# Https://www Unsecure and Not Redirecting

**URL:** https://discourse.roots.io/t/https-www-unsecure-and-not-redirecting/7071
**Category:** trellis
**Created:** 2016-06-27T00:19:48Z
**Posts:** 35

## Post 1 by @Simeon — 2016-06-27T00:19:48Z

Hey guys,

I’ve got a successfully deployed site that works at the [https://root](https://root) domain using Let’s Encrypt, but if I type in [https://www.root](https://www.root) it gives a “Connection is not private” warning and does not redirect.

I’ve tried setting `www_redirect` in the wordpress\_sites file but can’t load the site with it set to true or false.

Any ideas?

---

## Post 2 by @cfx — 2016-06-27T01:47:11Z

Did you go back through [the Trellis SSL docs](https://roots.io/trellis/docs/ssl/)? Please paste your config file and Ansible version here.

---

## Post 3 by @Simeon — 2016-06-27T04:58:29Z

I just tried adding the `wp_home` and `wp_siteurl` fields as that page recommends, but it made no difference after another provision and deploy. Config below for production, using Ansible 2.0.2.0.

```
wordpress_sites:
  pipercollective.com.au:
    site_hosts:
      - pipercollective.com.au
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@github.com:SimeonGriggs/pipercollective.com.au.git # replace with your Git repo URL
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    www_redirect: true
    env:
      wp_home: https://pipercollective.com.au
      wp_siteurl: https://pipercollective.com.au/wp
    cache:
      enabled: false
```

---

## Post 4 by @fullyint — 2016-06-27T06:56:36Z

This is very likely an instance of the as-yet-unresolved issue of international domains not redirecting, as reported in response to [roots/trellis#570](https://github.com/roots/trellis/pull/570#commitcomment-17137346).

---

## Post 5 by @Simeon — 2016-06-27T07:11:21Z

Bah. I hope not. It’s already a bit of a pain to have to edit config files just to get the .com.au to work. The site is straight-up broken if the www loads with security errors and won’t redirect :confused:

---

## Post 6 by @fullyint — 2016-06-27T07:33:54Z

I searched again and found the discourse [thread](https://discourse.roots.io/t/problems-with-com-au-domains/6680) I vaguely remembered addressing the issue. Turns out you were on that thread, so you’ve already implemented a [temporary solution](https://discourse.roots.io/t/problems-with-com-au-domains/6680/9) before. An alternative temporary solution might be to set up a specific redirect using an [nginx include](https://roots.io/trellis/docs/nginx-includes/).

---

## Post 7 by @Simeon — 2016-06-27T08:17:32Z

Yeah your workaround in that thread got the site actually launching, but there remains this issue with www subdomain.

---

## Post 8 by @Simeon — 2016-06-27T08:25:35Z

As for the nginx include, I’m not really following that documentation. And the www redirect works on my development server (though it’s non-https). It just won’t redirect the [https://www](https://www) in production.

---

## Post 9 by @fullyint — 2016-06-27T19:44:54Z

I’m not certain this will work, but you could try the [temporary solution](https://discourse.roots.io/t/problems-with-com-au-domains/6680/9) (I think you’ve applied that already) then run [these steps](https://discourse.roots.io/t/letsencrypt-acme-challenge-error/6295/7) to hopefully iron out potential problems in your nginx conf.

If that doesn’t resolve the issue, could you update us on what the latest errors are exactly?

I apologize for mentioning the nginx includes option because looking at it a little more, I see that it will not currently accommodate your redirect on the domain level. The problem is that the [includes](https://github.com/roots/trellis/blob/263d05561f1aa0b61ba5162cb71d752cdba54fb3/roles/wordpress-setup/templates/wordpress-site.conf.j2#L43) happen within the `server` block but in your case would need to create a separate server block. If you’re curious, however, here is an [example](https://discourse.roots.io/t/diving-into-trellis-running-a-fresh-unchanged-config/5935/7) of using nginx includes.

---

## Post 10 by @swaincreates — 2016-06-28T16:17:44Z

Not sure if this is problem, but reminds me of an issue I had with SSL redirects because the certs and ssl config file were not put in the redirect block in the conf file. This PR fixed it [https://github.com/roots/trellis/pull/537](https://github.com/roots/trellis/pull/537). But check your conf file and make sure the redirect block has the needed ssl certs.

---

## Post 11 by @Simeon — 2016-06-29T03:49:15Z

I’m not really following everything that’s being said in that PR, but my site has the corrected versions of those conf files in my version of Trellis.

Also I tried setting ssl enabled :false, deploying, then changing and deploying again. No fix.

---

## Post 12 by @swaincreates — 2016-06-29T14:31:21Z

Sorry, yeah, not super clear in the PR. My point was making sure that in your sites-enabled/website.org file, the block that redirects SSL www to non-www has SSL info in it, like so:

```
server {
  listen 443 ssl spdy;

  server_name www.example.org;
  return 301 $scheme://example.org$request_uri;

  include ssl.conf;
  include ssl-stapling.conf;

  ssl_certificate /etc/nginx/ssl/example.pem;
  ssl_trusted_certificate /etc/nginx/ssl/example.pem;
  ssl_certificate_key /etc/nginx/ssl/example.key;
}
```

This is an older version of Trellis so yours might look different but it needs to have those certificates or else it will give the Connection is not private warning and not redirect.

I’ve never used letsencrypt, but I guess it’d have to be wildcard for it to redirect from that www? IDK

---

## Post 13 by @Simeon — 2016-06-30T01:52:20Z

Hmm, I’ve taken a look and my file doesn’t have anything like your…

```
server_name www.example.org;
    return 301 $scheme://example.org$request_uri;
```

I added it into wordpress-site.conf.js, deployed, and got a ‘too many redirects’ error.

My development version doesn’t have https enabled and it redirects www to root fine. But the production server just won’t do it. Will keep experimenting with this conf file I guess.

---

## Post 14 by @treb0r — 2016-07-15T13:26:50Z

I just ran into this issue myself.

The www subdomain is not secured and is not redirecting to root.

Anyone managed to get it working?

---

## Post 16 by @treb0r — 2016-07-15T16:11:32Z

…and for the record, it’s an international domain so likely that the issue reported in response to [roots/trellis#570](https://github.com/roots/trellis/pull/570#commitcomment-17137346) is indeed the culprit as pointed out by @fullyint.

---

## Post 18 by @Simeon — 2016-07-18T01:12:07Z

Update:

I’m still having this issue. I was hoping removing all Let’s Encrypt data [like in this thread](https://discourse.roots.io/t/lets-encrypt-issue-when-adding-new-domain-to-multisite/7021/9?u=simeon) and re-provisioning would fix it, but it didn’t.

I created a new instance of the Staging server, provisioned, deployed and even migrated the DB from Production to Staging, and it does not have the same problem. Though, the Staging server has a .xyz domain, and the Production has .com.au – so it could still be related to international domains.

(But then that said, I’ve deployed another .com.au website using Trellis/Let’s Encrypt and it does not have this issue … confusing!)

---

## Post 19 by @treb0r — 2016-07-18T14:04:57Z

Thanks for the reply.

I’m going to try with a fresh droplet.

One thing I’m not sure about: if I snapshot the existing droplet and then refresh it back to a clean install of Ubuntu 12.04 and then re-provision with a fresh Let’s Encrypt certificate, could I go back and use the old snapshot and the old certificate again if necessary?

Just wondering…

---

## Post 21 by @treb0r — 2016-07-19T20:34:49Z

Okay, I’ve tried the following:

1. Fresh droplet

2. Modified line 32 of `lib/trellis/plugins/filter/filters.py` as described [here](https://discourse.roots.io/t/problems-with-com-au-domains/6680/9).

3. Run the steps as described by @fullyint [here](https://discourse.roots.io/t/letsencrypt-acme-challenge-error/6295/7).

This time Ansible completed without an error, but the www subdomain is still insecure and not redirecting.

Looking at the nginx config in sites-available, I can see the following server block:

```
server {
  listen 443 ssl http2;

  include h5bp/directive-only/ssl.conf;
  include h5bp/directive-only/ssl-stapling.conf;

  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  ssl_certificate /etc/nginx/ssl/letsencrypt/volunteeringmatters.org.uk-bundled.cert;
  ssl_certificate_key /etc/nginx/ssl/letsencrypt/volunteeringmatters.org.uk.key;
  server_name www.volunteeringmatters.org.uk;

  return 301 $scheme://volunteeringmatters.org.uk$request_uri;
}
```

Any help gratefully received.

---

## Post 22 by @treb0r — 2016-07-20T06:37:37Z

Looking at it with fresh eyes this morning, I’ve noticed that Firefox gives this error:

`SSL_ERROR_BAD_CERT_DOMAIN`

So it seems that the problem is that the Let’s Encrypt certificate does not include the www subdomain.

I think I’ll bite the bullet and try installing a different certificate manually.

---

## Post 23 by @fullyint — 2016-07-20T06:55:50Z

> [@treb0r](#):
>
> 1. Modified line 32 of lib/trellis/plugins/filter/filters.py

@treb0r Could you share your mod here, for review?

I think you’ll have success after making that mod, and _then_ doing the following.

1. a fresh droplet (so there’s no LE stuff on it)  
OR
2. SSH in to the remote and

- delete the CSRs in `/var/lib/letsencrypt/csrs` and
- delete the certs in `/etc/nginx/ssl/letsencrypt`

Then run `server.yml` again.  
Maybe you already tried these steps _after_ making the mod.

* * *

> [@treb0r](#):
>
> So it seems that the problem is that the Let’s Encrypt certificate does not include the www subdomain

That was my estimation of your cert (no `www`):

```
$ openssl s_client -connect www.volunteeringmatters.org.uk:443 -servername www.volunteeringmatters.org.uk | openssl x509 -noout -text

    X509v3 Subject Alternative Name:
        DNS:volunteeringmatters.org.uk
```

I’m working on a PR to recreate the CSRs and certs if `site_hosts` or `www_redirect` are modified. I’ll hopefully at least post it for review in the next day or two.

As for the steps to make the `www_redirect` work for international domains, it will require some extensive careful work, which accounts for the delay.
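The `openssl s_client` check above is the decisive test in this thread: the redirect server block for `www.` answers with a certificate whose SAN list does not name `www.`, so browsers report `SSL_ERROR_BAD_CERT_DOMAIN` before any redirect can happen. The following added example (not Trellis code, not from any poster) automates that check: it takes a `site_hosts` list in the canonical/redirects shape Trellis adopted for this fix, a list of DNS SAN entries, and reports every hostname nginx will serve that the certificate does not cover. `fetch_san_names` is an assumed helper for pulling the SAN list from a live server; the sample config and SAN list under `__main__` are constructed to reproduce the thread's situation.

```python
"""Report hostnames a site serves that its TLS certificate's SAN list does not cover.

Added example, not Trellis code. It reproduces the failure in this thread: the
certificate was issued for the bare domain only, so the redirect server block
for www.<domain> presented a certificate lacking www.<domain>.
"""
import socket
import ssl


def hostnames_for_site(site_hosts):
    """Return every hostname nginx will serve for a site.

    `site_hosts` uses the shape Trellis adopted for this fix: a list of
    {"canonical": ..., "redirects": [...]} entries.
    """
    needed = set()
    for entry in site_hosts:
        needed.add(entry["canonical"].lower())
        for redirect in entry.get("redirects", []):
            needed.add(redirect.lower())
    return needed


def san_matches(san_name, hostname):
    """RFC 6125-style match of one DNS SAN entry against a hostname.

    A wildcard is honoured only as the whole left-most label and matches
    exactly one label: '*.example.com' covers 'www.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    san_name = san_name.lower()
    hostname = hostname.lower()
    if not san_name.startswith("*."):
        return san_name == hostname
    san_labels = san_name.split(".")[1:]
    host_labels = hostname.split(".")
    return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels


def missing_from_cert(site_hosts, san_names):
    """Hostnames nginx will serve that no SAN entry covers, sorted."""
    return sorted(
        host
        for host in hostnames_for_site(site_hosts)
        if not any(san_matches(san, host) for san in san_names)
    )


def fetch_san_names(hostname, port=443, timeout=5.0):
    """Assumed helper: fetch the DNS SAN entries a live server presents for `hostname`.

    Hostname checking is disabled on purpose, because a mismatched certificate is
    exactly what we want to inspect rather than reject. The chain is still
    verified against the system trust store (verify_mode stays CERT_REQUIRED),
    so getpeercert() returns the parsed certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed config and SAN list reproducing the thread's situation:
    # the certificate names only the bare domain, not the www redirect host.
    site_hosts = [{"canonical": "example.com.au", "redirects": ["www.example.com.au"]}]
    san_from_old_cert = ["example.com.au"]
    print(missing_from_cert(site_hosts, san_from_old_cert))  # ['www.example.com.au']
```

To run it against a real deployment, replace the constructed SAN list with `fetch_san_names("www.example.com.au")` (using the canonical domain); a non-empty result means the certificate must be reissued with the redirect host included before the `return 301` block can ever be reached.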

---

## Post 24 by @treb0r — 2016-07-20T07:31:21Z

Thanks for the reply.

> [@fullyint](#):
>
> Could you share your mod here, for review?

`if len(host.split('.')) > 2 and ( ('.').join(host.split('.')[-2:]) != 'org.uk' ):`

> [@fullyint](#):
>
> I think you’ll have success after making that mod, and then doing the following.

Okay, I’ll give it a go. I think I’ve got two more attempts before I run into the rate limit for the domain. I must have run the first provision before I modified that file before.

> [@fullyint](#):
>
> I’m working on a PR to recreate the CSRs and certs if site\_hosts or www\_redirect are modified. I’ll hopefully at least post it for review in the next day or two.
> 
> As for the steps to make the www\_redirect work for international domains, it will require some extensive careful work, which accounts for the delay.

Sorry if I sound impatient, you know how it is when a client site is broken.

I’m eternally grateful for the fantastic work that you guys do with roots and I understand that these kind of issues are par for the course when it comes to iterative software development.
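The one-line mod quoted above patches a label-count test: a host with more than two labels is treated as a subdomain, which is wrong for `example.com.au` or `example.org.uk`, so no www partner is generated for them, and the special case for `org.uk` only moves the problem to the next multi-label suffix. The following added example (not Trellis code, not the poster's patch) shows the suffix-aware version of that decision: whether a host is a registrable domain, and which www/non-www partner it should pair with for a redirect. `MULTI_LABEL_SUFFIXES` is a constructed excerpt; a real deployment would load the public suffix list instead.

```python
"""Decide which hosts get a www <-> non-www redirect partner.

Added example, not Trellis code. Replaces the 'more than two labels means
subdomain' heuristic with a lookup against a small, constructed table of
multi-label public suffixes.
"""

# Constructed excerpt; the real list (publicsuffix.org) is far larger.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk", "co.nz"}


def public_suffix(host):
    """Return the public suffix of `host`: 'com.au' for 'www.example.com.au'."""
    labels = host.lower().split(".")
    two = ".".join(labels[-2:])
    if len(labels) >= 2 and two in MULTI_LABEL_SUFFIXES:
        return two
    return labels[-1]


def is_registrable_domain(host):
    """True when `host` is exactly one label above its public suffix."""
    labels = host.lower().split(".")
    suffix_len = len(public_suffix(host).split("."))
    return len(labels) == suffix_len + 1


def naive_is_subdomain(host):
    """The label-count heuristic the thread worked around (misfires on com.au)."""
    return len(host.split(".")) > 2


def www_redirect_partner(host):
    """Return the host that pairs with `host` for www handling.

    'example.com.au'     -> 'www.example.com.au'  (redirect www to canonical)
    'www.example.com.au' -> 'example.com.au'
    'blog.example.com'   -> None                  (genuine subdomain, no www pair)
    """
    host = host.lower()
    if host.startswith("www.") and is_registrable_domain(host[4:]):
        return host[4:]
    if is_registrable_domain(host):
        return "www." + host
    return None


if __name__ == "__main__":
    for h in ("example.com.au", "www.example.org.uk", "blog.example.com", "example.com"):
        print(h, "naive_subdomain=", naive_is_subdomain(h), "partner=", www_redirect_partner(h))
```

The contrast worth noting is `example.com.au`: the naive test calls it a subdomain and therefore skips the www redirect, while the suffix-aware test correctly pairs it with `www.example.com.au`, which is also the hostname the certificate must then include.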

---

## Post 25 by @treb0r — 2016-07-20T19:51:49Z

@fullyint It worked! :grinning:

I would like to buy you guys beer.

@Simeon Give it another go dude…

---

## Post 26 by @Simeon — 2016-07-20T22:53:17Z

That’s cool there’s a fix for this now … but it only appears to work on a fresh droplet. I tried removing the Certs as described above – but my site is already live – and that wasn’t enough to fix this issue.

Guess I’ll need to pull a local copy of the site and start it over to fix it.

Good to know for next time though!

---

## Post 27 by @treb0r — 2016-07-21T07:28:40Z

> [@Simeon](#):
>
> Guess I’ll need to pull a local copy of the site and start it over to fix it.

Are you using DO?

You may know this already but in case you don’t, they have a handy rebuild feature that allows you to blank the droplet and start with a fresh copy of the OS while keeping the same ip (I always take a snapshot first).

One thing to watch however is that they don’t insert the SSH key(s) from your DO account so you will need to make sure you can access the email address associated with the account to get the root password of the rebuilt droplet.

I used WP migrate DB pro to pull the DB and then rebuilt the droplet and was up and running again in ten minutes.

---

## Post 28 by @Simeon — 2016-07-21T11:02:31Z

I’m using Vultr ([https://www.vultr.com](https://www.vultr.com)), who seem like a DO clone except, unlike DO, they actually have a server based in Australia.

They’ve got a similar feature which I was hesitant to use but didn’t consider taking a full snapshot first. I’m already using WP Migrate DB Pro to sync development / staging / production but there’s a fair few ‘moving parts’ on this particular project – like WooCommerce – so I really want to make sure if I’m doing the nuclear option that I can get it back up successfully.

Thanks for the tip and following this through though.

---

## Post 29 by @swalkinshaw — 2016-07-27T03:11:52Z

This has been officially solved and merged into Trellis: [https://github.com/roots/trellis/pull/622](https://github.com/roots/trellis/pull/622)

Big thanks to @fullyint for spearheading this work :clap:

---

## Post 30 by @Simeon — 2016-08-01T05:51:09Z

After updating Trellis and updating my wordpress\_sites files, I’m getting this error when trying to provision new certificates:

```
TASK [letsencrypt : Generate CSRs]
'site_hosts' is undefined
fatal: [EXAMPLE IP]: FAILED! => {"failed": true}
```

My site hosts are set up like so:

```
site_hosts:
  - canonical: example.com.au
    redirects:
      - www.example.com.au
```

I also now have the following in my error log…

```
2016/08/01 04:30:01 [warn] 763#763: conflicting server name "example.com.au" on 0.0.0.0:443, ignored
2016/08/01 04:34:56 [warn] 30624#30624: conflicting server name "example.com.au" on 0.0.0.0:443, ignored
2016/08/01 04:34:57 [warn] 763#763: conflicting server name "example.com.au" on 0.0.0.0:443, ignored
2016/08/01 04:48:27 [emerg] 1480#1480: BIO_new_file("/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2016/08/01 04:48:36 [emerg] 727#727: BIO_new_file("/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2016/08/01 05:05:44 [emerg] 723#723: BIO_new_file("/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2016/08/01 05:22:51 [emerg] 712#712: BIO_new_file("/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2016/08/01 05:27:05 [emerg] 722#722: BIO_new_file("/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/example.com.au-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
```

…and if I set ssl enabled: false I get this error on provisioning:

`AnsibleUndefinedVariable: 'site_hosts_canonical' is undefined`

---

## Post 31 by @fullyint — 2016-08-01T07:14:39Z

@Simeon you mentioned updating your `wordpress_sites` files but could you confirm that you updated [all files as in roots/trellis#622](https://github.com/roots/trellis/pull/622/files)? I suspect your files are missing the [`site_hosts` definition](https://github.com/roots/trellis/blob/aa7c0645f4e88cf0bb2717aa2d1251e463c89c3e/group_vars/all/helpers.yml#L13) in `group_vars/all/helpers.yml`, potentially among other things.

Once you have the full set of updates, I suggest you run the entire `server.yml` playbook (without specifying any `--tags`). If that runs into trouble, you could then run just  
`ansible-playbook server.yml -e env=production --tags wordpress`  
to work out the Nginx confs, and then run  
`ansible-playbook server.yml -e env=production --tags letsencrypt`

* * *

> [@Let's Encrypt issue when adding new domain to multisite](https://discourse.roots.io/t/lets-encrypt-issue-when-adding-new-domain-to-multisite/7021/10):
>
> I wonder if a future version of Trellis might be smart enough to detect if there’s new `site_hosts` and remove all existing `letsencrypt` data

I’m currently testing an update to implement this. In the meantime, if you’re working on a site/project with some existing letsencrypt CSRs/certs, you may need to do one of these:

> [@fullyint](#):
>
> 1. a fresh droplet (so there’s no LE stuff on it)  
> OR
> 2. SSH in to the remote and  
> delete the CSRs in `/var/lib/letsencrypt/csrs` and  
> delete the certs in `/etc/nginx/ssl/letsencrypt`

---

## Post 32 by @Simeon — 2016-08-01T07:21:58Z

Ah you’re so right. I just bulk overwrote everything in Trellis but brought the old `group_vars` directory along, which means I didn’t have the new and updated files in the `all` directory. Trying now.

Edit: It works! Had to SSH into the remote and remove the old CSRs as described, then another provision and deploy.

www now redirects to non-www with fully green SSL on my international domain!

:smiley:

---

## Post 33 by @Simeon — 2016-08-02T03:20:28Z

@fullyint @swalkinshaw

I didn’t know where to put this, but I think these fixes have broken the changes required in `Vagrantfile` [according to the docs](https://roots.io/trellis/docs/multisite/) to set up multisite.

In the docs: `aliases.each do |host|`  
Should now be: `hostnames.each do |host|`

Couldn’t run `vagrant up` without changing this.

---

## Post 34 by @swalkinshaw — 2016-08-02T04:17:40Z

Good catch. You can do a PR yourself if you want: [https://github.com/roots/docs](https://github.com/roots/docs)

---

## Post 35 by @Simeon — 2016-08-02T05:02:43Z

…think I did it. First PR ever
