Roots Discourse

Letsencrypt challenge conf files not created on server

I’m faced with a similar issue as in LetsEncrypt: Could Not Access Challenge File

The Trellis install at hand looks to be somehow “in limbo” for the letsencrypt challenge conf files of a staging subdomain.

domain.com has SSL in place and it works.

While ansible-playbook server.yml -e env=staging runs for sub.domain.com, it starts skipping where the files would be created:

TASK [letsencrypt : Get list of hosts in current Nginx conf] ********************************
ok: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : Create needed Nginx confs for challenges] *******************************
skipping: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : Enable Nginx sites] *****************************************************
skipping: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : reload nginx] ***********************************************************
skipping: [ip.address]

TASK [letsencrypt : perform nginx reload] ***************************************************
skipping: [ip.address]

This results in no files for sub.domain.com at /var/lib/letsencrypt.

Similar to the linked post, I set up DNS for sub2.domain.com and changed site keys in group_vars/staging/wordpress_sites.yml and group_vars/staging/vault.yml, and everything worked the first try.

I’d prefer using the initial subdomain, as my test suite expects it, but more than that, I’d like to understand what’s going on and/or find a way to fix this.

Since the run is skipping the needed task “Create needed Nginx confs for challenges”, is it a terribly bad idea to comment out the conditions for it and run the tag “letsencrypt” once?

Thanks in advance!

EDIT: Forgot to mention that to reduce downtime, I initially provisioned the server with SSL disabled. Once DNS was ready, I re-provisioned with SSL enabled. Worked for production, but not for staging.
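One way to spot this condition before a certificate request fails is to scan the playbook output for letsencrypt tasks that were skipped for a host/site. The following is an added example, not code from the original post or from Trellis: it parses Ansible's default stdout format (the lines quoted above are embedded as constructed sample input) and reports, per host, which challenge-related tasks were skipped. The task names are taken from the quoted output; treating "Create needed Nginx confs for challenges" and "Enable Nginx sites" as the required set is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the Ansible output quoted in the post above.
SAMPLE_OUTPUT = """\
TASK [letsencrypt : Get list of hosts in current Nginx conf] ********************************
ok: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : Create needed Nginx confs for challenges] *******************************
skipping: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : Enable Nginx sites] *****************************************************
skipping: [ip.address] => (item=sub.domain.com)

TASK [letsencrypt : reload nginx] ***********************************************************
skipping: [ip.address]

TASK [letsencrypt : perform nginx reload] ***************************************************
skipping: [ip.address]
"""

# "TASK [role : task name] ****" header lines.
TASK_RE = re.compile(r"^TASK \[(?P<role>[^:\]]+) : (?P<task>[^\]]+)\] ")
# Per-host result lines, with an optional "=> (item=...)" suffix for loops.
RESULT_RE = re.compile(
    r"^(?P<status>ok|changed|skipping|failed|fatal): \[(?P<host>[^\]]+)\]"
    r"(?: => \(item=(?P<item>[^)]+)\))?"
)

# Tasks whose skipping means no challenge conf reaches Nginx (assumption of
# this example, based on the task names in the quoted output).
REQUIRED_TASKS = {"Create needed Nginx confs for challenges", "Enable Nginx sites"}


def parse_task_results(output):
    """Return a list of (role, task, status, host, item) tuples from Ansible stdout."""
    results = []
    current = None
    for line in output.splitlines():
        header = TASK_RE.match(line)
        if header:
            current = (header.group("role").strip(), header.group("task").strip())
            continue
        result = RESULT_RE.match(line)
        if result and current:
            results.append((*current, result.group("status"),
                            result.group("host"), result.group("item")))
    return results


def skipped_required_tasks(output, role="letsencrypt"):
    """Map host -> set of (task, item) for required tasks that were skipped."""
    skipped = defaultdict(set)
    for task_role, task, status, host, item in parse_task_results(output):
        if task_role == role and task in REQUIRED_TASKS and status == "skipping":
            skipped[host].add((task, item))
    return dict(skipped)


if __name__ == "__main__":
    for host, tasks in skipped_required_tasks(SAMPLE_OUTPUT).items():
        for task, item in sorted(tasks):
            print(f"{host}: '{task}' skipped for {item}; no challenge conf will be written")
```

Pipe a real run into it (for example `ansible-playbook server.yml -e env=staging | tee run.log`, then feed `run.log` to `skipped_required_tasks`) to confirm whether the skip happened for every site or only for the one subdomain, which narrows the problem to that site's configuration rather than the role as a whole.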

I think I actually ran into this issue again in the past month or so. I think it may have been related to the DNS propagation this time. Because I went back to it a few days later and it finally worked. Has the DNS been fully propagated?

I believe so; it’s been 20 hrs, and every tool I’ve used to check the status shows the DNS records pointing to the new IP.

sub2.domain.com propagated within minutes and worked without a single hiccup.

I had two domains. One said it was 90% propagated, the other said 100%. Usually when one says it’s 90% it will still work, but I was having issues over about a 48-hour period on that one. Then I tried it again the next week and it worked. No idea why the propagation was taking so long. Not sure if that will help. Usually 20 hours is plenty of time, but it took longer in this case.

In the previous thread it took reformatting my MacBook to fix it, so let’s just hope it’s not that!
