Deploying a Trellis site with SSL certificates prior to DNS records being in place

I have a Roots Trellis/Bedrock/Sage 10 site and am developing locally, and I have a DigitalOcean staging environment (non-SSL, because it is a subdomain and the NS records for the top-level domain need to point directly to the DO droplet in order for DO to generate an SSL certificate).
My current production site, which we are migrating to Roots Trellis/Bedrock/Sage 10, is a standard WP installation hosted on a managed shared server.

In order for me to deploy the production site to DO I need to point the top-level domain to DO, and it needs to be done at a registry level, i.e. I can’t just update the DNS records with my existing host; they have to request the registrar to point the records to DigitalOcean nameservers.

Anyway, this is my question:

How do I avoid downtime of the production site while I point the top-level domain to DO and have an HTTPS certificate (SSL) generating until the domain resolves successfully to DO?

I am not sure if I am explaining myself well, but basically I want to avoid downtime while I do what is necessary to get the production environment set up, deployed and HTTPS functioning.
Should I use an alternative domain to deploy in the meantime?
Will that create deploy issues down the line when I update the domain to the actual domain?

I am just trying to avoid getting myself into a world of pain if someone can advise on the best way of doing this.

You’ll need to provision the server with a manual SSL certificate first.

I’m not aware of an easy way to pull this off. Typically when I have to do this, I’m luckily dealing with an existing Trellis server that I can pull the certs from.

Are you able to run something like certbot from your current production server?

Yeah if you’re worried about downtime, that implies you already have a production site up on that domain with SSL? If so, as @ben said, you can copy over the existing certificate and use the manual option.

Then later, and optionally if you want, switch over to Let’s Encrypt.

So in theory you could copy over the existing Let’s Encrypt certificate from the existing remote server? Where can I find these exactly, by the way? They’re not in:

/srv/www/letsencrypt
/usr/local/letsencrypt

And then use these as the manual provider for the new remote server?
When DNS is resolved, switch to the letsencrypt provider?

Would that work?
Thanks!

Yes, see SSL migration tool · Issue #10 · roots/trellis-cli · GitHub


Awesome, thanks for this!

How do you work around this permission error when using the admin user?
The /etc/nginx/ssl folder is read-only?

Never mind, using root user fixed it for me:

scp root@example.com:/etc/nginx/ssl/letsencrypt/example.com-bundled.cert /local/path
scp root@example.com:/etc/nginx/ssl/letsencrypt/example.com.key /local/path

Also ensure that the ownership (well, it should be root:root) and the permissions are correct after you are done; some examples here:

-rw-r--r-- root root [domain.tld]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
-rw-r--r-- root root [domain.tld]-[hash]-bundled.cert
[...]
-rw------- root root [domain.tld].key

To easily get the certificates from the server without modifying permissions on existing directories (assumes you have trellis-cli installed):

# optional: copy admin password
trellis vault view production | grep "admin_password:" | cut -d: -f2 \
  | grep -oe '[^ ].*$' | pbcopy
# ssh into first production server
ssh admin@example.com

On the server:

# become root user
sudo su
# bundle certificates
tar -czf /home/admin/letsencrypt.tgz -C /etc/nginx/ssl/letsencrypt .
# allow downloading of bundle by admin user
chown admin:sudo /home/admin/letsencrypt.tgz
exit
exit

On local machine:

# optional: create home for certs
mkdir trellis/ssl
# copy certs from server
scp admin@example.com:~/letsencrypt.tgz trellis/ssl
# extract certs into folder
tar -xvf trellis/ssl/letsencrypt.tgz -C trellis/ssl

Then configure trellis/group_vars/production/wordpress_sites.yml as described above:

ssl:
  enabled: true
  # provider: letsencrypt
  provider: manual
  cert: ssl/example.com-bundled.cert
  key: ssl/example.com.key

# provision new server
trellis provision --tags=letsencrypt production
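Before pointing the manual provider at the copied files, it is worth checking that what landed in trellis/ssl (or in /etc/nginx/ssl/letsencrypt on the new server) is actually usable. The script below is an added example, not code from this thread or from the Trellis project: it enforces the ownership and permission expectations from the listing above (0644 for the bundles, 0600 for the keys, owned by root on the server) and, where openssl is installed, confirms that the bundled cert really belongs to the key and is not about to expire. The file layout `<domain>-bundled.cert` / `<domain>.key` is taken from the posts above; the `owner` argument (so a local copy owned by your own user can be checked too) and the `MIN_DAYS` threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check certificates copied from the old server before
# pointing Trellis's `provider: manual` at them. Not part of Trellis or the thread.
#
# Expectations (from the ownership/permission listing in the thread):
#   *.cert  -> mode 0644, owned by OWNER (root on the server)
#   *.key   -> mode 0600, owned by OWNER
# Plus, when openssl is available: the bundled cert's public key must match the
# private key, and the cert must remain valid for at least MIN_DAYS.

MIN_DAYS=${MIN_DAYS:-14}   # assumption: a cert expiring sooner is not worth migrating

# audit_cert_perms DIR [OWNER]: print one line per violation; return 1 if any.
audit_cert_perms() {
    dir=$1
    owner=${2:-root}
    bad=0
    # certificate bundles: world-readable, owner-writable only
    for f in $(find "$dir" -maxdepth 1 -name '*.cert' ! -perm 644); do
        echo "WRONG MODE (want 0644): $f"; bad=1
    done
    # private keys: readable by the owner only
    for f in $(find "$dir" -maxdepth 1 -name '*.key' ! -perm 600); do
        echo "WRONG MODE (want 0600): $f"; bad=1
    done
    # everything must belong to the expected user
    for f in $(find "$dir" -maxdepth 1 \( -name '*.cert' -o -name '*.key' \) ! -user "$owner"); do
        echo "WRONG OWNER (want $owner): $f"; bad=1
    done
    return $bad
}

# cert_matches_key CERT KEY: 0 when the public key inside CERT equals the one
# derived from KEY (a mismatch makes nginx refuse to load the pair).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: 0 when CERT will still be valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Usage: sh check_certs.sh trellis/ssl example.com [owner]
# (owner defaults to root; pass your own user when checking a local copy)
if [ "$#" -ge 2 ]; then
    dir=$1; domain=$2; owner=${3:-root}
    audit_cert_perms "$dir" "$owner"
    cert_matches_key "$dir/$domain-bundled.cert" "$dir/$domain.key" \
        && echo "OK: $domain cert and key match"
    cert_valid_for_days "$dir/$domain-bundled.cert" "$MIN_DAYS" \
        && echo "OK: $domain cert valid for at least $MIN_DAYS days"
fi
```

Run it on the server as root against /etc/nginx/ssl/letsencrypt, or locally as `sh check_certs.sh trellis/ssl example.com "$(id -un)"` against the extracted tarball. A cert/key mismatch or a cert that is days from expiry is the kind of thing that otherwise only shows up as a failed nginx reload during the provision, which is exactly the downtime window the thread is trying to avoid.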

Sorry, here’s a fix to the incorrect password-copying command at the top:

trellis vault view production | grep "  password:" | cut -d: -f2 | xargs | pbcopy