Problem Provisioning SSL with Let's Encrypt

I upgraded Trellis on one of my sites today.

I decided to refresh the droplets for Staging and Production at the same time.

The staging provisioning worked first time, but when I tried to provision production, I kept getting an error that the acme challenge file was not found.

When I looked more closely, I can see that let’s encrypt is trying to load:

http://www.mysite.com/.well-known/acme-challenge/ZFCDUPM4A9VEFN7tXEWPjyHmAhM9uRzQEJTACtn1WPk

Instead of:

http://mysite.com/.well-known/acme-challenge/ZFCDUPM4A9VEFN7tXEWPjyHmAhM9uRzQEJTACtn1WPk

without the leading ‘www’.

I tried removing the ‘redirects: - www.mysite.com’ from my production wordpress_sites.yml but then I get more errors.

I’ve never run into this problem before. Does anyone know what might be causing it?

One less known issue is an incorrect IPv6 AAAA DNS record.

Let’s Encrypt prefers IPv6 AAAA over IPv4 A DNS records. When the IPv6 AAAA record is incorrect or the HTTP server doesn’t correctly listen on IPv6, validation will fail, even when it is possible over IPv4.

So better have no IPv6 AAAA DNS record than an incorrect one.

SSL requires a certificate for each host which means mysite.com and www.mysite.com are considered different. This also means Trellis creates challenges for each one.

You didn’t post the exact error message, but I’m assuming there’s an issue with your DNS entries (as @strarsis hinted). mysite.com might be succeeding so you’re only seeing the failure for www.mysite.com.

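A small diagnostic that follows the two points made above (every hostname in the certificate is validated on its own, and a wrong AAAA record breaks validation even when IPv4 works). This is an added example, not code from this thread or from Trellis: it resolves the A and AAAA records for each name, connects to every address individually with the right Host header, requests the challenge path, and reports a name that answers over IPv4 but not over its AAAA address, or one that is reachable but does not serve the file. The hostnames mysite.com and www.mysite.com are taken from the thread; the token is a placeholder, and the resolver and fetcher can be swapped for constructed ones when testing.

```python
# Added example (not from the thread or Trellis): probe the ACME HTTP-01
# challenge path for every hostname over every A and AAAA address it
# resolves to, so a broken AAAA record or a missing file stands out.
import http.client
import socket
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    host: str
    family: str            # "A" or "AAAA"
    address: str
    status: Optional[int]  # HTTP status, or None when the TCP connection failed
    error: Optional[str]


def resolve(host: str) -> Dict[str, List[str]]:
    """A and AAAA addresses for host, via the system resolver."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records
    for family, _, _, _, sockaddr in infos:
        if family == socket.AF_INET:
            records["A"].append(sockaddr[0])
        elif family == socket.AF_INET6:
            records["AAAA"].append(sockaddr[0])
    return {k: sorted(set(v)) for k, v in records.items()}


def fetch(host: str, address: str, path: str,
          timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """GET path by connecting to one specific address, with Host: set to host,
    which is how the CA reaches each address it resolved."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status, None
    except OSError as exc:
        return None, str(exc)
    finally:
        conn.close()


def probe(hosts, token, resolver=resolve, fetcher=fetch) -> List[ProbeResult]:
    """One probe per (host, address); each name in the cert is checked separately."""
    path = ACME_PATH + token
    results = []
    for host in hosts:
        records = resolver(host)
        for family in ("A", "AAAA"):
            for address in records[family]:
                status, error = fetcher(host, address, path)
                results.append(ProbeResult(host, family, address, status, error))
    return results


def diagnose(hosts, results) -> List[str]:
    """Findings per host; an empty list means every address served the challenge."""
    findings = []
    for host in hosts:
        mine = [r for r in results if r.host == host]
        reachable = [r for r in mine if r.status is not None]
        served = [r for r in reachable if r.status < 400]  # the CA follows 3xx redirects
        unreachable_v6 = [r for r in mine if r.family == "AAAA" and r.status is None]
        if not mine:
            findings.append(f"{host}: no A or AAAA record")
        elif unreachable_v6 and any(r.family == "A" for r in reachable):
            addrs = ", ".join(f"{r.address} ({r.error})" for r in unreachable_v6)
            findings.append(f"{host}: answers over IPv4 but not on AAAA {addrs}; "
                            "the CA prefers IPv6, so fix or remove the AAAA record")
        elif not reachable:
            findings.append(f"{host}: no address accepts connections on port 80")
        elif not served:
            codes = ", ".join(f"{r.address} -> {r.status}" for r in reachable)
            findings.append(f"{host}: reachable but challenge path not served ({codes}); "
                            "check which vhost handles this Host header")
        elif len(served) < len(reachable):
            bad = ", ".join(f"{r.family} {r.address} -> {r.status}"
                            for r in reachable if r.status >= 400)
            findings.append(f"{host}: challenge served on some addresses but not {bad}")
    return findings


if __name__ == "__main__":
    # usage: python probe.py TOKEN host1 host2 ...  (hostnames below are from the thread)
    token = sys.argv[1] if len(sys.argv) > 1 else "TOKEN_PLACEHOLDER"
    names = sys.argv[2:] or ["mysite.com", "www.mysite.com"]
    for line in diagnose(names, probe(names, token)) or ["every address served the challenge"]:
        print(line)
```

Run it with the token from the failing provisioning output while the challenge file is still in place; a connection error on the AAAA address with a 200 on the A address is exactly the situation strarsis describes, and a 404 on one name but not the other points at the vhost that answers for that Host header.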

Thanks for the awesome information.

Thanks Scott, and sorry I missed this before. I will give it another try.