Ben,
I’ve replaced the actual URL with “domain.com” in the following. If it’s absolutely necessary to share the URL let me know. Thanks for your quick reply.
The commented out redirects were an attempt to force the matter with Let’s Encrypt and did not work.
```yaml
# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/staging/vault.yml
wordpress_sites:
  domain.com:
    site_hosts:
      - canonical: domain.com
        # redirects:
        #   - www.domain.com
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@github.com:myorg/domain.com.git # replace with your Git repo URL
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false
```
Ben,
With that redirect uncommented I get the following error upon provisioning:
```
Could not access the challenge file for the hosts/domains: www.domain.com.
Let's Encrypt requires every domain/host be publicly accessible. Make sure
that a valid DNS record exists for www.domain.com and that they point to this
server's IP. If you don't want these domains in your SSL certificate, then
remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more
details.
```
There is a valid A record for the www record, pointing to the site’s IP (the same IP that the catchall record points to, which works).
Is there another location in Trellis config that I need to enter the “www” version of the URL?
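A pre-flight check for the DNS half of the error above, added here as an example and not code from Trellis or from anyone in this thread: it gathers every host Trellis would put on the certificate (each canonical host plus its redirects, for sites with Let's Encrypt enabled) and reports any whose A records do not include the server's IP. The config dict stands in for what `yaml.safe_load` returns for `wordpress_sites.yml`; the hostnames and IP are constructed placeholders, and the resolver can be swapped for an offline one.

```python
import socket
from typing import Callable, List, Tuple

# Constructed stand-in for the parsed wordpress_sites.yml; placeholder
# hostnames, not real infrastructure.
WORDPRESS_SITES = {
    "domain.com": {
        "site_hosts": [
            {"canonical": "domain.com", "redirects": ["www.domain.com"]},
        ],
        "ssl": {"enabled": True, "provider": "letsencrypt"},
    }
}


def collect_cert_hosts(wordpress_sites: dict) -> List[str]:
    """Every hostname that will be requested on the Let's Encrypt cert:
    each canonical host plus all of its redirects, for SSL-enabled sites."""
    hosts: List[str] = []
    for site in wordpress_sites.values():
        ssl = site.get("ssl", {})
        if not (ssl.get("enabled") and ssl.get("provider") == "letsencrypt"):
            continue
        for entry in site.get("site_hosts", []):
            hosts.append(entry["canonical"])
            hosts.extend(entry.get("redirects", []))
    return hosts


def resolve_all(host: str) -> List[str]:
    """Default resolver: all A records for host (empty list on NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def find_unreachable_hosts(wordpress_sites: dict, server_ip: str,
                           resolver: Callable[[str], List[str]] = resolve_all
                           ) -> List[Tuple[str, List[str]]]:
    """Hosts whose A records do not include server_ip; the HTTP-01 challenge
    for these would fail with the 'Could not access the challenge file' error."""
    bad: List[Tuple[str, List[str]]] = []
    for host in collect_cert_hosts(wordpress_sites):
        addrs = resolver(host)
        if server_ip not in addrs:
            bad.append((host, addrs))
    return bad


if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range placeholder for the droplet's IP.
    for host, addrs in find_unreachable_hosts(WORDPRESS_SITES, "203.0.113.10"):
        print(f"{host}: resolves to {addrs or 'nothing'}, not to the server")
```

Run it from the Trellis directory before `ansible-playbook server.yml`; an empty result means every host on the cert already points at the server, so a remaining failure is not a DNS problem.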
Ben,
Thanks again for your quick replies. Reading https://roots.io/trellis/docs/ssl it also seems like Trellis should be requesting certs for the www and non-www versions of each domain. Is that not accurate?
Yes, Trellis is up to date with 0.9.8. That definitely helps clarify things.
Is there somewhere else in Trellis config that I need to specify the www URL so that the server “listens” on that URL? The www record is correct at Network Solutions, but LE fails with the above message.
I rebuilt my droplet and reprovisioned from scratch with the redirect entered correctly in wordpress_sites.yml, now that I understand this is necessary… and it worked. The cert was generated properly with both the www and non-www addresses.
So apparently you can’t add a www redirect AFTER provisioning the server.
Could this have to do with HSTS preventing non-encrypted traffic?
Either way, I now understand how to set up my wordpress_sites.yml files going forward. I appreciate all your attention on this topic; you definitely helped me understand what was going on so that I could find the solution.
@MWDelaney Indeed, Trellis Let’s Encrypt does not yet handle changes to site_hosts. This will be addressed in roots/trellis#630 or some variant. In the meantime, you can reprovision from scratch, as you did, or similar to what @cfx described, follow steps here.
I tried this once and it worked. I ran the provision tag wordpress then removed my certificates and ran the provision tag letsencrypt. “Was unable” won’t get you much help