Issue reprovisioning live site from non-SSL to SSL

nathobson · February 21, 2017, 12:07am

I’ve got a live site that is working fine without SSL. I now would like to enable SSL on the site as the domain is pointed to the site. I’ve done this before without issue but I’m hitting errors with this site. I can switch between SSL and non-SSL on the staging site fine but if I reprovision the live site with SSL enabled, I get either:

TASK [nginx : Generate strong unique Diffie-Hellman group.] ********************
System info:
  Ansible 2.2.1.0; Darwin
  Trellis at "Require Ansible 2.2.0.0 or greater"
---------------------------------------------------
openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: version
`OPENSSL_1.0.2g' not found (required by openssl)
fatal: [46.101.29.85]: FAILED! => {"changed": true, "cmd": ["openssl", "dhparam", "-out", "dhparams.pem", "2048"], "delta": "0:00:00.002478", "end": "2017-02
-20 23:02:16.145815", "failed": true, "rc": 1, "start": "2017-02-20 23:02:16.143337", "stderr": "openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: versi
on `OPENSSL_1.0.2g' not found (required by openssl)", "stdout": "", "stdout_lines": [], "warnings": []}

or

TASK [letsencrypt : Generate the certificates] *********************************
System info:
  Ansible 2.2.1.0; Darwin
  Trellis at "Require Ansible 2.2.0.0 or greater"
---------------------------------------------------
fatal: [46.101.29.85]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:00.082188", "end": "2017-02-21 00:01:58.518737", "failed": t
rue, "rc": 1, "start": "2017-02-21 00:01:58.436549", "stderr": "", "stdout": "Generating certificate for constantenergy.net\nError while generating certifica
te for constantenergy.net\nTraceback (most recent call last):\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n    main(sys.argv[1:])\
n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.c
a)\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 26, in get_crt\n    raise IOError(\"OpenSSL Error: {0}\".format(err))\nIOError: OpenSSL Error: opens
sl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: version `OPENSSL_1.0.2g' not found (required by openssl)", "stdout_lines": ["Generating certificate for con
stantenergy.net", "Error while generating certificate for constantenergy.net", "Traceback (most recent call last):", "  File \"/usr/local/letsencrypt/acme_ti
ny.py\", line 198, in <module>", "    main(sys.argv[1:])", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", "    signed_crt = get_crt(arg
s.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 26, in get_crt", "    raise IOError(\
"OpenSSL Error: {0}\".format(err))", "IOError: OpenSSL Error: openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: version `OPENSSL_1.0.2g' not found (requ
ired by openssl)"], "warnings": []}

Any ideas? It’s a very recent (Trellis 0.9.9) and pretty vanilla Trellis setup.

nathobson · February 21, 2017, 10:38am

Well I went through with provisioning a fresh production server which worked without issue even though I followed the same process i.e. provisioned without SSL and then transitioned over to SSL. This was to avoid any downtime on the live site:

Launch new DO droplet
Changed local hosts file for the live domain to the new droplet
Provisioned and deployed to new droplet
Moved over assets and database to new server
Updated the DNS record to point to the new IP
Removed local hosts file reference to the domain
Reprovisioned the new server after enabling SSL, no errors
Search and replaced live db via wp-cli to swap out http to https references

All works, no idea why the original server was having issues?

My only issue now is mixed content warning within the backend as (I believe) the WordPress Address (URL) and Site Address (URL) are set the to the non-https domain. Not sure where I would change this?

nathobson · February 21, 2017, 2:17pm

Well… just talking to myself here but I’ll write everything down incase anyone has any of the same problems and stumbles across this.

After reprovisioning the server, I had to also redeploy which updated the WordPress and Site Address URLs as seen in the settings page and therefore all of the backend mixed content warnings.

jdarrohn · November 11, 2017, 9:27am

This was helpful, thank you.