Problem with letsencrypt: Generate the initial certificate

So I set up SSL on my staging server via Let’s Encrypt, in order to make sure that it works prior to attempting on production.

When I go to run the server.yml playbook for production, I get the following error:

TASK [letsencrypt : Generate the initial certificate] **************************
task path: /www/teamrubicon/trusa.org/trellis/roles/letsencrypt/tasks/certificates.yml:26
System info:
  Ansible 2.0.2.0; Darwin
  Trellis at "Add `vault_users` for easier password management"
---------------------------------------------------
fatal: [138.197.60.5]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:00.893103", "end": "2016-08-08 18:55:15.582461", "failed": true, "rc": 1, "start": "2016-08-08 18:55:14.689358", "stderr": "", "stdout": "Generating certificate for teamrubiconusa.org\nError while generating certificate for teamrubiconusa.org\nParsing account key...\nParsing CSR...\nRegistering account...\nAlready registered!\nVerifying teamrubiconusa.org...\nTraceback (most recent call last):\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n    main(sys.argv[1:])\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 123, in get_crt\n    wellknown_path, wellknown_url))\nValueError: Wrote file to /srv/www/letsencrypt/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU, but couldn't download http://teamrubiconusa.org/.well-known/acme-challenge/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU", "stdout_lines": ["Generating certificate for teamrubiconusa.org", "Error while generating certificate for teamrubiconusa.org", "Parsing account key...", "Parsing CSR...", "Registering account...", "Already registered!", "Verifying teamrubiconusa.org...", "Traceback (most recent call last):", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", "    main(sys.argv[1:])", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", "    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 123, in get_crt", "    wellknown_path, wellknown_url))", "ValueError: Wrote file to /srv/www/letsencrypt/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU, but couldn't download http://teamrubiconusa.org/.well-known/acme-challenge/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU"], "warnings": []}

cmd: ./renew-certs.py

start: 2016-08-08 18:55:14.689358

end: 2016-08-08 18:55:15.582461

delta: 0:00:00.893103

stdout: Generating certificate for teamrubiconusa.org
Error while generating certificate for teamrubiconusa.org
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying teamrubiconusa.org...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU, but couldn't download http://teamrubiconusa.org/.well-known/acme-challenge/P3DW-E1WmMKL07i6GFapVVS-xGt9otO1riOyRErBnGU

My guess is that since the site key for staging is the same as production, it sees that an account has been already registered, and then attempts to download it from the key url (teamrubiconusa.org) used for both staging and production, and fails since the key is actually at staging.teamrubiconusa.org.

How can I get Let’s Encrypt working on production?

I’ve pulled & merged Trellis to commit db0c068de7197c14132a42ab398c4c9b3cf9fcb3, and staging and production are on separate DO droplets.

Appreciate the help in advance!

You need to point www.teamrubiconusa.org to the same IP as teamrubiconusa.org. Make sure they both ping to the correct IP then try again.

They both resolve to the same IP; here’s production/wordpress_sites.yml:

wordpress_sites:
  teamrubiconusa.org:
    site_hosts:
      - canonical: teamrubiconusa.org
        redirects:
          - www.teamrubiconusa.org
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@github.com:teamrubiconusa/site.git
    repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: true
      duration: 180s
      skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml
      skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in
    env:
      ACF_PRO_KEY: "{{ ACF_PRO_KEY }}"
      wp_home: https://teamrubiconusa.org
      wp_siteurl: https://teamrubiconusa.org/wp

I’m getting a different IP than expected, probably due to CloudFlare, but I’m going to try again with the server’s IP instead of the floating IP (à la Digital Ocean) in hosts/production and see what happens…
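The ValueError in the traceback comes from acme_tiny's own self-check: it writes the token into the acme directory and then tries to download it from the public URL before asking the CA to validate. The reply above asks whether www and the bare domain lead to the same IP, and the follow-up suspects Cloudflare or the floating IP; both conditions can be tested in one pass before the playbook runs. The script below is an added example, not Trellis or acme_tiny code. It assumes the acme directory /srv/www/letsencrypt from the traceback, embeds a constructed Python dict mirroring the posted wordpress_sites.yml (so it needs no YAML library), and takes the droplet's IP on the command line; for each host in the certificate it checks that DNS leads to that IP, drops a random token into the acme directory, and verifies that exactly that token comes back over HTTP. Run it on the production host itself, as acme_tiny does, so a proxy or a different droplet answering the well-known URL shows up as a resolution mismatch or a foreign response body rather than a surprise during the Ansible task.

```python
"""Pre-flight check for Let's Encrypt HTTP-01 validation on a Trellis host.

Added example, not Trellis or acme_tiny code. Reproduces the self-check that
produced the ValueError in the traceback: write a token into the acme
directory, then confirm it can be downloaded at
http://<host>/.well-known/acme-challenge/<token> for every host in the CSR.
"""
import secrets
import socket
import sys
import urllib.error
import urllib.request
from pathlib import Path

# Directory acme_tiny wrote the challenge file into, per the traceback on the page.
ACME_DIR = Path("/srv/www/letsencrypt")

# Constructed stand-in for production/wordpress_sites.yml as posted (kept as a
# dict so the script needs no YAML library).
WORDPRESS_SITES = {
    "teamrubiconusa.org": {
        "site_hosts": [
            {"canonical": "teamrubiconusa.org",
             "redirects": ["www.teamrubiconusa.org"]},
        ],
        "ssl": {"enabled": True, "provider": "letsencrypt"},
    },
}


def letsencrypt_hosts(sites):
    """All hostnames a Let's Encrypt certificate will cover: each canonical host
    plus its redirects, for sites with ssl.enabled and provider letsencrypt."""
    hosts = []
    for site in sites.values():
        ssl = site.get("ssl", {})
        if not (ssl.get("enabled") and ssl.get("provider") == "letsencrypt"):
            continue
        for entry in site.get("site_hosts", []):
            hosts.append(entry["canonical"])
            hosts.extend(entry.get("redirects", []))
    return hosts


def resolve(host):
    """Addresses DNS returns for host, as seen from the machine running this."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 80)}
    except socket.gaierror:
        return set()


def fetch(url, timeout=10):
    """Body of a plain-HTTP GET, or None on any network/HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def write_challenge(token):
    """Drop the token file where acme_tiny would, with the token as its body."""
    (ACME_DIR / token).write_text(token)


def remove_challenge(token):
    """Clean up the token file; ignore it if it is already gone."""
    try:
        (ACME_DIR / token).unlink()
    except FileNotFoundError:
        pass


def check_host(host, server_ip, writer=write_challenge, remover=remove_challenge,
               resolver=resolve, fetcher=fetch):
    """Return (ok, reason). Fails if DNS for host does not lead to server_ip,
    if the challenge URL cannot be downloaded, or if something other than this
    server (a proxy, another droplet) answers with a different body."""
    addrs = resolver(host)
    if server_ip not in addrs:
        shown = ", ".join(sorted(addrs)) or "nothing"
        return False, f"{host} resolves to {shown}, not {server_ip}"
    token = secrets.token_urlsafe(32)
    writer(token)
    try:
        body = fetcher(f"http://{host}/.well-known/acme-challenge/{token}")
    finally:
        remover(token)
    if body is None:
        return False, f"could not download the challenge from {host}"
    if body.strip() != token:
        return False, f"{host} answered with a different body (another server or proxy is in front)"
    return True, "ok"


def main(server_ip, sites=WORDPRESS_SITES):
    """Check every host; return True only if all of them pass."""
    all_ok = True
    for host in letsencrypt_hosts(sites):
        ok, reason = check_host(host, server_ip)
        all_ok = all_ok and ok
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {reason}")
    return all_ok


if __name__ == "__main__":
    # Run on the production droplet itself, e.g.: python3 check_acme.py 138.197.60.5
    sys.exit(0 if main(sys.argv[1]) else 1)
```

The resolver and fetcher are passed in as parameters so the same logic can be exercised against fakes; in real use the defaults hit DNS and HTTP from the droplet. A FAIL on the resolution step for www but not for the bare domain matches the reply's diagnosis; a FAIL with "different body" on a host that does resolve to the droplet is what a Cloudflare proxy or a floating IP pointing at a different server looks like.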