Cannot Setup SSL - Invalid Response to Acme Challenge (404)

I am working on getting a Ghost site set up. I originally installed it with just HTTP as I was going to use Cloudflare Zero Trust, but several core functions like site password protection and seeing any design previews apparently don’t work in HTTP mode and it’s never been fixed, so I decided to go through Ghost’s SSL setup procedure. Ports 80 and 443 are forwarded and reachable from the outside world and my IP address is correct. I can access both my site (currently password protected) and my admin page on port 80. I use Cloudflare for my DNS, but the records are not proxied.

Every time I try to run ghost ssl setup, it fails saying it gets a 404 error for the challenge response. This is the log:

```
Debug Information:
OS: Ubuntu, v24.04.2 LTS
Node Version: v22.17.0
Ghost Version: 5.127.0
Ghost-CLI Version: 1.27.0
Environment: production
Command: 'ghost setup ssl'
Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --server letsencrypt --domain geekbravado.com --webroot /var/www/geekbravado/system/nginx-root --reloadcmd "nginx -s reload" --accountemail --keylength 2048
[Mon Jun 30 05:09:04 AM UTC 2025] geekbravado.com: Invalid status. Verification error details: 174.138.196.141: Invalid response from http://geekbravado.com/.well-known/acme-challenge/TqqcZGNaBmm_jGiRxnqgRTz4ZSfcr2YRmuoyg6sWhGI: 404
[Mon Jun 30 05:09:04 AM UTC 2025] Please add '--debug' or '--log' to see more information.
[Mon Jun 30 05:09:04 AM UTC 2025] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

[Mon Jun 30 05:09:00 AM UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Jun 30 05:09:00 AM UTC 2025] Single domain='geekbravado.com'
[Mon Jun 30 05:09:02 AM UTC 2025] Getting webroot for domain='geekbravado.com'
[Mon Jun 30 05:09:02 AM UTC 2025] Verifying: geekbravado.com
[Mon Jun 30 05:09:02 AM UTC 2025] Pending. The CA is processing your order, please wait. (1/30)

Exit code: 1
```

I’ve seen several other threads discussing this issue, but none of the suggestions provided within them have worked. I don’t know what’s failing or where here, but I’m at a loss. Does anyone have an idea what might be up?

Thanks all.

Ended up doing a backup (had to hack my config to disable MFA because ghost backup is currently broken with MFA which is enforced by default and the devs didn’t notice) and a complete nuke and pave of nginx, mysql and Ghost. This fixed the issue and the SSL setup completed during the installation. Imported my WIP site back in and all’s well now. Why did this work? No idea. Hopefully this is the last issue I have.


It looks like the SSL setup is failing because Let’s Encrypt is unable to access the challenge file on your server. The 404 error suggests that the file needed for the verification process isn’t being served correctly.

Here are a few things you can check:

  1. Check Nginx Configuration: Since you’re using Nginx, ensure that the server is properly configured to serve files in the .well-known/acme-challenge/ directory. You might need to add a specific location block in your Nginx config to allow access to that path. Here’s an example:

```nginx
# Serve ACME HTTP-01 challenge tokens from the same webroot acme.sh writes to
location /.well-known/acme-challenge/ {
    root /var/www/geekbravado/system/nginx-root;
    try_files $uri =404;
}
```

After adding this, reload Nginx with:

```bash
sudo nginx -s reload
```

  2. Cloudflare Settings: Since you’re using Cloudflare for DNS, make sure the DNS records for your domain are not proxied (the cloud icon should be grey and not orange) for the SSL setup process. Proxied records can interfere with Let’s Encrypt’s validation.

  3. Firewall and Port Configuration: Double-check that ports 80 and 443 are accessible from outside the network. You mentioned that they are forwarded, but it’s worth confirming that there’s no firewall blocking these ports.

  4. Temporarily Disable Cloudflare Proxy: Temporarily disable Cloudflare’s proxying by making sure the DNS records are set to DNS-only (grey cloud). Let’s Encrypt needs to access the site directly to verify the challenge, and Cloudflare’s proxy might block the validation request.

  5. Ensure Proper Permissions: Make sure that the user running the ghost command has proper permissions to write to the webroot directory (/var/www/geekbravado/system/nginx-root).

After these changes, retry the SSL setup command. If the issue persists, adding the --debug flag to the command might provide additional logs that can help pinpoint the problem.

Let me know if you need further clarification or help!
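The checks above can be reproduced before re-running `ghost setup ssl`. The following self-check script is added here as an example (it is not part of Ghost, acme.sh or the answer): it drops a probe file into the webroot's challenge directory and fetches it the way the CA would, once via 127.0.0.1 (tests only the nginx location/root) and once via the domain (tests DNS, NAT and firewall as well). It assumes the webroot and domain from the log and that curl is installed.

```shell
#!/bin/sh
# HTTP-01 self-check (added example, not from Ghost or acme.sh).
# Defaults are the paths from the thread; override with env vars.
WEBROOT="${WEBROOT:-/var/www/geekbravado/system/nginx-root}"
DOMAIN="${DOMAIN:-geekbravado.com}"

# Directory acme.sh writes challenge tokens into for a given webroot.
challenge_dir() { printf '%s/.well-known/acme-challenge' "$1"; }

# Create a uniquely named probe file whose body is its own name; print the name.
place_probe() {
  dir=$(challenge_dir "$1")
  token="selfcheck-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  printf '%s' "$token"
}

# Fetch the probe over plain HTTP from host $3 (the domain, or 127.0.0.1 to
# bypass DNS/firewall). The Host header is always the domain so the same
# nginx server block answers that would answer the CA.
fetch_probe() {
  curl -fsS --max-time 10 -H "Host: $1" \
    "http://$3/.well-known/acme-challenge/$2"
}

# 0 only when the served body equals the token that was written.
probe_matches() { [ "$1" = "$2" ]; }

remove_probe() { rm -f "$(challenge_dir "$1")/$2"; }

run_selfcheck() {
  tok=$(place_probe "$WEBROOT") || { echo "cannot write to $WEBROOT (permissions?)"; return 1; }
  for target in 127.0.0.1 "$DOMAIN"; do
    body=$(fetch_probe "$DOMAIN" "$tok" "$target") || body=""
    if probe_matches "$body" "$tok"; then
      echo "OK   via $target"
    else
      echo "FAIL via $target (127.0.0.1 failing = nginx location/root; only the domain failing = DNS, NAT or firewall)"
    fi
  done
  remove_probe "$WEBROOT" "$tok"
}

# Network access happens only when invoked as:  sudo sh selfcheck.sh run
if [ "${1:-}" = "run" ]; then
  run_selfcheck
fi
```

If 127.0.0.1 fails, compare the `root` in the nginx location block with the `--webroot` path in the acme.sh command line; if only the domain fails, the request is not reaching this nginx at all.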

Hi Samson.

I ended up just getting frustrated and reinstalling, which sorted the issue, but I will look at your suggestions and compare it to my old configuration files (I still have them) and see if I can find what went wrong.

Appreciate the help. 🙂

You are welcome. Happy to help.