SSL / Let's Encrypt not auto-updating / multiple Trellis instances

Hi,
I have this problem where Let's Encrypt will not auto-update properly.

I think the problem might be that I am deploying multiple projects on the same droplet. Every project has its own Trellis instance; the site and trellis folders are in the same GitHub repo. I think I remember @ben mentioning in another thread that this is not the way Trellis was meant to be used?

From looking at the cronjob files, I had the idea that maybe every time I provision from a new Trellis instance/project, this project will overwrite the cronjob files and only the cronjobs of the last provisioned project will work; the others will not be triggered anymore.

Am I right with this, and what would be a good way to fix this? Maybe have only one trellis folder in its own GitHub repo and multiple site folders in separate GitHub repos?
As I'm hosting a lot of very small sites it would be unnecessarily expensive to deploy each on its own droplet, so I would like to avoid that if possible.

My fix at the moment is uptime-monitoring and manually reprovisioning - which obviously is a sh**y solution.

cheers
Josia

:thinking: I believe that might be correct. The Let's Encrypt cron job simply runs the generated ./renew-certs.py script. But that script file is "global" since it's only generated once per project to the same file path, meaning it should overwrite any existing ones.

Is this the only problem you’ve run into with this multi-trellis setup on a single server?


First of all thanks for your reply!

And yes, I've been running this setup for over a year and it's working great except for this one aspect; can't say for sure though that there aren't any other problems I haven't noticed yet.

Any ideas how I could adapt the Let's Encrypt regeneration process in order to make it work?

I think the only option is getting Trellis to generate separate renew-certs.py scripts per project. This means two things:

  1. they’d need to exist at a different path (subfolder or unique part of file name)
  2. the cron task would need to be updated to reference the per-project paths

So you’d need to include some sort of identifier in the dest name here:

Then you’d have to use the same identifier/path in:
https://github.com/roots/trellis/blob/b6d6ee744ab4469c72ef8878efe7f3987b7d58de/roles/letsencrypt/tasks/main.yml#L6-L15

My best guess for a suitable identifier would be using the WordPress site name. I'm guessing you only have 1 per project? So you could use {{ wordpress_sites.keys() | first }}:

- name: Generate certificate renewal script
  template:
    src: renew-certs.py
    dest: "{{ acme_tiny_data_directory }}/renew-certs-{{ wordpress_sites.keys() | first }}.py"
    mode: 0700
  tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes]

and

- name: Install cronjob for key generation
  cron:
    cron_file: letsencrypt-certificate-renewal
    name: letsencrypt certificate renewal
    user: root
    job: cd {{ acme_tiny_data_directory }} && ./renew-certs-{{ wordpress_sites.keys() | first }}.py ; /usr/sbin/service nginx reload
    day: "{{ letsencrypt_cronjob_daysofmonth }}"
    hour: "4"
    minute: "30"
    state: present

No guarantees, but you can try that.
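A way to verify the result on the server after provisioning each project, added here as an example that is not Trellis code or part of the thread: it lists every per-project renew-certs-*.py script in the acme-tiny data directory and checks that the cron file references each exactly once, flagging a script whose entry was overwritten or dropped. One caveat the check helps catch: the Ansible cron module identifies an entry by its name within cron_file, so if name stays identical for every project the entry is replaced rather than added. The directory layout, site names and cron lines in the fixture are constructed.

```shell
# Added check (not Trellis code): confirm each per-project renewal script has
# exactly one cron entry and each cron entry points at an existing script.
# Caveat this surfaces: the Ansible cron module matches entries by `name`
# within `cron_file`, so a shared name means the last provision replaces the
# entry rather than adding one. Paths and fixture contents are constructed.

check_renewal_cron() {
    data_dir="$1"; cron_file="$2"; problems=0
    # Every renew-certs-<site>.py should be executable and referenced once.
    for script in "$data_dir"/renew-certs-*.py; do
        [ -e "$script" ] || continue          # glob matched nothing
        base=$(basename "$script")
        n=$(grep -c -- "./$base" "$cron_file" || true)
        if [ "$n" -ne 1 ]; then
            echo "WARN: $base is referenced $n times in $cron_file"
            problems=$((problems + 1))
        fi
        [ -x "$script" ] || { echo "WARN: $base not executable"; problems=$((problems + 1)); }
    done
    # The reverse: a cron line pointing at a script that no longer exists.
    for ref in $(grep -o 'renew-certs-[^ ;]*\.py' "$cron_file"); do
        [ -e "$data_dir/$ref" ] || { echo "WARN: cron references missing $ref"; problems=$((problems + 1)); }
    done
    return $problems   # 0 means every project renews independently
}

# Constructed fixture: two project scripts plus a cron file holding one entry
# per site name passed in (mirrors the job line from the thread).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/acme"
    for site in example.com other.test; do
        printf '#!/usr/bin/env python3\n' > "$dir/acme/renew-certs-$site.py"
        chmod 0700 "$dir/acme/renew-certs-$site.py"
    done
    : > "$dir/cron"
    for site in "$@"; do
        printf '30 4 1 * * root cd %s && ./renew-certs-%s.py ; /usr/sbin/service nginx reload\n' \
            "$dir/acme" "$site" >> "$dir/cron"
    done
    echo "$dir"
}
```

On a real host, point check_renewal_cron at the acme-tiny data directory and /etc/cron.d/letsencrypt-certificate-renewal instead of the fixture.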

wow thanks man, I will try that asap and let you know if it worked!
