I have a website running with letsencrypt enabled:
It seems to work, but it prompts me to add a security exception because the certificate is wrongly configured:
I get this in Chrome: NET::ERR_CERT_AUTHORITY_INVALID
I get this in Firefox: SEC_ERROR_UNKNOWN_ISSUER
What I did:
Edit group vars:
ansible-playbook server.yml -e env=staging -K --tags wordpress
ansible-playbook server.yml -e env=staging -K --tags letsencrypt
What am I missing? Thanks!
I found the docs about it
Forget this thread, please
Thanks for posting your troubleshooting steps. This could be a good thread for users experiencing the same issue.
What was your issue and how did you solve it?
Was it your DNS entries for the www. prefixed domain?
I was reading the SSL docs but I have no solution yet. I found this description of the problem which seems to fit mine:
Let’s Encrypt has rate limits for their production/real certificates.
While Trellis will prevent these rate limits from being hit, if you
want to test out LE integration, you can use their staging server to get
a “fake” certificate.
Note that browsers will display an error/warning that they don’t
recognize the Certificate Authority so this should only be used for
Just set the following variable: in a group_vars file
So, I put this variable into
Then I reprovisioned the server and the problem remains.
Any help will be appreciated.
DNS management is outside Digital Ocean (until old web stops). I have an A record in the domain provider:
stage.lolafonseca.com pointing to my DO droplet IP
I’m still researching the www prefix and redirection.
How should the DNS record be for a stage subdomain with a www prefix?
I’ve added an A record
Is it right?
It does not work yet (maybe because of DNS propagation)
If I don’t plan on having any subdomains I usually just add a CNAME with an asterisk that points to the domain.
Your setup is working now; I can ping the address with and without the www. and they both resolve to the same IP.
Ok, so the problem persists with the right DNS: the browser alerts that it is an insecure server. On a staging server. I guess this warning will disappear on production.
Hi, after installing a new Bedrock project from scratch in the same droplet, I get the same results. The browser tells me that it is an insecure server:
Why? I read the SSL docs carefully and my configuration seems to be all right. The SSL Test labs tell me that it is a non-trusted certificate:
There are several possible reasons but I have no idea how to detect it and how to fix it.
Any clue or suggestion will be very appreciated! Thanks.
I read the SSL docs carefully and my configuration seems to be all right.
What is your configuration? Also, are you able to check your server logs for any mention of a problem? What about the terminal output during provisioning?
Thanks for the response! I’m going to gather the data to post it.
https://abralaboca.net/ you might double-check that this is not being applied:
The ssl docs mention that
Note that browsers will display an error/warning that they don’t recognize the Certificate Authority so this should only be used for testing purposes.
If you want to use that fake cert authority to avoid rate limits on staging, be sure to only define letsencrypt_ca with that staging cert authority in a
If you want a real cert for production, be sure you are not defining letsencrypt_ca with that staging cert authority anywhere in
www.stage.lolafonseca.com, I haven’t looked closely but it may be an instance of the as-yet-unresolved issue of www + subdomains not redirecting, as reported in response to roots/trellis#570. If that is relevant, there is more discussion here: Problems with .com.au domains?
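Added example, not part of the thread or of Trellis itself: a small scanner for the check suggested in the reply above, listing every active letsencrypt_ca definition under a group_vars tree and flagging staging-CA values that would apply to a given environment. The group_vars/<env>/ layout, the file names, the example.invalid URLs and the "acme-staging" hostname marker are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: Let's Encrypt staging ACME endpoints carry "acme-staging" in the hostname.
STAGING_MARKER = "acme-staging"
# Matches an active (uncommented) definition; a line starting with "#" does not match.
CA_LINE = re.compile(r"^\s*letsencrypt_ca\s*:\s*(?P<value>[^#]*)")


def find_letsencrypt_ca(root):
    """Return (relative_path, line_no, value, is_staging) for each letsencrypt_ca under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.yml")):
        lines = path.read_text(encoding="utf-8").splitlines()
        for line_no, line in enumerate(lines, 1):
            match = CA_LINE.match(line)
            if match:
                value = match.group("value").strip().strip("'\"")
                rel = path.relative_to(root).as_posix()
                findings.append((rel, line_no, value, STAGING_MARKER in value.lower()))
    return findings


def staging_ca_reaching(root, env):
    """Staging-CA definitions that apply to env: its own directory or the shared 'all' one."""
    scopes = {"all", env}
    return [f for f in find_letsencrypt_ca(root) if f[3] and f[0].split("/")[0] in scopes]


def build_sample(root):
    """Write a constructed sample tree; file names and URLs are illustrative only."""
    files = {
        "all/main.yml": "# letsencrypt_ca: 'https://acme-staging.example.invalid'\n",
        "staging/main.yml": "letsencrypt_ca: 'https://acme-staging.example.invalid'\n",
        "production/main.yml": "site: example\n"
        "letsencrypt_ca: https://acme-staging.example.invalid # leftover\n",
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, line_no, value, _ in staging_ca_reaching(tmp, "production"):
            print(f"{rel}:{line_no}: production would request a staging cert from {value}")
```

Run against a real group_vars directory by passing its path to staging_ca_reaching with the environment being provisioned; an empty result means no staging CA is defined for that environment.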
Yes, actually I even deleted the letsencrypt_ca variable from the staging files too (until I get things working).
What is your configuration? As I said in the first post.
Terminal output during provisioning: http://pastebin.com/ySXEzqY1
Nginx error log: http://pastebin.com/d1XKhFtg (there are several SSL errors)
So you’re using multisite with domain mapping? That’s a pretty important detail you left out.
Please check this thread: Let's Encrypt issue when adding new domain to multisite
Also, can we see your wordpress_sites.yml? You can mask domain names if you like.
Of course. Here it is: http://pastebin.com/X6AmztzA
In all domains
I’m going to read the referred post. Thank you.
Ok so you’re just using multiple domains on one box without multisite. Please try this: Let’s Encrypt issue when adding new domain to multisite and add -vvvv to the end of the command in step #3. Paste output so we can see it. Thanks!
I tried it:
$ sudo rm -rf /var/lib/letsencrypt /usr/local/letsencrypt /srv/www/letsencrypt /etc/nginx/ssl/letsencrypt /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
Generate new certificates
ansible-playbook server.yml -e env=production -K --tags letsencrypt
Reboot remote machine
With same results. This is the output of provision with letsencrypt tag (verbose mode):
I don’t know if it is meaningful, there is no
$ cat /etc/cron.d/letsencrypt-certificate-renewal
cat: /etc/cron.d/letsencrypt-certificate-renewal: No such file or directory
@aitor reviewing your pasted output, I don’t see any letsencrypt tasks running. This leaves me wondering if you’re running an older version of Trellis before the letsencrypt role was added. Please confirm whether the letsencrypt role appears in these places:
Yes that had me scratching my head too. Thanks @fullyint.
I confirm. There are no letsencrypt roles
Excuse my ignorance