How to deploy new version of trellis in production

chinaski · November 24, 2019, 8:26pm

In order to get an updated version of php on my server i have started locally with a merge of Trellis master into a local branch and got that working. Now i want to get this into production.

I have a site with two digital ocean droplets, one for staging and one for production. Both are running ubuntu 16.04.04.

I’m looking for a high-level series of steps to get this latest version of trellis - ubuntu 18.04 / php7.3 installed on staging and then production. Devops not exactly my thing. Downtime is not really an issue but obviously the less the better - and i can absolutely create a new droplet and floating ip if that makes sense. Not using that now.

swalkinshaw · November 24, 2019, 9:29pm

This is always the easiest option if possible. Deploy new site, copy over any content like uploads, test it all works, then switch over the IP.

chinaski · November 25, 2019, 10:04pm

How do i get letsencrypt certs installed on the new site? I’ve modified the /hosts/production file to point to the new ip and ran ansible-playbook server.yml -e env=production

I get a fail on the TASK [letsencrypt : Generate the certificates]:

non-zero return code fatal: [138.197.167.219]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:01.730128", "end": "2019-11-25 21:35:37.189278", "rc": 1, "start": "2019-11-25 21:35:35.459150", "stderr": "", "stderr_lines": [], "stdout": "Generating certificate for mysite.org\nError while generating certificate for mysite.org\nTraceback (most recent call last):\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n main(sys.argv[1:])\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 143, in get_crt\n raise ValueError(\"Wrote file to {0}, but couldn't download {1}: {2}\".format(wellknown_path, wellknown_url, e))\nValueError: Wrote file to /srv/www/letsencrypt/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0, but couldn't download http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0: Error:\nUrl: http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0\nData: None\nResponse Code: 404\nResponse: <html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>", "stdout_lines": ["Generating certificate for mysite.org", "Error while generating certificate for mysite.org", "Traceback (most recent call last):", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", " main(sys.argv[1:])", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 143, in get_crt", " raise ValueError(\"Wrote file to {0}, but couldn't download {1}: {2}\".format(wellknown_path, wellknown_url, e))", "ValueError: Wrote file to /srv/www/letsencrypt/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0, but couldn't download http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0: Error:", "Url: http://mysite.org/.well-known/acme-challenge/If3LCy0bhWCMoMbfwDsBN72LTVE8j31TuKMS2mlFly0", "Data: None", "Response Code: 404", "Response: <html>", "<head><title>404 Not Found</title></head>", "<body bgcolor=\"white\">", "<center><h1>404 Not Found</h1></center>", "<hr><center>nginx</center>", "</body>", "</html>"]}

I have the floating ip set up and configured at the current production server and want to configure this server and test with an entry in my hosts file.

chinaski · November 25, 2019, 11:56pm

I couldn’t figure a way around the cert so i simply prepped the server with the db and uploads from production, pointed the floating ip at the new server, and re-provisioned. This built the certs properly. Redeployed production and voila. Some downtime though.

swalkinshaw · November 26, 2019, 2:55pm

Glad you got it all working. You could have just copied the certs from the other server other as well.

chinaski · November 26, 2019, 3:52pm

Well i considered that as well. Will do that next time. Thanks again for the assist.

chinaski · November 26, 2019, 5:46pm

To make a nuisance of myself, what files would i need to copy over @swalkinshaw?

I see two locations on the server that have certs:

/var/lib/letsencrypt/csrs
/etc/nginx/ssl/letsencrypt

There’s also a letsencrypt directory in /srv/www/letsencrypt/ with a ping.txt file in it.

I’m redoing my staging server today to keep everything at the same versions so this will give me an opportunity to test it out.

swalkinshaw · December 3, 2019, 3:17am

You want the certificates in /etc/nginx/ssl/letsencrypt

system · January 5, 2020, 8:26pm

This topic was automatically closed after 42 days. New replies are no longer allowed.