Roots Discourse

LetsEncrypt: Could Not Access Challenge File

I’ve been baffled with this bug for about 24hrs straight at this point. Feeling slightly delirious, so if anyone could point me in the right direction, would be much appreciated.

I’ve been having issues whenever I generate a LetsEncrypt SSL on a staging/production server @ bonsai.jackalope.io. Here is the main error I get when provisioning:

TASK [letsencrypt : Test Acme Challenges] ****************************************************************************************************************************************************************************************************
System info:
  Ansible 2.8.11; Darwin
  Trellis version (per changelog): "Removes ID from Lets Encrypt bundled certificate and make filename stable"
---------------------------------------------------
failed: [bonsai.jackalope.io] (item=bonsai.jackalope.io) => {"ansible_loop_var": "item", "changed": false, "failed_hosts": ["bonsai.jackalope.io"], "item": {"key": "bonsai.jackalope.io", "value": {"branch": "master", "cache": {"enabled": false}, "local_path": "../site", "multisite": {"enabled": false}, "repo": "git@github.com:masoninthesis/bonsai-test.git", "repo_subtree_path": "site", "site_hosts": [{"canonical": "bonsai.jackalope.io"}], "ssl": {"enabled": true, "provider": "letsencrypt"}}}, "rc": 1}
...ignoring
TASK [letsencrypt : Notify of challenge failures] ********************************************************************************************************************************************************************************************
System info:
  Ansible 2.8.11; Darwin
  Trellis version (per changelog): "Removes ID from Lets Encrypt bundled certificate and make filename stable"
---------------------------------------------------
Could not access the challenge file for the hosts/domains:
bonsai.jackalope.io. Let's Encrypt requires every domain/host be publicly
accessible. Make sure that a valid DNS record exists for bonsai.jackalope.io
and that they point to this server's IP. If you don't want these domains in
your SSL certificate, then remove them from `site_hosts`. See
https://roots.io/trellis/docs/ssl for more details.

failed: [bonsai.jackalope.io] (item=bonsai.jackalope.io) => {"ansible_loop_var": "item", "changed": false, "item": {"ansible_loop_var": "item", "changed": false, "failed": true, "failed_hosts": ["bonsai.jackalope.io"], "invocation": {"module_args": {"file": "ping.txt", "hosts": ["bonsai.jackalope.io"], "path": ".well-known/acme-challenge"}}, "item": {"key": "bonsai.jackalope.io", "value": {"branch": "master", "cache": {"enabled": false}, "local_path": "../site", "multisite": {"enabled": false}, "repo": "git@github.com:masoninthesis/bonsai-test.git", "repo_subtree_path": "site", "site_hosts": [{"canonical": "bonsai.jackalope.io"}], "ssl": {"enabled": true, "provider": "letsencrypt"}}}, "rc": 1}}

I tried everything in the book that I could find.

Similar issue from April 2016
Another similar issue from April 2016
And another issue from April 2016 where I make a cameo

The thing is, I do have my bonsai.jackalope.io DNS setup for this. I can ping it. The weird thing is that I change to a different subdomain, it provisions fine. I would think that must be some caching issue, propagation, or something. So I spin up a completely new project, and I have the same issue.

If I switch domains and use test.jackalope.io for my production environment, it works fine. But if bonsai.jackalope.io is on my staging environment, I get the same error.

If I change bonsai to staging-bonsai, it also works fine. It’s just that particular subdomain it doesn’t like.

As suggested from the threads above, I’ve tried (to no avail):

  • Set ssl enabled: false
  • Run ansible-playbook server.yml -e env=<environment> --tags wordpress
    This will create a fresh Nginx conf, which this time shouldn’t be trying to load the apparently missing file /etc/nginx/ssl/letsencrypt/ssltest.com-bundled.cert
  • Set ssl back to enabled: true
  • Run ansible-playbook server.yml -e env=<environment> --tags letsencrypt
    This time the Nginx stuff shouldn’t choke on the missing cert file

I’m currently on Ansible 2.8.122, but I’ve tried 2.7-2.9 with no luck. As a last resort I rebuilt the project from scratch and got the same error. I can ssh in to the servers just fine. I’ve also tried editing the /etc/nginx/sites-available/example.com.conf as suggested here.

Here is a public repo of it.

Any help is appreciated. Thanks!

I’m just circling back to correcting this issue in case any poor soul ever experiences this.

I really have no idea how to replicate it. I think it was something off in my system configuration. So I did a clean install of MacOS Catalina and it works fine now.

Not ideal, but it had been a few years so it’s probably for the best. :smirk:

This topic was automatically closed after 42 days. New replies are no longer allowed.