SSL problems on www subdomain

I’ve successfully deployed a site (alexbracken.co) onto a DigitalOcean droplet, but I’m having some difficulties getting the www subdomain to work correctly. It’s currently giving me an ERR_SSL_UNRECOGNIZED_NAME_ALERT error.

I used Trellis to create and deploy to a DigitalOcean droplet, and am trying to refrain from poking around the production environment too much so Trellis and Ansible can do their thing. It seems like Trellis should be catching the www.alexbracken.co in the redirects section and adding it to the SSL certificate, but something is not happening in this process.

I’m adding the nginx log below, and I’m happy to provide any other information that could be helpful. ChatGPT seems to think there is something going on with my IPv6 configuration, but again, I’m using Trellis with pretty minimal intervention by myself, so I’m not sure exactly what is going on there.

Nginx log
2024/07/25 06:30:15 [crit] 174614#174614: connect() failed (101: Network is unreachable) while resolving, resolver: [2606:4700:4700::1001]:53
2024/07/25 07:37:04 [error] 174614#174614: *29344 "/etc/nginx/html/index.html" is not found (2: No such file or directory), client: 167.94.138.55, server: , request: "GET / HTTP/1.1", host: "143.198.164.61:443"
2024/07/25 10:42:55 [crit] 174614#174614: connect() failed (101: Network is unreachable) while resolving, resolver: [2001:4860:4860::8888]:53
2024/07/25 10:42:55 [crit] 174614#174614: connect() failed (101: Network is unreachable) while resolving, resolver: [2001:4860:4860::8844]:53
2024/07/25 10:42:57 [error] 174614#174614: r10.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r10.o.lencr.org, certificate: "/etc/nginx/ssl/letsencrypt/alexbracken.test-bundled.cert"
2024/07/25 11:15:20 [crit] 174614#174614: connect() failed (101: Network is unreachable) while resolving, resolver: [2001:4860:4860::8844]:53
2024/07/25 14:59:20 [warn] 240390#240390: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 14:59:20 [warn] 240390#240390: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 14:59:20 [warn] 240390#240390: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 14:59:20 [warn] 240390#240390: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:03:13 [warn] 240892#240892: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:03:13 [warn] 240892#240892: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:04:15 [warn] 241350#241350: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:04:15 [warn] 241350#241350: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:04:15 [warn] 241350#241350: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:04:15 [warn] 241350#241350: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:04:16 [warn] 240901#240901: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:04:16 [warn] 240901#240901: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:04:16 [warn] 240901#240901: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:04:16 [warn] 240901#240901: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:20:39 [warn] 246864#246864: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:20:39 [warn] 246864#246864: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:20:39 [warn] 246864#246864: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:20:39 [warn] 246864#246864: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:20:39 [warn] 240901#240901: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:20:39 [warn] 240901#240901: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:20:39 [warn] 240901#240901: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:20:39 [warn] 240901#240901: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:35:25 [warn] 250937#250937: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:35:25 [warn] 250937#250937: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:35:25 [warn] 250937#250937: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:35:25 [warn] 250937#250937: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:39:35 [warn] 255490#255490: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:39:35 [warn] 255490#255490: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:39:35 [warn] 255490#255490: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:39:35 [warn] 255490#255490: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:39:35 [warn] 250948#250948: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:39:35 [warn] 250948#250948: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:39:35 [warn] 250948#250948: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:39:35 [warn] 250948#250948: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:42:34 [warn] 256235#256235: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:42:34 [warn] 256235#256235: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:42:34 [warn] 256235#256235: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:42:34 [warn] 256235#256235: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18
2024/07/25 15:42:35 [warn] 250948#250948: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:5
2024/07/25 15:42:35 [warn] 250948#250948: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/alexbracken.test.conf:6
2024/07/25 15:42:35 [warn] 250948#250948: protocol options redefined for [::]:443 in /etc/nginx/sites-enabled/no-default.conf:17
2024/07/25 15:42:35 [warn] 250948#250948: protocol options redefined for 0.0.0.0:443 in /etc/nginx/sites-enabled/no-default.conf:18

Can you share the contents of group_vars/production/wordpress_sites.yml?

Have you re-provisioned the remote server after making any changes to the file above or any other parts of your Trellis install?

Sure, I’ve included that below.

I’ve re-provisioned the production server several times, including the sequence described in the Troubleshooting SSL section of the docs (hoping to force the certificate to be regenerated).

wordpress_sites:
  alexbracken.test:
    site_hosts:
    - canonical: alexbracken.co
    redirects:
    - www.alexbracken.co
    local_path: ../site
    branch: prod
    repo: git@github.com:alexbracken/alexbracken.co.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
      hsts_include_subdomains: true
      
    cache:
      enabled: false

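To show how the symptom in this thread arises from nginx’s SNI dispatch and from the names on the certificate, here is an added Python model (example code written for this page, not Trellis’s own code): it applies nginx’s server_name precedence and an RFC 6125 style SAN match to every host the site above needs, which is the canonical host plus each redirect. The server blocks, the SAN lists and the assumption that the catch-all server in no-default.conf has `ssl_reject_handshake on` (that setting is what makes nginx answer an unknown SNI name with the TLS unrecognized_name alert, which Chrome reports as ERR_SSL_UNRECOGNIZED_NAME_ALERT) are all constructed here. One caveat on the YAML as pasted: the `site_hosts()` helper expects `redirects` nested under the canonical entry, the way Trellis documents it; with `redirects:` at the same indentation as `site_hosts:`, a YAML parser reads it as a sibling key of the site instead.

```python
"""Model of how nginx picks a TLS server block from the SNI name and what the
browser then sees.  Added example for this thread, not Trellis code: the server
blocks, certificate SAN lists and the ssl_reject_handshake catch-all are
constructed to mirror the configuration posted above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerBlock:
    server_names: tuple                  # server_name directive (exact or wildcard; regex not modelled)
    san_names: tuple = ()                # dNSName entries of the ssl_certificate
    default_server: bool = False
    ssl_reject_handshake: bool = False   # nginx >= 1.19.4: abort handshake with unrecognized_name


def nginx_name_matches(pattern: str, host: str) -> bool:
    """nginx server_name matching: exact, '*.example.com' or 'www.example.*'.
    nginx's wildcard may cover several labels, unlike a TLS certificate wildcard."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1
    return host == pattern


def select_server(blocks, sni: str) -> ServerBlock:
    """nginx precedence: exact name, then longest leading wildcard, then longest
    trailing wildcard, then the default server for that listen socket."""
    exact = [b for b in blocks if any(n == sni.lower() for n in b.server_names)]
    if exact:
        return exact[0]
    for kind in (lambda n: n.startswith("*."), lambda n: n.endswith(".*")):
        hits = [(len(n), b) for b in blocks for n in b.server_names
                if kind(n) and nginx_name_matches(n, sni)]
        if hits:
            return max(hits, key=lambda h: h[0])[1]
    defaults = [b for b in blocks if b.default_server]
    return (defaults or list(blocks))[0]


def tls_san_matches(san: str, host: str) -> bool:
    """RFC 6125 style: a wildcard is only allowed as the whole leftmost label and
    matches exactly one label."""
    san, host = san.lower(), host.lower().rstrip(".")
    if san.startswith("*."):
        s_labels, h_labels = san.split(".")[1:], host.split(".")
        return len(h_labels) == len(s_labels) + 1 and h_labels[1:] == s_labels
    return san == host


def classify_handshake(blocks, sni: str) -> str:
    """What a browser connecting with this SNI name would report."""
    block = select_server(blocks, sni)
    if block.ssl_reject_handshake:
        return "unrecognized_name alert (Chrome: ERR_SSL_UNRECOGNIZED_NAME_ALERT)"
    if any(tls_san_matches(s, sni) for s in block.san_names):
        return "ok"
    return "name mismatch (Chrome: ERR_CERT_COMMON_NAME_INVALID)"


def site_hosts(site: dict) -> list:
    """Every hostname a Trellis site needs served and on its certificate:
    the canonical host plus its redirects, for each site_hosts entry."""
    hosts = []
    for entry in site["site_hosts"]:
        hosts.append(entry["canonical"])
        hosts.extend(entry.get("redirects", []))
    return hosts


# Constructed to mirror the wordpress_sites.yml posted in the thread.
SITE = {"site_hosts": [{"canonical": "alexbracken.co",
                        "redirects": ["www.alexbracken.co"]}]}

# Assumed catch-all block, as in a no-default.conf that rejects unknown SNI names.
CATCH_ALL = ServerBlock(server_names=("",), default_server=True, ssl_reject_handshake=True)

# Scenario 1: only the canonical host got a server block and a certificate name.
BROKEN = (ServerBlock(("alexbracken.co",), san_names=("alexbracken.co",)), CATCH_ALL)

# Scenario 2: a redirect block for www exists and the certificate covers both names.
FIXED = (ServerBlock(("alexbracken.co",), san_names=("alexbracken.co", "www.alexbracken.co")),
         ServerBlock(("www.alexbracken.co",), san_names=("alexbracken.co", "www.alexbracken.co")),
         CATCH_ALL)


def report(blocks, site=SITE) -> dict:
    """Outcome per required host for a given set of server blocks."""
    return {host: classify_handshake(blocks, host) for host in site_hosts(site)}


if __name__ == "__main__":
    for label, blocks in (("broken", BROKEN), ("fixed", FIXED)):
        for host, outcome in report(blocks).items():
            print(f"{label:6} {host:22} {outcome}")
```

The first scenario reports "ok" for alexbracken.co and the unrecognized_name alert for www, the second reports "ok" for both. To check the live server rather than the model, `openssl s_client -connect <droplet-ip>:443 -servername www.alexbracken.co` shows whether nginx completes the handshake for that name at all, and piping the apex connection through `openssl x509 -noout -ext subjectAltName` lists the names the served certificate actually carries.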
One common pitfall I encountered in the past is that Let’s Encrypt ACME (Domain 01) validation uses an IPv6 (AAAA) DNS record over an IPv4 (A) DNS record. So either have a valid IPv6 (AAAA) DNS record or none at all.

It may well be that the www subdomain has, in addition to an IPv4 (A) DNS record, an IPv6 (AAAA) record which is either outdated or invalid, or that the web server is not listening on that IPv6 address / does not support IPv6.


I looked on my DigitalOcean droplet and IPv6 is disabled and there’s no AAAA records. The output of the dig command on the main domain and www subdomain is below.

I guess I’m not sure whether to turn IPv6 on or off. It’s off now, and it seems like that is the way it is intended to be.

dig AAAA alexbracken.co
; <<>> DiG 9.10.6 <<>> AAAA alexbracken.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50569
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;alexbracken.co.			IN	AAAA

;; AUTHORITY SECTION:
alexbracken.co.		1800	IN	SOA	ns1.digitalocean.com. hostmaster.alexbracken.co. 1720365384 10800 3600 604800 1800

;; Query time: 44 msec
;; SERVER: 206.225.75.225#53(206.225.75.225)
;; WHEN: Fri Jul 26 09:24:22 EDT 2024
;; MSG SIZE  rcvd: 110

dig AAAA www.alexbracken.co
; <<>> DiG 9.10.6 <<>> AAAA www.alexbracken.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52655
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;www.alexbracken.co.		IN	AAAA

;; AUTHORITY SECTION:
alexbracken.co.		1800	IN	SOA	ns1.digitalocean.com. hostmaster.alexbracken.co. 1720365384 10800 3600 604800 1800

;; Query time: 74 msec
;; SERVER: 206.225.75.225#53(206.225.75.225)
;; WHEN: Fri Jul 26 09:22:13 EDT 2024
;; MSG SIZE  rcvd: 114

Sorry to bump this. I did some more troubleshooting today and still haven’t gotten any further. I don’t really need the “www” subdomain to remain publicly accessible, so if there’s a way to just have it redirect to the main domain without worrying about SSL on the subdomain I would prefer that.

Can your workstation, the one that applies the Ansible playbook / invokes Trellis CLI, resolve the host with the www subdomain? Because the challenge file test is actually performed on the workstation, not on the server!
Do you have any debugging configuration left on the workstation, e.g. a hosts file entry or custom DNS records on a router appliance?

Also see this related discussion (and solution):

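The two replies above make one practical point between them: the HTTP-01 challenge has to be reachable for every host in site_hosts, from wherever the check runs, at whichever address the name resolves to, and an AAAA record is tried in preference to an A record. The following added Python script (example code for this page, not Trellis’s pre-check and not the Let’s Encrypt validator) performs that kind of reachability test per name and per address, AAAA first, and reports each attempt. Everything in it is constructed so that it runs offline: the record set, the challenge token, and a loopback HTTP server that stands in for the droplet, with 127.0.0.1 playing a correct A record and ::1 (where nothing listens) playing a stale AAAA record of the kind the earlier reply warns about.

```python
"""HTTP-01 reachability pre-check per host and per resolved address, AAAA before A.
Added example for this thread, not Trellis or Let's Encrypt code.  Records,
token and the loopback server are constructed so the script runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_DIR = "/.well-known/acme-challenge/"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves one token, like the challenge file a deploy drops in the webroot."""
    token = "constructed-token-value"

    def do_GET(self):
        if self.path == CHALLENGE_DIR + self.token:
            body = self.token.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep demo output clean
        pass


def start_loopback_server():
    """Stand-in for the droplet: listens on 127.0.0.1 only, on an ephemeral port."""
    srv = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_challenge(host, address, port, token, timeout=2.0):
    """GET the challenge at one resolved address with Host: <host>, the way a
    validator does after resolving the name itself."""
    try:
        conn = http.client.HTTPConnection(address, port, timeout=timeout)
        conn.request("GET", CHALLENGE_DIR + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace").strip()
        conn.close()
        if resp.status == 200 and body == token:
            return "ok"
        return f"http {resp.status}, body mismatch"
    except OSError as exc:  # refused, unreachable, timeout, no IPv6 on this machine
        return f"connect failed: {exc.__class__.__name__}"


def check_host(host, records, port, token):
    """Try every AAAA address first, then every A address, and report each attempt,
    so a stale AAAA record shows up even when the A record works."""
    attempts = []
    for rrtype in ("AAAA", "A"):
        for address in records.get(rrtype, []):
            attempts.append((rrtype, address, fetch_challenge(host, address, port, token)))
    return attempts


# Constructed record sets: both names have a good A record; www also carries a
# stale AAAA record pointing where no web server listens.
RECORDS = {
    "alexbracken.co":     {"A": ["127.0.0.1"]},
    "www.alexbracken.co": {"A": ["127.0.0.1"], "AAAA": ["::1"]},
}


def run_precheck(records=RECORDS):
    """Start the stand-in server, check every host, and return the attempts per host."""
    srv = start_loopback_server()
    port = srv.server_address[1]
    try:
        return {host: check_host(host, rrs, port, ChallengeHandler.token)
                for host, rrs in records.items()}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, attempts in run_precheck().items():
        for rrtype, address, result in attempts:
            print(f"{host:22} {rrtype:4} {address:10} {result}")
```

Against real DNS you would replace the constructed record set with the A and AAAA answers for each host (the dig output earlier in the thread shows empty AAAA answers for both names) and run the script from the workstation that provisions the server, since a hosts file entry or a custom DNS record there changes which address it tests. The "Network is unreachable" entries for the IPv6 resolver addresses in the nginx log are the same class of failure seen from the server side.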