Roots Discourse

Https site cannot add www redirect after provisioning the first time

Hi,
Trellis doesn’t seem to be requesting/creating/installing (?) a Let’s Encrypt certificate for the www record for my site upon provisioning.

According to Firefox, which is the most verbose about the problem, the certificate installed is only valid for domain.com, and not for www.domain.com

There is a valid A record for www, pointed to the site’s IP.

What can I look at to troubleshoot this issue, or to force Trellis to generate a certificate that includes www?

Thanks!

Paste the contents of your wordpress_sites.yml.

https://roots-example-project.com was re-provisioned on a new droplet last night with the latest Trellis and is functioning as expected

Ben,
I’ve replaced the actual URL with “domain.com” in the following. If it’s absolutely necessary to share the URL let me know. Thanks for your quick reply.

The commented out redirects were an attempt to force the matter with Let’s Encrypt and did not work.

# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/staging/vault.yml

wordpress_sites:
  domain.com:
    site_hosts:
      - canonical: domain.com
        # redirects:
        # - www.domain.com
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@github.com:myorg/domain.com.git # replace with your Git repo URL
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false

```

You commented out this line for the redirects:

# - www.domain.com

Since that’s missing, LE is not going to handle www.

Ben,
With that redirect uncommented I get the following error upon provisioning:

Could not access the challenge file for the hosts/domains: www.domain.com.
Let's Encrypt requires every domain/host be publicly accessible. Make sure
that a valid DNS record exists for www.domain.com and that they point to this
server's IP. If you don't want these domains in your SSL certificate, then
remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more
details.

There is a valid A record for the www record, pointing to the site’s IP (the same IP that the catchall record points to, which works).

Is there another location in Trellis config that I need to enter the “www” version of the URL?

Without you providing us with the actual domain it’s hard to give you more specifics.

If LE is saying the DNS isn’t accessible I wouldn’t think that they’re lying. Either check your records or wait?

Ben,
Thanks again for your quick replies. Reading https://roots.io/trellis/docs/ssl it also seems like Trellis should be requesting certs for the www and non-www versions of each domain. Is that not accurate?

Looks like those docs are outdated after https://github.com/roots/trellis/pull/622

Is your Trellis installation up to date with 0.9.8?

Yes Trellis is up to date with 0.9.8. That definitely helps clarify things.

Is there somewhere else in Trellis config that I need to specify the www URL so that the server “listens” on that URL? The www record is correct at Network Solutions, but LE fails with the above message.

No. You can compare with the roots-example-project.com repository at https://github.com/roots/roots-example-project.com which is functioning as you are wanting your site to.

Trellis uses the values under canonical https://github.com/roots/trellis/blob/6ff4142c3d30c047faeb692ce4f504ea6c6bb90f/roles/wordpress-setup/templates/wordpress-site.conf.j2#L10

If your server isn’t provisioning correctly then try re-provisioning it (or destroying it).

Okay. Figured it out.

I rebuilt my droplet and reprovisioned from scratch with the redirect entered correctly in wordpress_sites.yml, now that I understand this is necessary… and it worked. The cert was generated properly with both the www and non-www addresses.

So apparently you can’t add a www redirect AFTER provisioning the server.

Could this have to do with HSTS preventing non-encrypted traffic?

Either way, I now understand how to set up my wordpress_sites.yml files going forward. I appreciate all your attention on this topic; you definitely helped me understand what was going on so that I could find the solution.

Have a great day!

1 Like

You should be able to add a www redirect URL but you most likely need to re-run provision tag wordpress-setup (and letsencrypt).

I tried this a few times and was unable. Perhaps I was doing something wrong, though.

@MWDelaney Indeed, Trellis Let’s Encrypt does not yet handle changes to site_hosts. This will be addressed in roots/trellis#630 or some variant. In the meantime, you can reprovision from scratch, as you did, or similar to what @cfx described, follow steps here.

2 Likes

I tried this once and it worked. I ran the provision tag wordpress then removed my certificates and ran the provision tag letsencrypt. “Was unable” won’t get you much help :wink: