Roots Discourse

SSL Privacy Error on www Redirect to non-www

Hey All,

I’ve been having a really difficult time trying to get this to work. I’ve followed the documentation and tried numerous configurations through trellis, nginx template files and DNS settings. For the life of me I can’t get the www to successfully redirect to the non-www. Currently, the issue is that it’s picking up on the non-www SSL certification and flagging it as a security risk.

For reference, the URL I am trying to fix is cg-originals.com and www.cg-originals.com

Here is my Wordpress site:

wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
    redirects:
      - www.cg-originals.com
    www_redirect: true
    local_path: ../site
    repo: git@bitbucket.org:/luke-markey/christina-website.git
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false
      duration: 30s
      skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml
      skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in
    env:
      wp_env: staging
      db_name: ####
      db_user: ####
      wp_home: https://cg-originals.com
      wp_siteurl: https://cg-originals.com/wp
      disable_wp_cron: true

If I tab the redirects under canonical like it shows in the docs, I get a syntax error. If I try two canonical tags, I get a LE error on provision. I’ve also tried NGINX template files for the site:

server {
    listen 80;
    listen 443 ssl;
    server_name www.cg-originals.com;
    return 301 $scheme://cg-originals.com$request_uri;
}

And no luck. Please advise! Thank you

You should show us the error instead of talking about it :wink:

Again, what is the error? Along with what version of Trellis you’re using.

This is not necessary

www redirect to non-www is the default when the canonical and redirect params are set the way you have them setup in your config, there shouldn’t be any additional configs necessary. If you have your DNS setup properly (which it appears you do) then you need not alter anything else.

I suspect you may have provisioned your server before you setup your A Record for the www hostname.

Can you please remove your additional configs and run the LetsEncrypt task from the provision playbook again and output results here?

Also check out this and this.

1 Like

Hey Ben,

Sorry for the misinformation. Here’s the setup I tried to use as per the documentation:

wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
      redirects:
        - www.cg-originals.com

And the subsequent error message:

The error appears to have been in '/mnt/c/src/christina-website/trellis/group_vars/production/wordpress_sites.yml': line 9, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

      - canonical: cg-originals.com
      redirects:
      ^ here

And after trying to write two canonicals like so:

wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
      - canoncial: www.cg-originals.com

I get the error message:

Required format for `site_hosts` (group_vars/production/wordpress_sites.yml):

example.com:
  site_hosts:
    - canonical: example.com

The above is the minimum required. Multiple hosts and redirects are possible:

example.com:
  site_hosts:
    - canonical: example.com
      redirects:
        - www.example.com
        - site.com
    - canonical: example.co.uk
      redirects:
        - www.example.co.uk

And here is the base setup I’m trying:

wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
    www_redirect: true
    local_path: ../site
    repo: git@bitbucket.org:/luke-markey/christina-website.git
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false
      duration: 30s
      skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml
      skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in
    env:
      wp_env: production
      db_name: ###
      db_user: ###
      wp_home: https://cg-originals.com
      wp_siteurl: https://cg-originals.com/wp
      disable_wp_cron: true

This doesn’t throw any errors on provision, but I’m still not able to get the www to work. I did provision this server without taking the www into consideration, if there are issues with pre-existing configurations. I’ve currently set the A name for the www but also tried to CNAME it to the non-www on the DNS and still had issues.

Thanks for your help!

Did you read the error messages? You have some errors in your YAML syntax, I recommend you use an online linter.

http://www.yamllint.com/

I can pass syntax by adding another hyphen to the redirects line but trellis still complains that it’s not correct:

Required format for `site_hosts` (group_vars/production/wordpress_sites.yml):

example.com:
  site_hosts:
    - canonical: example.com

The above is the minimum required. Multiple hosts and redirects are possible:

example.com:
  site_hosts:
    - canonical: example.com
      redirects:
        - www.example.com
        - site.com
    - canonical: example.co.uk
      redirects:
        - www.example.co.uk

failed: [104.236.46.78] (item=cg-originals.com) => {"failed": true, "item": "cg-originals.com"}

Considering this error you received:

The offending line appears to be:

      - canonical: cg-originals.com
      redirects:
      ^ here

I think you just need to indent your redirects two more spaces. Compare with the indentation of redirects in the error message suggestion:

example.com:
  site_hosts:
    - canonical: example.com
      redirects:
        - www.example.com

This complex YAML can be confusing. Check out http://docs.ansible.com/ansible/YAMLSyntax.html

# try this
wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
        redirects:
          - www.cg-originals.com

# conceptual representation of wordpress_sites
wordpress_sites:     <-- a dict
  example.com:       <-- a dict, an item in the wordpress_sites dict
    site_hosts:      <-- a list (because its items are preceded by dashes)
      - host_set_1   <-- a dict, an item in the site_hosts list

# conceptual representation of an item in site_hosts
host_set_1:          <-- a dict, an item in the site_hosts list
  canonical          <-- a simple variable, an item in host_set_1 dict
  redirects          <-- a list, an item in the host_set_1 dict
    - redirect_1     <-- a list item, an item in the redirects list
2 Likes
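As an added example that is not part of this thread (and not Trellis’s own code), the Python script below feeds the three site_hosts layouts posted above through PyYAML and a check modelled on the documented required format, so you can see which one dies in the parser and which one passes the parser but fails the format check. It assumes PyYAML is installed; the three YAML strings are constructed from the posts above.

```python
import yaml

# Three layouts constructed from this thread's posts (not Trellis code).
# 1. `redirects` aligned with the dash is a stray key inside the sequence: parse error.
MISINDENTED = """\
wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
      redirects:
        - www.cg-originals.com
"""
# 2. Valid YAML, but the second item misspells `canonical`.
TYPO = """\
wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
      - canoncial: www.cg-originals.com
"""
# 3. `redirects` two spaces deeper than the dash, a key of the same dict as `canonical`.
CORRECT = """\
wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
        redirects:
          - www.cg-originals.com
"""

def check(text):
    """Parse wordpress_sites YAML, then check site_hosts Trellis-style; [] means valid."""
    try:
        config = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return [f"YAML syntax error: {str(exc).splitlines()[0]}"]
    errors = []
    for name, site in config.get("wordpress_sites", {}).items():
        hosts = site.get("site_hosts")
        if not isinstance(hosts, list) or not hosts:
            errors.append(f"{name}: site_hosts must be a non-empty list")
            continue
        for i, item in enumerate(hosts):
            item = item if isinstance(item, dict) else {}
            if not isinstance(item.get("canonical"), str):
                errors.append(f"{name}: site_hosts[{i}] has no `canonical` host")
            redirects = item.get("redirects", [])
            if not (isinstance(redirects, list) and all(isinstance(r, str) for r in redirects)):
                errors.append(f"{name}: site_hosts[{i}].redirects must list hostnames")
    return errors
```

Running `check()` on the first string reproduces the parser failure Ansible reported, the second string parses but is rejected because its second item has no `canonical` key, and the third returns no errors.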

I was able to get trellis to provision alright with the adjustments you included in your response. After that, I was able to run

ansible-playbook server.yml -e env=environment --tags wordpress

and then

ansible-playbook server.yml -e env=environment --tags letsencrypt

and now I’m able to run a full provision without any errors. However, there still seems to be an invalid cert name error popping up for the www domain. Here is my configuration for reference:

wordpress_sites:
  cg-originals.com:
    site_hosts:
      - canonical: cg-originals.com
        redirects:
          - www.cg-originals.com
    www_redirect: true

Do you have any thoughts why this would happen? Thanks again for your assistance!

Congrats on the progress!

The cert shows up fine for me at https://cg-originals.com/ but not for the www version because www is not included in the cert, e.g., see

openssl s_client -connect cg-originals.com:443 2>&1 | openssl x509 -text | grep DNS

The problem is that once the cert is created, Trellis won’t adjust the domains it covers, at least not until roots/trellis#630 is merged. So, you’ll need to do the following:

3 Likes

This works! Thank you so much for your help. I can’t believe I didn’t see the tab issue to begin with.

1 Like