Letsencrypt setup with multiple domains on same server

aitor · July 6, 2016, 7:11am

I have a website running with letsencrypt enabled:

It seems to work, but it prompt me to add a security exception because certificate is wrong configured:

I get this in Chrome: NET::ERR_CERT_AUTHORITY_INVALID
I get this in Firefox: SEC_ERROR_UNKNOWN_ISSUER

What I did:

Edit group vars:

ssl:
      enabled: true
      provider: letsencrypt
env:
      wp_home: https://stage.lolafonseca.com
      wp_siteurl: https://stage.lolafonseca.com/wp

I ran:

ansible-playbook server.yml -e env=staging -K --tags wordpress
ansible-playbook server.yml -e env=staging -K --tags letsencrypt

What am I missing? Thanks!

aitor · July 6, 2016, 10:45am

I found the docs about it

Forget this thread, please

cfx · July 6, 2016, 11:30am

Thanks for posting your troubleshooting steps. This could be a good thread for users experiencing the same issue.

What was your issue and how did you solve it?

Was it your DNS entries for the www. prefixed domain?

aitor · July 6, 2016, 11:51am

I was reading the SSL docs but I have no solution yet. I found this description of the problem wich seems to fit to mine:

Staging

Let’s Encrypt has rate limits for their production/real certificates.
While Trellis will prevent these rate limits from being hit, if you
want to test out LE integration, you can use their staging server to get
a “fake” certificate.

Note that browsers will display an error/warning that they don’t
recognize the Certificate Authority so this should only be used for
testing purposes.

###Just set the following variable: in a group_vars file
letsencrypt_ca: “https://acme-staging.api.letsencrypt.org”

So, I put this variable into group_vars/staging/main.yml

Then, I reprovision server and the problem remains.
Any help will be appreciated.

DNS management is outside Digital Ocean (until old web stops). I have an A record in the domain provider:
stage.lolafonseca.com pointing to my DO droplet IP

I still researching about www prefix and redirection.

aitor · July 6, 2016, 1:00pm

How shoud be the DNS record for a stage subdomain with www prefix?

I’ve added A reccord
www.stage.lolafonseca.com

Is it right?

Does not work yet (maybe beacuse DNS propagation)

cfx · July 6, 2016, 1:53pm

If I don’t plan on having any subdomains I usually just add a CNAME with an asterisk that points to the domain.

Your setup is working now; I can ping the address with and without the www. and they both resolve to the same IP.

aitor · July 6, 2016, 2:03pm

Ok, so problem persists with right DNS: Browser alerts that is a insecure server. On a staging server. I gess this warning will disappear on production.

aitor · July 15, 2016, 3:27pm

Hi, after install from scratch a new bedrock project in the same droplet, I get the same results. Browser tell me that is a insecure server:

https://abralaboca.net/

Why? I read caerfully the SSL docs and my configuration seems to be all right. The SSL Test labs tell me that is a non trusted certificate:

https://www.ssllabs.com/ssltest/analyze.html?d=abralaboca.net

There are several possible reasons but I have no idea how to detect it and how to fix it.

Any clue or suggestion will be very appreciated! Thanks.

cfx · July 15, 2016, 3:44pm

I read caerfully the SSL docs and my configuration seems to be all right.

What is your configuration? Also, are you able to check your server logs for any mention of a problem? What about the terminal output during provisioning?

aitor · July 15, 2016, 3:50pm

Thanks for response! I’m going to gather the data for post it.

fullyint · July 15, 2016, 4:21pm

For https://abralaboca.net/ you might double-check that this is not being applied:

letsencrypt_ca: "https://acme-staging.api.letsencrypt.org"

The ssl docs mention that

Note that browsers will display an error/warning that they don’t recognize the Certificate Authority so this should only be used for testing purposes.

If you want to use that fake cert authority to avoid rate limits on staging, be sure to only define letsencrypt_ca with that staging cert authority in a group_vars/staging file.

If you want a real cert for production, be sure you are not defining letsencrypt_ca with that staging cert authority anywhere in group_vars/all or group_vars/production etc.

As for www.stage.lolafonseca.com, I haven’t looked closely but it may be an instance of the as-yet-unresolved issue of www + subdomains not redirecting, as reported in response to roots/trellis#570. If that is relevant, there is more discussion here Problems with .com.au domains?

aitor · July 15, 2016, 4:38pm

Yes, actually even I deleted letsencrypt_ca variable from staging files too (until I get things working).

aitor · July 15, 2016, 5:09pm

What is your configuration? As I said in the first post.
Terminal output during provisioning: http://pastebin.com/ySXEzqY1
Nginx error log: http://pastebin.com/d1XKhFtg (there are several SSL errors)

cfx · July 15, 2016, 5:23pm

So you’re using multisite with domain mapping? That’s a pretty important detail you left out.

Please check this thread: Let's Encrypt issue when adding new domain to multisite

Also, can we see your wordpress_sites.yml? You can mask domain names if you like.

aitor · July 15, 2016, 10:16pm

Of course. Here it is: http://pastebin.com/X6AmztzA

I have

multisite:
      enabled: false
      subdomains: false

In all domains

I’m going to read the refered post. Thank you.

cfx · July 16, 2016, 3:52am

Ok so you’re just using multiple domains on one box without multisite. Please try this: Let’s Encrypt issue when adding new domain to multisite and add -vvvv to the end of the command in step #3. Paste output so we can see it. Thanks!

aitor · July 16, 2016, 8:27am

I tried it:

Remove certificates
$ sudo rm -rf /var/lib/letsencrypt /usr/local/letsencrypt /srv/www/letsencrypt /etc/nginx/ssl/letsencrypt /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
Generate new certificates
ansible-playbook server.yml -e env=production -K --tags letsencrypt
Reboot remote machine
Start Nginx

With same results. This is the output of provision with letsencrypt tag (verbose mode):
http://pastebin.com/GRuQciSs

I don’t know if it is meaningfull, there is no etc/cron.d/letsencrypt-certificate-renewal:

$ cat /etc/cron.d/letsencrypt-certificate-renewal
cat: /etc/cron.d/letsencrypt-certificate-renewal: No such file or directory

fullyint · July 16, 2016, 3:33pm

@aitor reviewing your pasted output, I don’t see any letsencrypt tasks running. This leaves me wondering if you’re running an older version of Trellis before the letsencrypt role was added. Please confirm whether the letsencrypt role appears in these places:

/Volumes/B/Documentos/trellis2/ansible/roles (compare)
/Volumes/B/Documentos/trellis2/ansible/roles/server.yml (compare)

cfx · July 16, 2016, 3:35pm

Yes that had me scratching my head too. Thanks @fullyint.

aitor · July 16, 2016, 3:50pm

I confirm. There is no letsencrypt roles
Excuse my ignorance