.yml
  5. Run ansible-playbook server.yml -e env=<environment> --tags wordpress
  6. Set ssl enabled: true in group_vars/<environment>/wordpress_sites.yml
  7. Run ansible-playbook server.yml -e env=<environment> --tags letsencrypt

If the page doesn’t load in your browser, double-check on a different browser or machine, maybe clear browser cache for related domains, and maybe clear HSTS headers for related domains.

If you want to help test roots/trellis#630, it’d be great. Once it is merged, none of this would be necessary.
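To see which configured hostnames a certificate actually covers, here is an added example in Python (not Trellis's own code) that performs the same SAN comparison a browser does; the site_hosts layout mirrors the shape used in wordpress_sites.yml, and the SAN list is constructed sample data.

```python
"""Report which Trellis site_hosts a certificate's Subject Alternative Names do not cover."""
import socket
import ssl


def host_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style match: exact label match, or a single '*' as the leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one label and never a bare registrable domain.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def uncovered_hosts(site_hosts, san_names):
    """Return every canonical/redirect host in site_hosts that no SAN entry matches."""
    wanted = []
    for entry in site_hosts:
        wanted.append(entry["canonical"])
        wanted.extend(entry.get("redirects", []))
    return [h for h in wanted if not any(host_matches_san(h, s) for s in san_names)]


def fetch_san_names(hostname, port=443, timeout=5):
    """Pull the DNS SANs from a live cert, like the openssl s_client | grep DNS pipeline.

    Assumes the cert chains to a trusted CA (a Let's Encrypt cert does); only the
    hostname check is disabled, because a name mismatch is exactly what we inspect.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample: the cert was issued before site_hosts was changed to staging.
SAMPLE_SAN = ["example.com", "www.example.com"]
SAMPLE_SITE_HOSTS = [
    {"canonical": "staging.example.com", "redirects": ["www.staging.example.com"]},
]

if __name__ == "__main__":
    print("not covered by cert:", uncovered_hosts(SAMPLE_SITE_HOSTS, SAMPLE_SAN))
```

Replace SAMPLE_SAN with fetch_san_names("staging.example.com") to check the real server once DNS resolves.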

Hi - sorry, holidays got in the way. This sounds like a very likely scenario. I’ll give your solution a go if the PR isn’t already accepted by the time I get time to.