Letsencrypt setup with multiple domains on same server

I have a website running with letsencrypt enabled:

It seems to work, but it prompt me to add a security exception because certificate is wrong configured:

I get this in Firefox: SEC_ERROR_UNKNOWN_ISSUER

What I did:

Edit group vars:

      enabled: true
      provider: letsencrypt
      wp_home: https://stage.lolafonseca.com
      wp_siteurl: https://stage.lolafonseca.com/wp

I ran:

ansible-playbook server.yml -e env=staging -K --tags wordpress
ansible-playbook server.yml -e env=staging -K --tags letsencrypt

What am I missing? Thanks!

I found the docs about it

Forget this thread, please :upside_down:

Thanks for posting your troubleshooting steps. This could be a good thread for users experiencing the same issue.

What was your issue and how did you solve it?

Was it your DNS entries for the www. prefixed domain?

I was reading the SSL docs but I have no solution yet. I found this description of the problem wich seems to fit to mine:


Let’s Encrypt has rate limits for their production/real certificates.
While Trellis will prevent these rate limits from being hit, if you
want to test out LE integration, you can use their staging server to get
a “fake” certificate.

Note that browsers will display an error/warning that they don’t
recognize the Certificate Authority so this should only be used for
testing purposes.

###Just set the following variable: in a group_vars file
letsencrypt_ca: “https://acme-staging.api.letsencrypt.org

So, I put this variable into group_vars/staging/main.yml

Then, I reprovision server and the problem remains.
Any help will be appreciated.

DNS management is outside Digital Ocean (until old web stops). I have an A record in the domain provider:
stage.lolafonseca.com pointing to my DO droplet IP

I still researching about www prefix and redirection.

How shoud be the DNS record for a stage subdomain with www prefix?

I’ve added A reccord

Is it right?

Does not work yet (maybe beacuse DNS propagation)

If I don’t plan on having any subdomains I usually just add a CNAME with an asterisk that points to the domain.

Your setup is working now; I can ping the address with and without the www. and they both resolve to the same IP.


Ok, so problem persists with right DNS: Browser alerts that is a insecure server. On a staging server. I gess this warning will disappear on production.

Hi, after install from scratch a new bedrock project in the same droplet, I get the same results. Browser tell me that is a insecure server:


Why? I read caerfully the SSL docs and my configuration seems to be all right. The SSL Test labs tell me that is a non trusted certificate:


There are several possible reasons but I have no idea how to detect it and how to fix it.

Any clue or suggestion will be very appreciated! Thanks.

I read caerfully the SSL docs and my configuration seems to be all right.

What is your configuration? Also, are you able to check your server logs for any mention of a problem? What about the terminal output during provisioning?

Thanks for response! I’m going to gather the data for post it.

For https://abralaboca.net/ you might double-check that this is not being applied:

letsencrypt_ca: "https://acme-staging.api.letsencrypt.org"

The ssl docs mention that

Note that browsers will display an error/warning that they don’t recognize the Certificate Authority so this should only be used for testing purposes.

If you want to use that fake cert authority to avoid rate limits on staging, be sure to only define letsencrypt_ca with that staging cert authority in a group_vars/staging file.

If you want a real cert for production, be sure you are not defining letsencrypt_ca with that staging cert authority anywhere in group_vars/all or group_vars/production etc.

As for www.stage.lolafonseca.com, I haven’t looked closely but it may be an instance of the as-yet-unresolved issue of www + subdomains not redirecting, as reported in response to roots/trellis#570. If that is relevant, there is more discussion here Problems with .com.au domains?


Yes, actually even I deleted letsencrypt_ca variable from staging files too (until I get things working).

What is your configuration? As I said in the first post.
Terminal output during provisioning: http://pastebin.com/ySXEzqY1
Nginx error log: http://pastebin.com/d1XKhFtg (there are several SSL errors)

So you’re using multisite with domain mapping? That’s a pretty important detail you left out.

Please check this thread: Let's Encrypt issue when adding new domain to multisite

Also, can we see your wordpress_sites.yml? You can mask domain names if you like.

Of course. Here it is: http://pastebin.com/X6AmztzA

I have

      enabled: false
      subdomains: false

In all domains

I’m going to read the refered post. Thank you.

Ok so you’re just using multiple domains on one box without multisite. Please try this: Let’s Encrypt issue when adding new domain to multisite and add -vvvv to the end of the command in step #3. Paste output so we can see it. Thanks!

I tried it:

  1. Remove certificates
    $ sudo rm -rf /var/lib/letsencrypt /usr/local/letsencrypt /srv/www/letsencrypt /etc/nginx/ssl/letsencrypt /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem

  2. Generate new certificates
    ansible-playbook server.yml -e env=production -K --tags letsencrypt

  3. Reboot remote machine

  4. Start Nginx

With same results. This is the output of provision with letsencrypt tag (verbose mode):

I don’t know if it is meaningfull, there is no etc/cron.d/letsencrypt-certificate-renewal:

$ cat /etc/cron.d/letsencrypt-certificate-renewal
cat: /etc/cron.d/letsencrypt-certificate-renewal: No such file or directory
1 Like

@aitor reviewing your pasted output, I don’t see any letsencrypt tasks running. This leaves me wondering if you’re running an older version of Trellis before the letsencrypt role was added. Please confirm whether the letsencrypt role appears in these places:

  • /Volumes/B/Documentos/trellis2/ansible/roles (compare)
  • /Volumes/B/Documentos/trellis2/ansible/roles/server.yml (compare)
1 Like

Yes that had me scratching my head too. Thanks @fullyint.

I confirm. There is no letsencrypt roles :sweat:
Excuse my ignorance

1 Like