Roots Discourse

Could not access challenge file

For unknown reasons the letsencrypt setup fails with a domain where it always worked (here called `www.example.com`) before. Nothing changed and the site can be used in a browser as usual.
Is the site really responsible, or is there another, underlying issue that causes the error message?

```
Could not access the challenge file for the hosts/domains: www.example.com. Let's Encrypt requires every domain/host be publicly accessible. Make sure that a valid DNS record exists for www.example.com and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details.
```

Did it happen more than once? Or consistently? Like any network call, it could easily fail for a number of reasons and result in that message. If it consistently happens (and the site works), then it's weird and maybe a bug.

Either way it’s better to ensure what’s happening well before the cert needs to be renewed.

It seems to happen randomly when letsencrypt/cert settings have been changed.

When this happens again, I'll try to do more tests, like cancelling before the challenge files have been created and testing external access.

Just happened again. During a full normal playbook run, the challenge files of two sites apparently weren’t reachable.

```
Could not access the challenge file for the hosts/domains:
www.example1.com. Let's Encrypt requires every domain/host be publicly
accessible. Make sure that a valid DNS record exists for www.example1.com
and that they point to this server's IP. If you don't want these domains in
your SSL certificate, then remove them from `site_hosts`. See
https://roots.io/trellis/docs/ssl for more details.
failed: [production-server] (item=example1.com) => {"changed": false, "item": "example1.com"}
---------------------------------------------------
Could not access the challenge file for the hosts/domains:
www.example2.com. Let's Encrypt requires every domain/host be publicly
accessible. Make sure that a valid DNS record exists for www.example2.com
and that they point to this server's IP. If you don't want these domains in
your SSL certificate, then remove them from `site_hosts`. See
https://roots.io/trellis/docs/ssl for more details.
failed: [production-server] (item=example2.com) => {"changed": false, "item": "example2.com"}
```

Both sites can be used as normally, certificates are OK, too.

Are the challenge files checked from the ansible control node/workstation or from the server itself? Could it be the DNS servers used by the checking system, or some issue with the hosts file (which is pristine on the workstation)?
When the ansible playbook run failed at this point, are the challenge files still in place?
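The error message above bundles several distinct failure modes (no DNS record, DNS pointing elsewhere, HTTP not reachable, file missing, wrong vhost answering) into one sentence. The following script is an added example, not Trellis or Roots code, that separates them so the question "DNS of the checking system, or the server?" can be answered by running the same check from the workstation, from the server itself, and from a third network. It assumes the standard HTTP-01 layout (`/.well-known/acme-challenge/<token>` served over plain HTTP on port 80); the host names, the server IP `203.0.113.10` and the playbook output in the test are constructed sample values. `diagnose()` checks DNS before HTTP, because that is the order in which validation fails in practice.

```python
"""Classify why a Let's Encrypt HTTP-01 challenge file is unreachable.

Added example; not part of Trellis. Assumes the standard ACME path
/.well-known/acme-challenge/<token> is served over plain HTTP on port 80.
Run it from the control node AND from the server; differing results point
at the resolver (or /etc/hosts) of whichever machine gives the odd answer.
"""
import re
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(host, token):
    """HTTP-01 validation starts over plain HTTP on port 80, never HTTPS."""
    return "http://%s%s%s" % (host, ACME_PATH, token)


def resolve(host):
    """Addresses the *local* resolver returns for host (empty set if none)."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch(url, timeout=10):
    """Plain GET; returns (status, body) or (None, error text) on no answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "challenge-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # server answered, but not 200
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:  # refused, timeout, reset
        return None, str(exc)


def diagnose(host, server_ips, token, expected_body,
             resolver=resolve, fetcher=fetch):
    """Return one tag describing the first failing step for one host.

    no-dns       host does not resolve at all on this machine
    wrong-ip     host resolves, but to none of server_ips (stale/other record)
    unreachable  DNS fine, but no HTTP answer (firewall, nginx down, timeout)
    http-<code>  server answered with a non-200 status (404: file not present)
    bad-body     200 but different content (another vhost served the request)
    ok           challenge file served correctly
    """
    addrs = resolver(host)
    if not addrs:
        return "no-dns"
    if not addrs & set(server_ips):
        return "wrong-ip"
    status, body = fetcher(challenge_url(host, token))
    if status is None:
        return "unreachable"
    if status != 200:
        return "http-%d" % status
    if body.strip() != expected_body:
        return "bad-body"
    return "ok"


def failed_items(playbook_output):
    """Extract the item names from Ansible 'failed: [host] (item=...)' lines."""
    return re.findall(r"^failed: \[[^\]]+\] \(item=([^)]+)\)",
                      playbook_output, re.MULTILINE)


if __name__ == "__main__":
    # usage: check.py <server-ip> <token> <expected-body> <host> [<host> ...]
    if len(sys.argv) < 5:
        sys.exit(__doc__)
    ip, tok, want = sys.argv[1:4]
    for h in sys.argv[4:]:
        print("%-30s %s" % (h, diagnose(h, [ip], tok, want)))
```

Create a throwaway token file under the acme-challenge directory on the server, run the script with that token and its content from each vantage point, and compare the tags: `wrong-ip` or `no-dns` on the workstation only means the control node's resolver or hosts file is the problem, while `unreachable` or `http-404` from everywhere means the server side (firewall, nginx vhost, or the file being removed when the play is cancelled).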