Workflow advice on provisioning a new production server with Let's Encrypt

I’ve got a workflow question and feel like I might be missing something.

I created a new Digital Ocean (DO2) droplet to serve a site that is currently running on an existing Digital Ocean droplet (DO1).

The site uses Let’s Encrypt and the DNS zone file was pointing to DO1.

In my local trellis folder, I updated the hosts/production file with the new IP address, but when I attempt to provision this new server with my existing trellis setup, it failed on the Let’s Encrypt role. This makes sense to me since the DNS wouldn’t resolve to the new droplet, and so Let’s Encrypt has no way of reaching DO2.

What I did was temporarily change the ssl: enabled from true to false in group_vars/production/wordpress_sites.yml and attempted to re-provision the server.

This finished provisioning DO2 and I was able to deploy the code, move and import the DB.

I updated my local hosts file to point to DO2 so that I could test the site on the new server in a browser. It didn’t work initially work, so I:

  • Logged into DO2 as root
  • Removed the nginx site config at /etc/nginx/sites-enabled/
  • Restarted nginx : systemctl restart nginx.

The site came up and confident that everything was working except for SSL, I decided to

  • Update ssl: enabled: true in group_vars/production/wordpress_sites.yml
  • Update the DNS to point to DO2.
  • Re-provision DO2 using ansible-playbook server.yml -e env=production

Everything looks good, with the site running on the new server, it’s just that the site was offline for about 10 mins while the DNS propagated and I re-provisioned DO2 to generate the Let’s Encrypt certificate.

I’m not doing this type of thing too often (only this one time in the last year of roots usage) and this isn’t a high traffic site, so there wasn’t much of an issue of having the site offline for 10 mins. Ideally I would like zero down time when I need to do this with another higher traffic site.

Has anyone else run into this kind of problem, or am I missing something in my workflow?

I followed this earlier and it worked perfectly with Lets Encrypt:

Thanks @KieranEves – That is a great resource describes mostly what I’ve been doing.

My main question stems from trying to provision a production server that doesn’t have the DNS records pointing to it.

I’m not familiar enough with Let’s Encrypt to know if it’s even possible to generate the certificate before pointing the DNS to the new server, but if it could that would be awesome!

You can take the already generated SSL certificates from the first server and use those as a manual cert when initially provisioning the new server. After you’ve swapped the DNS, you can then re-provision the server with the letsencrypt provider to get the auto-renewal setup correctly


Thanks for the comment @ben – When you say “use those as manual cert” I assume you are talking about this trellis setting:

I’ll give it a try on my next migration, but for other people that might be wondering where to find the certificate files – they are located at /etc/nginx/ssl/letsencrypt

I copied them locally using rsync:

$ rsync -av ssl
receiving incremental file list
created directory ssl

sent 85 bytes  received 9,838 bytes  6,615.33 bytes/sec
total size is 9,550  speedup is 0.96

Thanks again for nicely telling me to read the manual!


Is there anyway to provision the server already with the correct canonical domain? I have a live url of a redirect of and a second canonical domain of so that I can confirm everything is working before switching the server. The problem is that the letsecrypt challenge of course fails for as it’s currently at another host and has another IP.

Is there anyway to get the cert setup so that we only need to switch DNS, or do we need to switch DNS and then re-provision?

The Let’s Encrypt SSL provider in Trellis requires valid DNS for validation to work. You can use a self-signed certificate, or a manual one (or even a manual Let’s Encrypt cert) before DNS is in place if you want to have SSL enabled