Roots Discourse

Trouble Re-provisioning Live Production Server - non-zero return code during Letsencrypt task

letsencrypt
ansible

#1

Hey y'all,

Just recently moved our production server from an Ubuntu 16 to a new Ubuntu 18 server and was able to successfully provision and deploy our multisite subdomain WordPress install with about 43 live sites. Was then able to add another subdomain to group_vars/production/wordpress_sites.yml and re-provision to add the subdomain to the cert about a week ago.

But for the past couple of days, I cannot get the production server to re-provision. Either I get a weird "ERROR! Timeout (12s) waiting for privilege escalation prompt", or mostly this error (showing "mydomain.com" instead of my actual domain):

TASK [letsencrypt : Generate the certificates] **************************************************
System info:
Ansible 2.7.5; Darwin
Trellis 1.0.1: January 16th, 2019

non-zero return code
fatal: [mydomain.com]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:15.841913", "end": "2019-02-08 02:52:31.515241", "rc": 1, "start": "2019-02-08 02:52:15.673328", "stderr": "", "stderr_lines": [], "stdout": "Generating certificate for mydomain.com\nError while generating certificate for mydomain.com\nTraceback (most recent call last):\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n main(sys.argv[1:])\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 140, in get_crt\n e.code, json.loads(e.read().decode('utf8'))))\nAttributeError: 'URLError' object has no attribute 'code'", "stdout_lines": ["Generating certificate for mydomain.com", "Error while generating certificate for mydomain.com", "Traceback (most recent call last):", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", " main(sys.argv[1:])", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 140, in get_crt", " e.code, json.loads(e.read().decode('utf8'))))", "AttributeError: 'URLError' object has no attribute 'code'"]}

Some of my settings in wordpress_sites.yml:

multisite:
  enabled: true
  subdomains: true
ssl:
  enabled: true
  provider: letsencrypt
  hsts_max_age: 31536000
  hsts_include_subdomains: true
  hsts_preload: true

I've tried to be sure I'm using the latest version of Trellis and even upgraded Ansible to 2.7.5. Running this from macOS 10.14.2.


#2

Try provisioning with the -vvv flag and it should provide a lot more debug info regarding what's going on.

I'm not 100% sure but maybe your new domain needs to be pointed at the server before it can generate the certificate. Is it currently pointing to it?


#3

I had a similar issue and then had success adding this to ansible.cfg under defaults:

timeout = 30


#4

> I'm not 100% sure but maybe your new domain needs to be pointed at the server before it can generate the certificate. Is it currently pointing to it?

Yes, all domains and subdomains in wordpress_sites.yml are pinging the correct IP address.


#5

Added timeout = 30 to ansible.cfg defaults, to no avail. :( Also tried timeout = 300.
Also tried adding transport = paramiko per this thread, but still get the same error.

Here's the error with -vvv:

TASK [letsencrypt : Generate the certificates] **************************************************
task path: /Users/myuser/mysite.com/trellis/roles/letsencrypt/tasks/certificates.yml:41
Using module file /Library/Python/2.7/site-packages/ansible/modules/commands/command.py
<mysite.com> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<mysite.com> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=30 -o ControlPath=/Users/myuser/.ansible/cp/b3b1347f6f mysite.com '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=mtehqtehnoxazgzfxgbabpmxehswgraq] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mtehqtehnoxazgzfxgbabpmxehswgraq; python3'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<mysite.com> (1, '\n{"msg": "non-zero return code", "cmd": ["./renew-certs.py"], "stdout": "Generating certificate for mysite.com\\nError while generating certificate for mysite.com\\nTraceback (most recent call last):\\n  File \\"/usr/local/letsencrypt/acme_tiny.py\\", line 198, in <module>\\n    main(sys.argv[1:])\\n  File \\"/usr/local/letsencrypt/acme_tiny.py\\", line 194, in main\\n    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\\n  File \\"/usr/local/letsencrypt/acme_tiny.py\\", line 140, in get_crt\\n    e.code, json.loads(e.read().decode(\'utf8\'))))\\nAttributeError: \'URLError\' object has no attribute \'code\'", "stderr": "", "rc": 1, "start": "2019-02-08 21:49:32.638529", "end": "2019-02-08 21:49:43.754506", "delta": "0:00:11.115977", "changed": true, "failed": true, "invocation": {"module_args": {"chdir": "/var/lib/letsencrypt", "_raw_params": "./renew-certs.py", "warn": true, "_uses_shell": false, "argv": null, "executable": null, "creates": null, "removes": null, "stdin": null}}}\n', '')
System info:
  Ansible 2.7.5; Darwin
  Trellis 1.0.1: January 16th, 2019
---------------------------------------------------
non-zero return code
fatal: [mysite.com]: FAILED! => {
    "changed": false,
    "cmd": [
        "./renew-certs.py"
    ],
    "delta": "0:00:11.115977",
    "end": "2019-02-08 21:49:43.754506",
    "invocation": {
        "module_args": {
            "_raw_params": "./renew-certs.py",
            "_uses_shell": false,
            "argv": null,
            "chdir": "/var/lib/letsencrypt",
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "warn": true
        }
    },
    "rc": 1,
    "start": "2019-02-08 21:49:32.638529",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "Generating certificate for mysite.com\nError while generating certificate for mysite.com\nTraceback (most recent call last):\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n    main(sys.argv[1:])\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n  File \"/usr/local/letsencrypt/acme_tiny.py\", line 140, in get_crt\n    e.code, json.loads(e.read().decode('utf8'))))\nAttributeError: 'URLError' object has no attribute 'code'",
    "stdout_lines": [
        "Generating certificate for mysite.com",
        "Error while generating certificate for mysite.com",
        "Traceback (most recent call last):",
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>",
        "    main(sys.argv[1:])",
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main",
        "    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)",
        "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 140, in get_crt",
        "    e.code, json.loads(e.read().decode('utf8'))))",
        "AttributeError: 'URLError' object has no attribute 'code'"
    ]
}
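
The traceback in the posts above ends in an AttributeError because the error handler reads `e.code`, which only urllib's `HTTPError` carries; a plain `URLError` means no HTTP response was received at all, so the real reason is hidden. The following is an added example (not code from the thread, Trellis or acme_tiny.py) of handling both cases so the underlying reason surfaces; the function names, the `acme.invalid` URL and both simulated failures are constructed for illustration.

```python
import io
import json
import urllib.error
import urllib.request
from email.message import Message


def describe_failure(exc):
    """One-line diagnosis of a urllib failure that never assumes .code exists."""
    # HTTPError subclasses URLError, so it has to be tested first.
    if isinstance(exc, urllib.error.HTTPError):
        body = exc.read().decode("utf8", errors="replace")
        try:
            detail = json.loads(body).get("detail", body)
        except (ValueError, AttributeError):
            detail = body  # not a JSON object; show the raw body
        return "HTTP {0} from server: {1}".format(exc.code, detail)
    if isinstance(exc, urllib.error.URLError):
        # No HTTP response at all: DNS, routing, firewall, proxy or TLS failure.
        return "no HTTP response: {0}".format(exc.reason)
    return "unexpected error: {0!r}".format(exc)


def fetch(url, opener=urllib.request.urlopen):
    """Return (ok, text). `opener` is injectable so the demo runs offline."""
    try:
        return True, opener(url).read().decode("utf8")
    except OSError as exc:  # URLError and HTTPError are both OSError subclasses
        return False, describe_failure(exc)


# Constructed stand-ins for the network (assumptions, not captured traffic).
def fake_dns_failure(url):
    raise urllib.error.URLError(OSError(-2, "Name or service not known"))


def fake_http_rejection(url):
    body = io.BytesIO(b'{"detail": "constructed sample rejection"}')
    raise urllib.error.HTTPError(url, 403, "Forbidden", Message(), body)


if __name__ == "__main__":
    url = "https://acme.invalid/directory"  # placeholder, never contacted
    for opener in (fake_dns_failure, fake_http_rejection):
        print(fetch(url, opener))
```

With a `URLError`, the `reason` field is the thing to read: it separates a server that cannot resolve or reach the CA from a request the CA answered and rejected.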