Roots Discourse

How to deploy new version of trellis in production

In order to get an updated version of PHP on my server I have started locally with a merge of Trellis master into a local branch and got that working. Now I want to get this into production.

I have a site with two DigitalOcean droplets, one for staging and one for production. Both are running Ubuntu 16.04.04.

I’m looking for a high-level series of steps to get this latest version of Trellis (Ubuntu 18.04 / PHP 7.3) installed on staging and then production. DevOps is not exactly my thing. Downtime is not really an issue, but obviously the less the better, and I can absolutely create a new droplet and floating IP if that makes sense. Not using that now.

This is always the easiest option if possible. Deploy new site, copy over any content like uploads, test it all works, then switch over the IP.

How do I get letsencrypt certs installed on the new site? I’ve modified the /hosts/production file to point to the new IP and ran ansible-playbook server.yml -e env=production

I get a fail on the TASK [letsencrypt : Generate the certificates]:

non-zero return code fatal: [138.197.167.219]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:01.730128", "end": "2019-11-25 21:35:37.189278", "rc": 1, "start": "2019-11-25 21:35:35.459150", "stderr": "", "stderr_lines": [], "stdout": "Generating certificate for mysite.org\nError while generating certificate for mysite.org\nTraceback (most recent call last):\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n main(sys.argv[1:])\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 143, in get_crt\n raise ValueError(\"Wrote file to {0}, but couldn't download {1}: {2}\".format(wellknown_path, wellknown_url, e))\nValueError: Wrote file to /srv/www/letsencrypt/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0, but couldn't download http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0: Error:\nUrl: http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0\nData: None\nResponse Code: 404\nResponse: <html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>", "stdout_lines": ["Generating certificate for mysite.org", "Error while generating certificate for mysite.org", "Traceback (most recent call last):", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", " main(sys.argv[1:])", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 143, in get_crt", " raise ValueError(\"Wrote file to {0}, but couldn't download {1}: {2}\".format(wellknown_path, wellknown_url, e))", "ValueError: Wrote file to /srv/www/letsencrypt/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0, but couldn't download http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0: Error:", "Url: http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0", "Data: None", "Response Code: 404", "Response: <html>", "<head><title>404 Not Found</title></head>", "<body bgcolor=\"white\">", "<center><h1>404 Not Found</h1></center>", "<hr><center>nginx</center>", "</body>", "</html>"]}

I have the floating IP set up and configured at the current production server and want to configure this server and test with an entry in my hosts file.

I couldn’t figure a way around the cert so I simply prepped the server with the db and uploads from production, pointed the floating IP at the new server, and re-provisioned. This built the certs properly. Redeployed production and voila. Some downtime though.
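The failure above is the ACME HTTP-01 challenge: Let's Encrypt fetches the token over plain HTTP from whatever host the domain currently resolves to, so while the floating IP still sits on the old droplet, the token acme-tiny wrote to /srv/www/letsencrypt on the new box is never found and the old nginx answers 404. The following diagnostic is an added example, not code from the thread or from Trellis: it parses an acme-tiny error like the one quoted and reports whether the challenge hostname resolves to the IP you put in hosts/production. SAMPLE_STDOUT is a constructed, shortened copy of the quoted output; the IPs used in the test are documentation addresses, and `resolve_a_records` does a live DNS lookup unless a resolver is injected.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the acme_tiny stdout quoted in the thread.
SAMPLE_STDOUT = (
    "Generating certificate for mysite.org\n"
    "Error while generating certificate for mysite.org\n"
    "Url: http://mysite.org/.well-known/acme-challenge/If3LCy0bh\n"
    "Data: None\n"
    "Response Code: 404\n"
)

CHALLENGE_RE = re.compile(r"^Url: (http://\S+/\.well-known/acme-challenge/\S+)$", re.M)
CODE_RE = re.compile(r"^Response Code: (\d{3})$", re.M)

def parse_acme_failure(stdout):
    """Return (challenge_url, http_status) from acme_tiny's error text, else None."""
    url, code = CHALLENGE_RE.search(stdout), CODE_RE.search(stdout)
    if not url or not code:
        return None
    return url.group(1), int(code.group(1))

def resolve_a_records(hostname):
    """IPv4 addresses the hostname resolves to right now (live DNS lookup)."""
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 80, socket.AF_INET)})

def diagnose(stdout, target_ip, resolver=resolve_a_records):
    """Explain an HTTP-01 failure given the IP from hosts/production; resolver is
    injectable so the check can be exercised without network access."""
    parsed = parse_acme_failure(stdout)
    if parsed is None:
        return "not an acme_tiny HTTP-01 failure"
    url, status = parsed
    host = urlparse(url).hostname
    addrs = resolver(host)
    if target_ip not in addrs:
        # HTTP-01 is answered by whichever host DNS points at, so the old server got it.
        return (f"{host} resolves to {', '.join(addrs) or 'nothing'}, not {target_ip}: "
                f"the challenge {url} was served by the old server (HTTP {status}); move "
                "the floating IP / DNS to the new droplet or copy the existing certs first")
    if status == 404:
        return (f"DNS is correct but {url} returned 404: check that nginx on {target_ip} "
                "serves /srv/www/letsencrypt under /.well-known/acme-challenge/")
    return f"challenge returned HTTP {status}; inspect the nginx logs on {target_ip}"
```

Run `diagnose(open("ansible-stdout.txt").read(), "<new droplet IP>")` against the stdout field of the Ansible failure before re-running server.yml.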


Glad you got it all working. You could have just copied the certs from the other server as well.

Well, I considered that as well. Will do that next time. Thanks again for the assist.

To make a nuisance of myself, what files would I need to copy over @swalkinshaw?

I see two locations on the server that have certs:

  • /var/lib/letsencrypt/csrs
  • /etc/nginx/ssl/letsencrypt

There’s also a letsencrypt directory in /srv/www/letsencrypt/ with a ping.txt file in it.

I’m redoing my staging server today to keep everything at the same versions so this will give me an opportunity to test it out.

You want the certificates in /etc/nginx/ssl/letsencrypt.
