Roots Discourse

LetsEncrypt Problems

letsencrypt

#1

I am using Trellis/Bedrock/Sage on DigitalOcean and am having problems with LetsEncrypt.

If I use the recommended LetsEncrypt settings (i.e. provider = letsencrypt) I get the following error on provision:

non-zero return code
nginx: [emerg]
SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/letsencrypt/example.com.key") failed
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": true, "cmd": ["nginx", "-t"], "delta": "0:00:00.019259", "end": "2019-02-22 11:45:59.061749", "rc": 1, "start": "2019-02-22 11:45:59.042490", "stderr_lines": ["nginx: [emerg] SSL_CTX_use_PrivateKey_file(\"/etc/nginx/ssl/letsencrypt/example.com.key\") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}

NO MORE HOSTS LEFT *************************************************************
	to retry, use: --limit @/Users/benedict/Dropbox/_DIGITAL/example.com/trellis/server.retry

So then I tried using the manual method. I installed the certs manually and changed my wordpress_sites to:
provider: manual
cert: /etc/letsencrypt/live/staging.example.com/fullchain.pem
key: /etc/letsencrypt/live/staging.example.com/privkey.pem

And when I do this I get the following error:

Could not find or access
'/etc/letsencrypt/live/staging.example.com/fullchain.pem' on the Ansible
Controller.
If you are using a module and expect the file to exist on the remote, see the
remote_src option
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: If you are using a module and expect the file to exist on the remote, see the remote_src option
failed: [xxx.xxx.xxx.xxx] (item=example.com) => {"changed": false, "item": {"key": "example.com", "value": {"branch": "dev", "cache": {"enabled": false}, "local_path": "../site", "multisite": {"enabled": false}, "repo": "git@github.com:benedictsc/moli-ie.git", "repo_subtree_path": "site", "site_hosts": [{"canonical": "staging.example.com"}], "ssl": {"cert": "/etc/letsencrypt/live/staging.example.com/fullchain.pem", "enabled": true, "key": "/etc/letsencrypt/live/staging.example.com/privkey.pem", "provider": "manual"}}}}
	to retry, use: --limit @/Users/benedict/Dropbox/_DIGITAL/example.com/trellis/server.retry

I have looked through the responses to a similar issue here (LetsEncrypt Acme Challenge error) and tried all of the methods, but no joy.

The only way I can get the certs to work is with the manual method and by referencing the files on my local computer – which is obviously not a long-term solution.

Thanks to anyone who can shed some light on this!
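The two errors quoted above come from different places and are worth separating. The first is nginx itself refusing the pair at nginx -t: X509_check_private_key compares the public key embedded in the certificate with the public key derived from the private key, and "key values mismatch" means they differ (a key and a cert from different issuances, for example). The second is Ansible's copy module, which reads ssl.cert and ssl.key from the machine running the playbook (the "Ansible Controller" in the message), not from the droplet, which is why only local paths worked with provider: manual. The script below is an added example, not Trellis code and not from the original post: it reproduces the nginx check with openssl on constructed fixtures under hypothetical names (fullchain.pem, good.key, other.key in a temp directory) and also refuses paths that are not readable on the host where it runs.

```shell
#!/bin/sh
# Added example (not part of Trellis or the original post).
# Reproduces the test nginx fails with "X509_check_private_key: key values
# mismatch": the public key inside the certificate must equal the public key
# derived from the private key. Same comparison, done with openssl.
set -eu

# Usage: key_matches_cert CERT KEY
# Returns 0 when the key belongs to the certificate, 1 on mismatch or when a
# file cannot be read/parsed. For a fullchain.pem, openssl x509 reads only the
# first certificate in the file, which is the leaf we want.
key_matches_cert() {
    cert=$1
    key=$2
    # Both paths are resolved on THIS machine, the one running the command,
    # just as Ansible's copy module looks for ssl.cert/ssl.key on the controller.
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f on this host" >&2
            return 1
        fi
    done
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey || true)  # SubjectPublicKeyInfo from the cert
    key_pub=$(openssl pkey -in "$key" -pubout || true)           # SubjectPublicKeyInfo derived from the key
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "openssl could not parse $cert or $key" >&2
        return 1
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match: $cert <-> $key"
        return 0
    fi
    echo "MISMATCH: $cert <-> $key (nginx would fail nginx -t)" >&2
    return 1
}

# Constructed fixtures (hypothetical names, not the poster's real files):
# a self-signed cert with its own key, plus an unrelated key.
FIXTURES=$(mktemp -d)
trap 'rm -rf "$FIXTURES"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=staging.example.com" \
    -keyout "$FIXTURES/good.key" -out "$FIXTURES/fullchain.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$FIXTURES/other.key" 2>/dev/null

key_matches_cert "$FIXTURES/fullchain.pem" "$FIXTURES/good.key"            # match
key_matches_cert "$FIXTURES/fullchain.pem" "$FIXTURES/other.key" || true   # MISMATCH
```

Run it against the paths nginx complains about (for the first error, /etc/nginx/ssl/letsencrypt/example.com.key and the certificate referenced next to it in the generated nginx config) on the droplet itself; a MISMATCH there confirms the provisioning step wrote a key and certificate from different issuances rather than an nginx configuration problem.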


#2

Can you try running the provision with the -vvv flag to get some more detail on the errors?


#3

Thanks for the help. In the end I worked out that I had the release of Trellis where there were issues around this – which seems to have been fixed in early January. I pulled the latest version of trellis and spun up a new droplet and finally everything is working (now using the default letsencrypt method).