Roots Discourse

Staging Provision Issues

I have a setup that hosts multiple websites. It does not use multisite, but they are all separate installs on the same server. Everything has been working fine, but I just went to add a new website and provision the staging server and cannot get past the SSL generation. I turn the SSL off for the one website, but everything breaks once the code has been deployed and I try to run the WordPress install. Everything locally is working as expected. I appreciate any help.

Ansible: 2.7.5
Node: 10.16.3

Here is the error that is currently showing. Please let me know if you need any additional info.

System info:
  Ansible 2.7.5; Darwin
  Trellis version (per changelog): "Update wp-cli to 2.0.1"
---------------------------------------------------
non-zero return code
fatal: [104.248.218.91]: FAILED! => {
    "changed": false, 
    "cmd": [
        "./renew-certs.py"
    ], 
    "delta": "0:00:00.976674", 
    "end": "2020-07-15 17:17:49.992593", 
    "invocation": {
        "module_args": {
            "_raw_params": "./renew-certs.py", 
            "_uses_shell": false, 
            "argv": null, 
            "chdir": "/var/lib/letsencrypt", 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "warn": true
        }
    }, 
    "rc": 1, 
    "start": "2020-07-15 17:17:49.015919", 
    "stderr": "", 
    "stderr_lines": [], 
    "stdout": "Certificate file /etc/nginx/ssl/letsencrypt/rustinconcrete.com-3c49826.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/conagg-mo.com-745cf75.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/greenamericarecycling.com-4a57f48.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/nrhamm.com-bc62510.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/continentalcementmulti.com-364790b.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/americanmaterialsco.com-89bcd7e.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/razorbackconcrete.com-5a58987.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nGenerating certificate for midwest.com\nError while generating certificate for midwest.com\nTraceback (most recent call last):\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n    main(sys.argv[1:])\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 104, in get_crt\n    raise ValueError(\"Error requesting challenges: {0} {1}\".format(code, result))\nValueError: Error requesting challenges: 403 {\n  \"type\": \"urn:acme:error:unauthorized\",\n  \"detail\": \"Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)\",\n  \"status\": 403\n}\n\nCertificate file /etc/nginx/ssl/letsencrypt/georgiastoneproducts.com-85984a8.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/rdje.com-079311b.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.\n\nCertificate file /etc/nginx/ssl/letsencrypt/mainlandcmmulti.com-17a3218.cert already exists\n  The certificate is younger than 60 days. Not creating a new certificate.", 
    "stdout_lines": [
        "Certificate file /etc/nginx/ssl/letsencrypt/rustinconcrete.com-3c49826.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/conagg-mo.com-745cf75.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/greenamericarecycling.com-4a57f48.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/nrhamm.com-bc62510.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/continentalcementmulti.com-364790b.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/americanmaterialsco.com-89bcd7e.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/razorbackconcrete.com-5a58987.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Generating certificate for midwest.com", 
        "Error while generating certificate for midwest.com", 
        "Traceback (most recent call last):", 
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", 
        "    main(sys.argv[1:])", 
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", 
        "    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", 
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 104, in get_crt", 
        "    raise ValueError(\"Error requesting challenges: {0} {1}\".format(code, result))", 
        "ValueError: Error requesting challenges: 403 {", 
        "  \"type\": \"urn:acme:error:unauthorized\",", 
        "  \"detail\": \"Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)\",", 
        "  \"status\": 403", 
        "}", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/georgiastoneproducts.com-85984a8.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/rdje.com-079311b.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate.", 
        "", 
        "Certificate file /etc/nginx/ssl/letsencrypt/mainlandcmmulti.com-17a3218.cert already exists", 
        "  The certificate is younger than 60 days. Not creating a new certificate."
    ]
}

RUNNING HANDLER [common : disable temporary challenge sites] ***********************************************************************************************************************************************
task path: /Users/mikewalcott/Sites/summitopco/trellis/roles/common/tasks/disable_challenge_sites.yml:2
Using module file /Library/Python/2.7/site-packages/ansible/modules/files/file.py
<104.248.218.91> ESTABLISH SSH CONNECTION FOR USER: admin
<104.248.218.91> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/mikewalcott/.ansible/cp/1ca9331dd4 104.248.218.91 '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=cfkfuukkelplcvdbygrrhnpfgafydwpr] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-cfkfuukkelplcvdbygrrhnpfgafydwpr; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<104.248.218.91> (0, '\n{"invocation": {"module_args": {"directory_mode": null, "force": false, "remote_src": null, "_original_basename": null, "path": "/etc/nginx/sites-enabled/letsencrypt-rustinconcrete.com.conf", "owner": null, "follow": true, "group": null, "unsafe_writes": null, "state": "absent", "content": null, "serole": null, "selevel": null, "setype": null, "access_time": null, "access_time_format": "%Y%m%d%H%M.%S", "modification_time": null, "regexp": null, "src": null, "seuser": null, "recurse": false, "_diff_peek": null, "delimiter": null, "mode": null, "modification_time_format": "%Y%m%d%H%M.%S", "attributes": null, "backup": null}}, "path": "/etc/nginx/sites-enabled/letsencrypt-rustinconcrete.com.conf", "state": "absent", "changed": false}\n', '')

This seems to be the underlying error:

ACME v1 API is now phased out in favour of ACME v2 API. Only existing domains can still be renewed over the v1 API, so legacy systems that use LE certificates don’t break.

Are you using an outdated version of Trellis?

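As an added illustration (not code from this thread or from Trellis), here is a small Python parser for the renew-certs.py output quoted above. It separates certificates skipped as fresh from domains the ACME endpoint rejected, and flags the v1 shutdown both by the "disabled in the V1 API" detail and by the urn:acme:error: namespace that only the v1 endpoint uses. The sample output and domain names are constructed.

```python
import json
import re

# Constructed sample, not the thread's log: the renew-certs.py stdout shape shown
# above, shortened to one fresh cert and one new domain rejected by the ACME v1
# endpoint. Domain names are placeholders.
SAMPLE_STDOUT = """Certificate file /etc/nginx/ssl/letsencrypt/old-site.com-3c49826.cert already exists
  The certificate is younger than 60 days. Not creating a new certificate.

Generating certificate for new-site.com
Error while generating certificate for new-site.com
Traceback (most recent call last):
ValueError: Error requesting challenges: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)",
  "status": 403
}
"""

SKIP_RE = re.compile(r"^Certificate file \S*/(.+)-[0-9a-f]+\.cert already exists$")
GEN_RE = re.compile(r"^Generating certificate for (\S+)$")
ACME_ERR_RE = re.compile(r"Error requesting challenges: (\d{3}) (\{.*\})", re.S)

def classify_acme_error(block):
    """Pull the HTTP status and ACME problem document out of an acme_tiny
    traceback block; None when the block carries no such error."""
    m = ACME_ERR_RE.search(block)
    if not m:
        return None
    problem = json.loads(m.group(2))
    # Two independent signs the client still talks to the deprecated v1 API:
    # the v1 error namespace (v2 uses urn:ietf:params:acme:error:) and the
    # explicit "disabled in the V1 API" detail quoted in the thread.
    return {"http_status": int(m.group(1)), "type": problem.get("type", ""),
            "v1_namespace": problem.get("type", "").startswith("urn:acme:error:"),
            "v1_shutdown": "disabled in the V1 API" in problem.get("detail", "")}

def parse_renew_output(stdout):
    """Map each domain to skipped / failed / generated. 'generated' is assumed
    for an error-free 'Generating' block; the thread shows no success case."""
    result = {}
    for block in stdout.strip().split("\n\n"):
        first = block.splitlines()[0]
        skip, gen = SKIP_RE.match(first), GEN_RE.match(first)
        if skip:
            result[skip.group(1)] = {"status": "skipped"}
        elif gen:
            err = classify_acme_error(block)
            result[gen.group(1)] = {"status": "failed", **err} if err else {"status": "generated"}
    return result
```

Running `parse_renew_output` over the real Ansible `stdout` value lists every domain that needs the Trellis ACME update rather than just the first one that failed.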

Yes, this is an older version. I have over 10 sites on this install and haven't found a simple way to update it. Is there any way to make this version work, or do I need to update it?

Well, you are trying to register new domains with LE using the old ACME v1 API, which isn’t possible anymore. While you could try to update just the ACME related part in Trellis, I think you should update your whole Trellis setup and test an update (reprovision) on a staging server. When everything went well and the sites are still available on staging, it should also work on production.

For my part, I cloned the Trellis repository and added all modifications/adjustments to it on a separate branch. Then I can pull in and merge new changes from time to time.
In your case you could just put your whole Trellis code into version control (git) and then overwrite it with the latest Trellis files - or clone the Trellis repository, create a new branch and put your changed files on top of it and resolve all conflicts.
Always test on a staging system that already has been provisioned with your old Trellis setup, so you can verify the updates all work correctly!


@strarsis’s replies are great, but it is quite simple to just apply a patch and fix this issue:

Note that we’ve had a sticky post about this since October: Trellis and Lets Encrypt v1 end of life


@strarsis and @swalkinshaw - Thank you for the help. I just got the patch applied and everything is working as expected now.