Deploying a Trellis site with SSL certificates prior to DNS records being in place

manu.weg · November 8, 2022, 12:07pm

I have a roots trellis/bedrock/sage 10 and am developing locally and have a digital ocean staging environment (non ssl because it is a sub domain and the NS records for the top level domain need to point directly to the DO droplet in order for DO to generate an SSL certificate).
My current production site which we are migrating to roots trellis/bedrock/sage 10 is a standard WP installation hosted on a managed shared server.

In order for me to deploy the production site to DO I need to point the top level domain to DO and it needs to be done at a registry level ie. I can’t just update the DNS records with my existing host, they have to request the registrar to point the records to digital ocean nameservers.

Anyway, this is my question:

How do I avoid downtime of the production site while I point the top level domain to DO and have https certificate (SSL) generating until the domain resolves successfully to DO.

I am not sure if I am explaining myself well, but basically I want to avoid downtime while I do what is necessary ot get the production environment setup, deployed and https functioning.
Should I use an alternative domain to deploy in the meantime?
Will that create deploy issues down the line when I update the domain to the actual domain?

I am just trying to avoid getting myself into a world of pain if someone can advise on the best way of doing this.

ben · November 9, 2022, 3:36pm

You’ll need to provision the server with a manual SSL certificate first

I’m not aware of an easy way to pull this off. Typically when I have to do this, I’m luckily dealing with an existing Trellis server that I can pull the certs from.

Are you able to run something like certbot from your current production server?

swalkinshaw · November 10, 2022, 12:10am

Yeah if you’re worried about downtime, that implies you already have a production site up on that domain with SSL? If so, as @ben said, you can copy over the existing certificate and use the manual option.

Then later, and optionally if you want, switch over to Let’s Encrypt.

Twansparant · November 11, 2022, 3:04pm

So in theory you could copy over the existing Let’s Encrypt certificate from the existing remote server? Where can I find these exactly by the way? There not in:

/srv/www/letsencrypt
/usr/local/letsencrypt

And then use these as the manual provider for the new remote server?
When DNS is resolved, switch to the letsencrypt provider?

Would that work?
Thanks!

ben · November 11, 2022, 3:18pm

Yes, see SSL migration tool · Issue #10 · roots/trellis-cli · GitHub

Twansparant · November 11, 2022, 7:36pm

Awesome, thanks for this!

Twansparant · November 14, 2022, 1:30pm

How do you work around this permission error when using the admin user?
The /etc/nginx/ssl folder is read-only?

Never mind, using root user fixed it for me:

scp root@example.com:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp root@example.com:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

strarsis · November 14, 2022, 2:30pm

Also ensure that the ownership (well, it should be root:root) and the permissions are correct after you are done, some examples here:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key