Roots Discourse

SSL / Lets Encrypt not autoupdating / multiple trellis instances

Hi,
I have this problem where Lets Encrypt will not autoupdate properly.

I think the problem might be that I am deploying multiple projects on the same droplet. Every project has its own trellis-instance, site- and trellis-folder are in the same github repo. I think I remember @benword mentioning in an other threat, that this is not the way trellis was meant to be used?

From looking at the cronjob files, I had the idea that maybe every time I provision from a new trellis instance/project, this project will overwrite the cronjob-files and only the cronjobs of the last provisioned project will work, the others will not be triggered anymore.

Am I right with this and what would be a good way to fix this? Maybe have only one trellis-folder in an own github-repo and multiple site-folders in seperate github-repos?
As I’m hosting a lot of very small sites it would be unnecessarily expensive to deploy each on an own droplet, so I would like to avoid that if possible.

My fix at the moment is uptime-monitoring and manually reprovisioning - which obviously is a sh**y solution.

cheers
Josia

:thinking: I believe that might be correct. The Lets Encrypt cron job simply runs the generated ./renew-certs.py script. But that script file is “global” since it’s only generated once per project to the same file path meaning it should overwrite any existing ones.

Is this the only problem you’ve run into with this multi-trellis setup on a single server?

1 Like

First of all thanks for your reply!

And yes I‘m running this setup since over a year and its working great except this one aspect - can‘t say for sure tho there arent any other problems I haven‘t noticed yet.

Any ideas how I could change adapt the lets encrypt regeneration process in order to make it work?

I think the only option is getting Trellis to generate separate renew-certs.py scripts per project. This means two things:

  1. they’d need to exist at a different path (subfolder or unique part of file name)
  2. the cron task would need to be updated to reference the per-project paths

So you’d need to include some sort of identifier in the dest name here:

Then you’d have to use the same identifier/path in:

My best guess for a suitable identifier would be using the wordpress site name. I’m guessing you only have 1 per project? So you could use {{ wordpress_sites.keys() | first }}:

- name: Generate certificate renewal script
    template:
      src: renew-certs.py
      dest: "{{ acme_tiny_data_directory }}/renew-certs-{{ wordpress_sites.keys() | first }}.py"
      mode: 0700
    tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes]

and

- name: Install cronjob for key generation
  cron:
    cron_file: letsencrypt-certificate-renewal
    name: letsencrypt certificate renewal
    user: root
    job: cd {{ acme_tiny_data_directory }} && ./renew-certs-{{ wordpress_sites.keys() | first }}.py ; /usr/sbin/service nginx reload
    day: "{{ letsencrypt_cronjob_daysofmonth }}"
    hour: "4"
    minute: "30"
    state: present

No guarantees, but you can try that.

wow thanks man, I will try that asap and let you know if it worked!