# Https site cannot add www redirect after provisioning the first time

**URL:** https://discourse.roots.io/t/https-site-cannot-add-www-redirect-after-provisioning-the-first-time/7511
**Category:** trellis
**Created:** 2016-08-30T14:47:41Z
**Posts:** 16

## Post 1 by @MWDelaney — 2016-08-30T14:47:41Z

Hi,  
Trellis doesn’t seem to be requesting/creating/installing (?) a Let’s Encrypt certificate for the www record for my site upon provisioning.

According to Firefox, which is the most verbose about the problem, the certificate installed is only valid for [domain.com](http://domain.com), and not for [www.domain.com](http://www.domain.com).

There is a valid A record for www, pointed to the site’s IP.

What can I look at to troubleshoot this issue, or to force Trellis to generate a certificate that includes www?

Thanks!

---

## Post 2 by @ben — 2016-08-30T14:50:11Z

Paste the contents of your `wordpress_sites.yml`.

[https://roots-example-project.com](https://roots-example-project.com) was re-provisioned on a new droplet last night with the latest Trellis and is functioning as expected.

---

## Post 3 by @MWDelaney — 2016-08-30T14:52:10Z

Ben,  
I’ve replaced the actual URL with “[domain.com](http://domain.com)” in the following. If it’s absolutely necessary to share the URL let me know. Thanks for your quick reply.

The commented out redirects were an attempt to force the matter with Let’s Encrypt and did not work.

```
# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/staging/vault.yml

wordpress_sites:
  domain.com:
    site_hosts:
      - canonical: domain.com
        # redirects:
        # - www.domain.com
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@github.com:myorg/domain.com.git # replace with your Git repo URL
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false

```

---

## Post 4 by @ben — 2016-08-30T14:58:16Z

You commented out this line for the redirects:

```
# - www.domain.com
```

Since that’s missing, LE is not going to handle `www`.

---

## Post 5 by @MWDelaney — 2016-08-30T15:01:25Z

Ben,  
With that redirect uncommented I get the following error upon provisioning:

```
Could not access the challenge file for the hosts/domains: www.domain.com.
Let's Encrypt requires every domain/host be publicly accessible. Make sure
that a valid DNS record exists for www.domain.com and that they point to this
server's IP. If you don't want these domains in your SSL certificate, then
remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more
details.
```

There is a valid A record for the www record, pointing to the site’s IP (the same IP that the catchall record points to, which works).

Is there another location in Trellis config that I need to enter the “www” version of the URL?

---

## Post 6 by @ben — 2016-08-30T15:02:29Z

Without you providing us with the actual domain it’s hard to give you more specifics.

If LE is saying the DNS isn’t accessible I wouldn’t think that they’re lying. Either check your records or wait?

---

## Post 7 by @MWDelaney — 2016-08-30T15:03:43Z

Ben,  
Thanks again for your quick replies. Reading [https://roots.io/trellis/docs/ssl](https://roots.io/trellis/docs/ssl) it also seems like Trellis should be requesting certs for the www and non-www versions of each domain. Is that not accurate?

---

## Post 8 by @ben — 2016-08-30T15:05:55Z

Looks like those docs are outdated after [https://github.com/roots/trellis/pull/622](https://github.com/roots/trellis/pull/622)

Is your Trellis installation up to date with 0.9.8?

---

## Post 9 by @MWDelaney — 2016-08-30T15:09:35Z

Yes Trellis is up to date with 0.9.8. That definitely helps clarify things.

Is there somewhere else in Trellis config that I need to specify the www URL so that the server “listens” on that URL? The www record is correct at Network Solutions, but LE fails with the above message.

---

## Post 10 by @ben — 2016-08-30T15:14:16Z

No. You can compare with the [roots-example-project.com](http://roots-example-project.com) repository at [https://github.com/roots/roots-example-project.com](https://github.com/roots/roots-example-project.com) which is functioning as you are wanting your site to.

Trellis uses the values under `canonical` [https://github.com/roots/trellis/blob/6ff4142c3d30c047faeb692ce4f504ea6c6bb90f/roles/wordpress-setup/templates/wordpress-site.conf.j2#L10](https://github.com/roots/trellis/blob/6ff4142c3d30c047faeb692ce4f504ea6c6bb90f/roles/wordpress-setup/templates/wordpress-site.conf.j2#L10)

If your server isn’t provisioning correctly then try re-provisioning it (or destroying it).

---

## Post 12 by @MWDelaney — 2016-08-30T15:37:05Z

Okay. Figured it out.

I rebuilt my droplet and reprovisioned from scratch with the redirect entered correctly in `wordpress_sites.yml`, now that I understand this is necessary… and it worked. The cert was generated properly with both the www and non-www addresses.

So apparently you can’t add a www redirect AFTER provisioning the server.

Could this have to do with HSTS preventing non-encrypted traffic?

Either way, I now understand how to set up my `wordpress_sites.yml` files going forward. I appreciate all your attention on this topic; you definitely helped me understand what was going on so that I could find the solution.

Have a great day!

---

## Post 13 by @cfx — 2016-08-30T15:46:24Z

You should be able to add a www redirect URL but you most likely need to re-run provision tag `wordpress-setup` (and `letsencrypt`).

---

## Post 14 by @MWDelaney — 2016-08-30T15:49:22Z

I tried this a few times and was unable. Perhaps I was doing something wrong, though.

---

## Post 15 by @fullyint — 2016-08-30T16:57:30Z

@MWDelaney Indeed, Trellis Let’s Encrypt does not yet handle changes to `site_hosts`. This will be addressed in [roots/trellis#630](https://github.com/roots/trellis/pull/630) or some variant. In the meantime, you can reprovision from scratch, as you did, or similar to what @cfx described, follow steps [here](https://discourse.roots.io/t/https-www-unsecure-and-not-redirecting/7071/31).

---
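
The mismatch this thread turns on (a redirect host present in `site_hosts` but absent from the issued certificate) can be detected by comparing the configured hosts with the certificate's SAN list. The following is an added example, not part of any post and not Trellis code; the function names and sample data are constructed, and the certificate dict is assumed to have the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def expected_hosts(site_hosts):
    """Flatten Trellis-style site_hosts into every name the cert must cover."""
    names = []
    for entry in site_hosts:
        names.append(entry["canonical"])
        names.extend(entry.get("redirects") or [])  # key may be absent or empty
    return [n.lower().rstrip(".") for n in names]

def san_dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def covers(pattern, host):
    """Exact match, or a wildcard that stands in for the leftmost label only."""
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def uncovered_hosts(site_hosts, cert):
    """Names in site_hosts that the certificate's SAN list does not cover."""
    sans = san_dns_names(cert)
    return [h for h in expected_hosts(site_hosts)
            if not any(covers(p, h) for p in sans)]

def fetch_cert(canonical, port=443, timeout=5):
    """Fetch the live cert, validated against the canonical name (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((canonical, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=canonical) as tls:
            return tls.getpeercert()

# Constructed sample data: site_hosts with the redirect enabled, a certificate
# issued before that change, and one issued after a clean re-provision.
SITE_HOSTS = [{"canonical": "domain.com", "redirects": ["www.domain.com"]}]
STALE_CERT = {"subjectAltName": (("DNS", "domain.com"),)}
REISSUED_CERT = {"subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com"))}

if __name__ == "__main__":
    print("stale cert misses:", uncovered_hosts(SITE_HOSTS, STALE_CERT))
    print("reissued cert misses:", uncovered_hosts(SITE_HOSTS, REISSUED_CERT))
```

Against a live server, pass `fetch_cert("domain.com")` as the certificate; connecting under the canonical name lets validation succeed so the SAN list can be read even when the `www` name is the one missing.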

## Post 16 by @cfx — 2016-08-30T20:18:13Z

I tried this once and it worked. I ran the provision tag `wordpress` then [removed my certificates](https://discourse.roots.io/t/lets-encrypt-issue-when-adding-new-domain-to-multisite/7021/9) and ran the provision tag `letsencrypt`. “Was unable” won’t get you much help :wink:
