Production upgrade: existing site to Trellis + SSL help

Moving an existing WordPress site to Trellis + Bedrock [modifying the current theme without migrating to Sage yet], how can I get a Let’s Encrypt certificate with minimal downtime?

While the staging environment got its own DNS records, the production server will use the topmost zone, so Ansible reports an error while generating the certificate. Even if I create a record for the new site, the DNS record matching the canonical name must point to the server running the letsencrypt script…

TASK [letsencrypt : Generate the initial certificate] **************************
System info:
  Ansible; Linux
  Trellis at "Enable per-site setup for permalink structure"
fatal: [1IP_ADDRESS]: FAILED! => {"changed": false, "cmd": ["./"], "delta": "0:00:01.280733", "end": "2016-11-10 11:37:53.120531", "failed": true, "rc": 1, "start": "2016-11-10 11:37:51.839798", "stderr": "", "stdout": "Generating certificate for 

Since this domain is used by the online site, I cannot change the A record to point to the newly provisioned server before the deploy is finished properly.

How do you approach this?

Is your current production site on HTTPS?

If yes: then I assume it’s not LE and a manual cert, so you could use that for now.
If no: then provision new server without SSL on and then enable it once you’ve migrated servers/DNS.

Would that work?


LE seems to pick up DNS changes pretty quickly. I usually set a local hosts entry, change DNS to point to my droplet, and just keep retrying the provisioning about once per minute. I usually get it to go on the third or fourth try.

Then as long as you’re quick on the draw: provision, deploy, ssh to import database, upload Uploads.

Chances are you’ll catch it before most of the Internet even gets the updated DNS.

My way is probably reckless but I’ve had difficulty reprovisioning with SSL after first provisioning without. So it works for me.

@MWDelaney That approach came to mind, but the reason I am now using Roots is to make myself do the whole dev process a bit more organized. It’s good to know LE is quick on the DNS tho. thnx

@swalkinshaw Currently the site accepts both https and http, not forcing either. So yeah, I have a cert. I guess I can copy it over, you’re right.
Later, would I just change the manual cert to LE and redeploy?

> Later, would I just change the manual cert to LE and redeploy?


Yep, that’s what I’m thinking. You can do the manual method as described here:

  • I’m not 100% confident that method would work seamlessly (switching SSL “providers”). Hopefully it would, but might require a bit of manual intervention.
  • Trellis forces HTTPS by default and there’s no built-in way to disable that without manually editing Nginx templates.

@MWDelaney I’m only getting the hang of which task goes in deploy / provision. It’s a bit confusing.

@swalkinshaw Trellis only forces HTTPS if you set it so… I could set SSL: false if I wanted to… wrong?
That first manual step went fine. I’m about to do the DNS switch soon. Coincidentally, my Comodo cert is about to expire, so nice timing… What can I expect to go wrong when I do the switch?

Sure you can set that… but Trellis won’t do anything to configure SSL for you. Depends how much you want to do manually or not.

I don’t really expect anything to be honest. I just can’t remember doing much testing of switching between SSL providers. But if it’s off, then you turn it on with LE then should be fine.

Short update:

Switching didn’t really go well, or at all. Running the acme-challenge failed, although the ping.txt file was created and nginx was listening for it. DNS and hostname were set correctly.
I suspect it had something to do with the fact that a certificate was already registered for the staging server /with/ the root domain as a second alias, so the letsencrypt playbook didn’t try to create a new one… or smth else.

I’ll wait a couple of weeks before trying again.
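A defensive variant of the "retry the provisioning once per minute" approach earlier in the thread, which also gives a quick way to diagnose the failed acme-challenge in the last update: before re-running the Let's Encrypt play, confirm that the canonical hostname actually resolves to the new server and that the `/.well-known/acme-challenge/` location answers from that server, so retries only happen once validation can succeed and the Let's Encrypt failed-validation rate limit is not burned on blind attempts. This is an added example, not code from the thread or from Trellis itself; the host and IP are placeholders, `ping.txt` is the file name mentioned above, and it assumes `curl` and `dig` (or `getent`) are available on the machine running the playbook.

```shell
#!/bin/sh
# Hypothetical pre-flight helper for re-running the Trellis letsencrypt role
# (not part of Trellis). Checks: (1) public DNS for HOST points at SERVER_IP,
# (2) SERVER_IP serves the HTTP-01 challenge path over plain HTTP.
set -u

# dns_points_to EXPECTED_IP RESOLVED_LIST
# Succeeds when EXPECTED_IP is one of the newline-separated RESOLVED_LIST
# entries (exact, whole-line match so 203.0.113.1 never matches 203.0.113.10).
dns_points_to() {
  printf '%s\n' "$2" | grep -qxF "$1"
}

# resolve_a HOST: print the IPv4 A records for HOST, one per line.
resolve_a() {
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
  else
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
  fi
}

# wait_for_dns HOST EXPECTED_IP MAX_ATTEMPTS INTERVAL_SECONDS
# Polls the resolver (RESOLVER, default resolve_a) until HOST resolves to
# EXPECTED_IP; gives up after MAX_ATTEMPTS so a stale record is reported
# instead of retrying the certificate request against the old server.
wait_for_dns() {
  _attempt=0
  while [ "$_attempt" -lt "$3" ]; do
    if dns_points_to "$2" "$("${RESOLVER:-resolve_a}" "$1")"; then
      return 0
    fi
    _attempt=$((_attempt + 1))
    if [ "$_attempt" -lt "$3" ]; then
      sleep "$4"
    fi
  done
  return 1
}

# is_http_ok CODE: the challenge file must be served with a plain 200.
is_http_ok() {
  [ "$1" = "200" ]
}

# challenge_reachable HOST SERVER_IP TOKEN
# Requests http://HOST/.well-known/acme-challenge/TOKEN while pinning the
# connection to SERVER_IP with curl's --resolve, so the Nginx side can be
# checked even before the public DNS change has propagated to this machine.
challenge_reachable() {
  _code=$(curl -s -o /dev/null -w '%{http_code}' \
            --resolve "$1:80:$2" "http://$1/.well-known/acme-challenge/$3")
  is_http_ok "$_code"
}

# preflight HOST SERVER_IP [TOKEN]
# TOKEN defaults to ping.txt, the test file the thread above mentions.
# Returns 1 when DNS is not ready, 2 when Nginx does not serve the path.
preflight() {
  _token="${3:-ping.txt}"
  if ! wait_for_dns "$1" "$2" 5 60; then
    echo "DNS: $1 does not resolve to $2 yet; hold off on the letsencrypt play" >&2
    return 1
  fi
  if ! challenge_reachable "$1" "$2" "$_token"; then
    echo "HTTP: $2 does not serve /.well-known/acme-challenge/$_token for $1; check the Nginx acme-challenge location" >&2
    return 2
  fi
  echo "ok: $1 -> $2 and the challenge path answers 200; safe to run the provisioning play"
}

# Run the checks only when invoked with arguments, e.g.
#   sh le-preflight.sh example.com 203.0.113.10 && ansible-playbook server.yml -e env=production
if [ "$#" -ge 2 ]; then
  preflight "$@"
fi
```

The two checks separate the two failure modes mixed together in this thread: a non-zero exit of 1 means the A record has not switched yet (keep waiting, do not re-run the play), while 2 means DNS is fine but the server is not answering the challenge path, which points at the Nginx configuration or an existing certificate state rather than at propagation. Because the HTTP probe is pinned to the new server's IP with `--resolve`, it can be run from a developer machine before the public DNS change, the same way the local hosts entry in the earlier reply was used.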