I’m having a similar issue, and the steps above aren’t helping.
I first cloned Trellis on March 14 of this year, and today updated it via getting a patch from the latest commit on March 14 to the latest now, and applying it to my repo. I’m pretty confident I resolved all conflicts correctly, though it’s possible I screwed something up.
I’m trying to enable Let’s Encrypt on an existing site. Whether I remove the Nginx site configuration symlink or not, and whether I disable SSL first to run the wordpress tag tasks before enabling it again to run the letsencrypt tag tasks, I still always hit the challenge failures error.
I’m using the bedrock-site-protect role on this particular environment to add HTTP basic auth. Could that be affecting anything?
When I disable SSL and run the wordpress tasks the operation is successful. Then I switch SSL back on and run the letsencrypt tasks. It’s all successful as far as “Create test Acme Challenge file”. Then it tries to “Test Acme Challenges”, and from this point I get the following:
```
TASK [letsencrypt : Test Acme Challenges] **************************************
failed: [staging.PRIMARY.DOMAIN] (item={'value': {u'repo_subtree_path': u'site', u'multisite': {u'enabled': False}, u'cache': {u'enabled': False}, u'repo': u'git@MY.GIT.HOST:MY/REPO.git', u'ssl': {u'enabled': True, u'provider': u'letsencrypt'}, u'local_path': u'../site', u'branch': u'master', u'site_hosts': [u'staging.PRIMARY.DOMAIN', u'staging.SECONDARY.DOMAIN']}, 'key': u'PRIMARY.DOMAIN'}) => {"changed": false, "failed": true, "failed_hosts": ["staging.PRIMARY.DOMAIN", "staging.SECONDARY.DOMAIN"], "item": {"key": "PRIMARY.DOMAIN", "value": {"branch": "master", "cache": {"enabled": false}, "local_path": "../site", "multisite": {"enabled": false}, "repo": "git@MY.GIT.HOST:MY/REPO.git", "repo_subtree_path": "site", "site_hosts": ["staging.PRIMARY.DOMAIN", "staging.SECONDARY.DOMAIN"], "ssl": {"enabled": true, "provider": "letsencrypt"}}}, "rc": 1}
...ignoring
TASK [letsencrypt : Notify of challenge failures] ******************************
failed: [staging.PRIMARY.DOMAIN] (item={u'changed': False, '_ansible_no_log': False, 'failed': True, '_ansible_item_result': True, 'item': {'value': {u'repo_subtree_path': u'site', u'multisite': {u'enabled': False}, u'cache': {u'enabled': False}, u'repo': u'git@MY.GIT.HOST:MY/REPO.git', u'ssl': {u'enabled': True, u'provider': u'letsencrypt'}, u'local_path': u'../site', u'branch': u'master', u'site_hosts': [u'staging.PRIMARY.DOMAIN', u'staging.SECONDARY.DOMAIN']}, 'key': u'PRIMARY.DOMAIN'}, u'rc': 1, 'invocation': {'module_name': u'test_challenges', u'module_args': {u'path': u'.well-known/acme-challenge', u'hosts': [u'staging.PRIMARY.DOMAIN', u'staging.SECONDARY.DOMAIN'], u'file': u'ping.txt'}}, u'failed_hosts': [u'staging.PRIMARY.DOMAIN', u'staging.SECONDARY.DOMAIN']}) => {"failed": true, "item": {"changed": false, "failed": true, "failed_hosts": ["staging.PRIMARY.DOMAIN", "staging.SECONDARY.DOMAIN"], "invocation": {"module_args": {"file": "ping.txt", "hosts": ["staging.PRIMARY.DOMAIN", "staging.SECONDARY.DOMAIN"], "path": ".well-known/acme-challenge"}, "module_name": "test_challenges"}, "item": {"key": "PRIMARY.DOMAIN", "value": {"branch": "master", "cache": {"enabled": false}, "local_path": "../site", "multisite": {"enabled": false}, "repo": "git@MY.GIT.HOST:MY/REPO.git", "repo_subtree_path": "site", "site_hosts": ["staging.PRIMARY.DOMAIN", "staging.SECONDARY.DOMAIN"], "ssl": {"enabled": true, "provider": "letsencrypt"}}}, "rc": 1}, "msg": "Could not access the challenge file for the hosts/domains: staging.PRIMARY.DOMAIN, staging.SECONDARY.DOMAIN. Let's Encrypt requires every domain/host be publicly accessible. Make sure that a valid DNS record exists for staging.PRIMARY.DOMAIN, staging.SECONDARY.DOMAIN and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details.\n"}
RUNNING HANDLER [common : reload nginx] ****************************************
included: /home/ME/PROJECT-PATH/code/trellis/roles/common/tasks/reload_nginx.yml for staging.PRIMARY.DOMAIN
RUNNING HANDLER [common : command] *********************************************
```
System info:
Ansible 2.0.2.0; Linux
Trellis at "Add connection-related cli options to ping command"
---------------------------------------------------
```
nginx: [emerg] BIO_new_file("/etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
fatal: [staging.PRIMARY.DOMAIN]: FAILED! => {"changed": false, "cmd": ["nginx", "-t"], "delta": "0:00:00.007275", "end": "2016-05-05 20:18:46.940078", "failed": true, "rc": 1, "start": "2016-05-05 20:18:46.932803", "stderr": "nginx: [emerg] BIO_new_file(\"/etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert\") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/PRIMARY.DOMAIN-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stdout": "", "stdout_lines": [], "warnings": []}
RUNNING HANDLER [common : service] *********************************************
skipping: [staging.PRIMARY.DOMAIN]
to retry, use: --limit @server.retry
PLAY RECAP *********************************************************************
staging.PRIMARY.DOMAIN : ok=29 changed=2 unreachable=0 failed=2
```
This says at one point to make sure that valid DNS records exist for these domains – they do.
It then says a file /etc/nginx/ssl/letsencrypt/* doesn’t exist; I can confirm this: that letsencrypt directory exists but is empty.
My wordpress_sites.yml file looks like this:
```yaml
wordpress_sites:
  PRIMARY_DOMAIN:
    site_hosts:
      - staging.PRIMARY.DOMAIN
      - staging.SECONDARY.DOMAIN
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@MY.GIT.HOST:MY/REPO.git
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false
    htpasswd:
      name: WEBUSER
      password: WEBPASS
```
Any ideas? Any more information I can provide?
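The "Could not access the challenge file" message lumps several causes together (DNS not pointing at the server, port 80 unreachable, or an access layer such as HTTP basic auth answering on the challenge path). The following probe is an added example, not code from the post or from Trellis: it fetches the same `.well-known/acme-challenge/ping.txt` path that the `test_challenges` module tests, over plain HTTP as an ACME HTTP-01 validator would, and maps the response onto a concrete diagnosis. The host names and `expected_body` (whatever was written into the test file) are assumed inputs.

```python
import http.client
import socket
from typing import NamedTuple, Optional

# Path and file name that Trellis' test_challenges module probes (from the log above).
CHALLENGE_PATH = "/.well-known/acme-challenge/ping.txt"


class Probe(NamedTuple):
    host: str
    status: Optional[int]  # HTTP status code, or None when no connection was made
    body: str = ""
    error: str = ""


def probe(host: str, path: str = CHALLENGE_PATH, timeout: float = 5.0) -> Probe:
    """Fetch the challenge file over plain HTTP on port 80, as an HTTP-01 validator does."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(host, resp.status, resp.read().decode("utf-8", "replace"))
    except (OSError, socket.timeout, http.client.HTTPException) as exc:
        return Probe(host, None, error=str(exc))


def diagnose(p: Probe, expected_body: str) -> str:
    """Map one probe result onto the most likely reason the challenge check failed."""
    if p.status is None:
        return f"{p.host}: unreachable ({p.error}); check the DNS A record and that port 80 is open"
    if p.status in (401, 407):
        return f"{p.host}: {p.status}, an auth layer (e.g. HTTP basic auth) is blocking the challenge path"
    if p.status == 403:
        return f"{p.host}: 403, the web server denies access to the challenge path"
    if p.status == 404:
        return f"{p.host}: 404, the challenge file is not served from the expected webroot"
    if p.status in (301, 302, 307, 308):
        return f"{p.host}: {p.status}, redirected; the redirect target must serve the token"
    if p.status != 200:
        return f"{p.host}: unexpected HTTP {p.status}"
    if p.body.strip() != expected_body:
        return f"{p.host}: 200 but wrong content, another server is answering for this name"
    return f"{p.host}: OK"


def check_site_hosts(hosts, expected_body: str) -> dict:
    """Probe every entry of site_hosts; returns a host -> diagnosis mapping."""
    return {h: diagnose(probe(h), expected_body) for h in hosts}
```

A 401 on this path means the basic-auth layer must exempt `/.well-known/acme-challenge/` (for nginx, `auth_basic off;` in a location block for that prefix) before the challenge can pass.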