Let's Encrypt Error

Testing the new trellis version with Let’s Encrpt configured. I have an already provisioned production server, and I went ahead and did server provisioning for a staging site. Everything worked OK, rebooted and tested the production site again and all was fine.

I tried ./deploy.sh staging stg.mydomain.com

I got an error on Wordpress Installed? task. Looks like it can’t connect to the DB. I think that’s because I forgot to make the vault.yml site key match the wordpress_sites.yml. One said mydomain.com and the other was stg.mydomain.com. I fixed that, and tried to provision the staging setup again.

This time I got this error:

TASK [letsencrypt : Generate the initial certificate] **************************
fatal: []: FAILED! => {“changed”: false, “cmd”: ["./renew-certs.py"], “delta”: “0:00:01.209595”, “end”: “2016-03-24 14:31:57.735555”, “failed”: true, “rc”: 1, “start”: “2016-03-24 14:31:56.525960”, “stderr”: “”, “stdout”: “Generating certificate for stg.mydomain.com\nError while generating certificate for stg.mydomain.com\nParsing account key…\nParsing CSR…\nRegistering account…\nAlready registered!\nVerifying www.stg.mydomain.com…\nTraceback (most recent call last):\n File “/usr/local/letsencrypt/acme_tiny.py”, line 198, in \n main(sys.argv[1:])\n File “/usr/local/letsencrypt/acme_tiny.py”, line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n File “/usr/local/letsencrypt/acme_tiny.py”, line 123, in get_crt\n wellknown_path, wellknown_url))\nValueError: Wrote file to /srv/www/letsencrypt/iYEVJ8gUc-4QORNnMNQGRPLvPDROc-4pZHs5rjoRxL0, but couldn’t download http://www.stg.mydomain.com/.well-known/acme-challenge/iYEVJ8gUc-4QORNnMNQGRPLvPDROc-4pZHs5rjoRxL0”, “stdout_lines”: [“Generating certificate for stg.mydomain.com”, “Error while generating certificate for stg.mydomain.com”, “Parsing account key…”, “Parsing CSR…”, “Registering account…”, “Already registered!”, “Verifying www.stg.mydomain.com…”, “Traceback (most recent call last):”, " File “/usr/local/letsencrypt/acme_tiny.py”, line 198, in “, " main(sys.argv[1:])”, " File “/usr/local/letsencrypt/acme_tiny.py”, line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", " File “/usr/local/letsencrypt/acme_tiny.py”, line 123, in get_crt", " wellknown_path, wellknown_url))", “ValueError: Wrote file to /srv/www/letsencrypt/iYEVJ8gUc-4QORNnMNQGRPLvPDROc-4pZHs5rjoRxL0, but couldn’t download http://www.stg.mydomain.com/.well-known/acme-challenge/iYEVJ8gUc-4QORNnMNQGRPLvPDROc-4pZHs5rjoRxL0”], “warnings”: []}
to retry, use: --limit @server.retry

It says it’s already registered. I also noticed that it references www.stg.mydomain.com. That isn’t configured in my DNS and don’t expect to use it. I added it anyways to my DNS, and ran provisioning again.

I got the same error the second time. What am I doing wrong?

Do I need to start from scratch on a server? The trellis version I was using was 3 months old for this particular test site. Just updated the test site to see how it works.

I ran it a third time, and all of a sudden it passed that step with no changes from me. It error’d out on another step. Found that had to do with needed nginx v1.9.2, and I was on 1.8.1. did a sudo apt-get upgrade and ran deploy again, now it is failing on :

Trigger nginx reload task
with the error “reload: Job is not running: nginx\n”

nginx is running currently.


Ugh. After just rebooting over and over and re-provisioning & deploying. It finally got all the way through.

However, I noticed there is a letsencrypt-mydomain.com.conf file in sites-enabled folder still. It points to my stg.mydomain.com folder. I can delete this manually and all is good, but what did I miss in the process?

So here’s what happened with your first Let’s Encrypt error:

Trellis has a not-so well document feature:

www_redirect - whether to redirect www/non-www counterparts of site_hosts (default: true)

Say you have mydomain.com, it’s a good practice to only serve it from either www.mydomain.com, or the non-www version. But you still need the DNS records and Nginx configured. So by default Trellis detects if you host has www or not and sets up the redirects.

Problem: we should probably turn this off for sub-domains. The feature only makes sense for “root” domains.
Solution: you could set www_redirect: false in your WP site to disable it or do what you did and add a DNS record. But I do suggest setting it to false since you don’t need it anyway.

Your other problems with to do with Nginx could have led to letsencrypt-mydomain.com.conf not being disabled.

Since this is a staging server, it might be worthwhile to set that www_redirect option and just completely re-do the server if you can.

I’m also currently working on a better feature to detect if the Let’s Encrypt “challenges” will work before that certification generation. In your case, you would have gotten a nice error message telling you about the DNS/domain issue.


OK that makes sense.

So the letsencrypt-mydomain.com should be disabled? For now, I will just delete it from the sites-enabled folder. Good to know about the www_redirect. Will use it!

And yes, I can start over with a new server and will eventually. Thanks for the help.

Yeah once you’ve successfully gotten the certificates that site conf can be disabled.

Just to follow-up: Trellis now ignores subdomains for the redirect feature https://github.com/roots/trellis/issues/524