Thanks, Scott. Not sure what exactly you mean by “what happens”? But when I run .renew-certs.py manually, it runs on python2 and returns:
The required CSR file /var/lib/letsencrypt/csrs/example.com-3224635.csr does not exist. This could happen if you changed site_hosts and have not yet rerun the letsencrypt role. Create the CSR file by re-provisioning (running the Trellis server.yml playbook) with `--tags letsencrypt`
When I run trellis provision --tags letsencrypt production:
TASK [letsencrypt : Notify of challenge failures] ******************************
---------------------------------------------------
Could not access the challenge file for the hosts/domains: www.example.com.
Let's Encrypt requires every domain/host be publicly accessible. Make sure
that a valid DNS record exists for www.example.com and that they point to
this server's IP. If you don't want these domains in your SSL certificate,
then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for
more details.
failed: [142.93.etc...
System info:
Ansible 2.10.1; Darwin
Trellis version (per changelog): "Allow WP cron intervals to be configurable"
The server is configured to run over non-www. Does the www in the output have relevance to that?
Yes, because Trellis automatically redirects www.host.tld to host.tld so you still need DNS records for every domain/host.
So to recap the issue:
something caused the hashes to change (new site host is the most frequent cause of this)
renew script won’t work without reprovisioning with the lets encrypt role (as the error says, which you did)
the role fails because it can’t access the challenge file (likely due to a DNS issue) which means it can’t create the CSR
Hopefully this is just a DNS issue and you can easily add the record. Your original idea of manually changing the hash could work to get the cert renewed; it shouldn’t break anything at least. But you should really fix the bigger issue regardless.
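A pre-flight check for the DNS side of the recap above, written as an added example (not Trellis's own code): it expands each `site_hosts` entry (canonical host plus its `redirects`, as in group_vars/<env>/wordpress_sites.yml) and reports every name that does not resolve to the server's IP, which is what makes the challenge file unreachable. The resolver is injectable so the check can be exercised offline; all IPs and records below are constructed.

```python
"""Check that every host the letsencrypt role will request resolves to this server."""
import socket
import sys
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """IPv4 addresses the system resolver returns for name ([] when it has none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def expand_hosts(site_hosts: List[Dict]) -> List[str]:
    """All names a certificate must cover: each canonical host and its redirects."""
    names: List[str] = []
    for entry in site_hosts:
        for name in [entry["canonical"], *entry.get("redirects", [])]:
            if name not in names:
                names.append(name)
    return names


def find_misconfigured(site_hosts: List[Dict], server_ip: str,
                       resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Map each name that does not point at server_ip to the addresses it did resolve to.

    An empty list means no A record exists at all, the case the Ansible error
    above describes; the fix is a DNS record, not a hash edit.
    """
    problems: Dict[str, List[str]] = {}
    for name in expand_hosts(site_hosts):
        addrs = resolve(name)
        if server_ip not in addrs:
            problems[name] = addrs
    return problems


if __name__ == "__main__":
    # Usage: python check_hosts.py <server_ip>  (hosts below are constructed samples)
    hosts = [{"canonical": "example.com", "redirects": ["www.example.com"]}]
    for name, addrs in find_misconfigured(hosts, sys.argv[1]).items():
        print(f"{name}: resolves to {addrs or 'nothing'}; add/fix its A record")
```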
I was able to remove the www redirects parameter from group_vars/env/wordpress_sites.yml and renew the cert for JUST non-www, but then, of course, requests to www failed: