How do I redirect a separate domain with existing https (not on Trellis) to my production site on Trellis with https (Let's Encrypt)

Hey guys! I currently have a site in production that has https through 'Let's Encrypt'. I am trying to point an old domain with its own completely separate https certificate (unknown origin) to my new site. I have never done this before and have encountered some issues.

For one thing, pointing the old domain's A record to the new server did not work, as any time you attempted to go to the old domain it would spit out an https warning/error.

I attempted to add redirects to my site_hosts, but that failed as well, even after reprovisioning the server multiple times and giving ample time for records to propagate.

More recently, with a test domain I own, I attempted to simply forward it to the new domain on Trellis, which works to a certain extent, but I'm worried this is only working well because it has no existing certificate.

If I were to do this exact same forwarding to the old domain in question, I am worried that the SSL will still spit out issues since the old domains on Google, etc. still have https attached.

Long story short, what does one do to forward an old domain with https to a new domain on Trellis with working Let's Encrypt?

Thanks in advance.

Trellis Let's Encrypt doesn't yet support changing site_hosts. We just need some brave testers for the fix in roots/trellis#630.

Here’s my suggestion:

  1. Pick a time when your sites' traffic is low, when it will hurt the least to have weird behavior, then
  2. Point the DNS A record for olddomain.com to the new Trellis IP and save/apply changes.
  3. Add olddomain.com to redirects in group_vars/production/wordpress_sites.yml
  4. Set ssl enabled: false in group_vars/production/wordpress_sites.yml
  5. Run dig olddomain.com +short every 30 sec or so till it returns the new Trellis IP, then
  6. Run ansible-playbook server.yml -e env=production --tags wordpress
  7. SSH into Trellis server and delete the CSRs in /var/lib/letsencrypt/csrs
  8. SSH into Trellis server and delete the certs in /etc/nginx/ssl/letsencrypt
  9. Set ssl enabled: true in group_vars/production/wordpress_sites.yml
  10. Run ansible-playbook server.yml -e env=production --tags letsencrypt

Now just visit the old and new domains in a new browser tab to verify that things worked.

If the pages don’t load in your browser, double-check on a different browser or machine, maybe clear browser cache for related domains, and maybe clear HSTS headers for related domains.

If you want to help test roots/trellis#630, it'd be great. Once it is merged, the process will be reduced to the bare minimum: steps 2, 3, 5, 10.


Thanks for the detailed response, going to try this now and will let you know if it works!

Worked on my staging site. Tested with a domain without https, but it worked flawlessly as opposed to before, so I have faith it'll work this time. Thanks man. I'm new to all this and not very knowledgeable about Ansible, etc. Let me know how I can contribute and I'll do my best.


Another quick update. Followed these steps exactly again for the production site I launched today and everything worked flawlessly. Thank you so much, you have no idea how much help this was.


I can confirm that @fullyint's foresight was correct. Steps 2, 3, 5, 10 work, redirecting the old https domain to the new.

One word of caution: step 5 can be misleading. I was getting the new IP address, but step 10 failed until I waited for 5 minutes or so. I guess doing the dig from the Trellis server instead of locally will do the trick.

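The "dig returns the new IP but the letsencrypt tag still fails" caveat above comes down to where the query is answered from: a single local dig only tells you what your own resolver has cached, while Let's Encrypt validates the domain from its own infrastructure. The script below is an added example for step 5 of the suggestion, not code from the thread or from Trellis; it polls several independent public resolvers and only reports success when all of them return the new server IP for the old domain. The domain olddomain.com, the IP 203.0.113.10 (a documentation range) and the resolver list are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example, not from the thread or Trellis: confirm that olddomain.com's
# A record resolves to the new Trellis IP from several independent resolvers
# before running `ansible-playbook server.yml -e env=production --tags letsencrypt`.
# All names, IPs and resolvers below are placeholders (assumptions).
set -eu

# Public resolvers used as independent vantage points (Google, Cloudflare, Quad9).
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"

# ipv4_only: keep only IPv4 lines from `dig +short` output, which lists any
# CNAME targets first and the A records last. Reads stdin, writes stdout.
ipv4_only() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true
}

# resolve_a DOMAIN RESOLVER: print the A record(s) that RESOLVER returns.
resolve_a() {
  dig +short +time=3 +tries=1 A "$1" "@$2" 2>/dev/null | ipv4_only
}

# answers_match EXPECTED ANSWERS: succeed only if there is at least one answer
# and every answer equals EXPECTED. ANSWERS is a newline-separated list; an
# empty list (no A record yet, or a resolver timeout) is a failure.
answers_match() {
  expected="$1"
  printf '%s\n' "$2" | {
    found=0
    while IFS= read -r line; do
      [ -z "$line" ] && continue
      [ "$line" = "$expected" ] || exit 1
      found=1
    done
    [ "$found" -eq 1 ]
  }
}

# all_resolvers_agree DOMAIN EXPECTED: query every resolver, report stale ones,
# and succeed only when all of them return EXPECTED.
all_resolvers_agree() {
  status=0
  for r in $RESOLVERS; do
    if answers_match "$2" "$(resolve_a "$1" "$r")"; then
      echo "  $r -> $2 (ok)"
    else
      echo "  $r -> stale or no answer"
      status=1
    fi
  done
  return "$status"
}

# wait_for_dns DOMAIN EXPECTED [MAX_SECONDS]: poll every 30 s (the interval the
# suggestion uses) until every resolver agrees; fail after MAX_SECONDS (default 30 min).
wait_for_dns() {
  deadline=$(( $(date +%s) + ${3:-1800} ))
  until all_resolvers_agree "$1" "$2"; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for $1 -> $2" >&2
      return 1
    fi
    sleep 30
  done
  echo "all resolvers return $2 for $1"
}

# Usage: sh dns_ready.sh olddomain.com 203.0.113.10 && \
#          ansible-playbook server.yml -e env=production --tags letsencrypt
if [ "$#" -ge 2 ]; then
  wait_for_dns "$1" "$2" "${3:-1800}"
fi
```

Chaining the playbook run behind the script's exit status means the letsencrypt tag only runs once the independent resolvers agree. Even then, the old record's remaining TTL still applies to any resolver that cached it before the change, so a short additional wait after the script succeeds is reasonable; the thread's report of needing about five more minutes is consistent with that.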