Ghost Install Error - Failed Setting Up SSL: Failed to restart Nginx

  • What’s your URL? It’s not live but
  • What version of Ghost are you using? 5.53.1
  • How was Ghost installed and configured? DigitalOcean 1 click install
  • What Node version, database, OS & browser are you using? npm 8.15.0, node 16.17.0, Mac, Chrom
  • What errors or information do you see in the console?
    The issue I’m having is that during the Ghost 1 click install it always fails when it gets to the SSL set up with the following.
✖ Setting up SSL
+ sudo mv /tmp/mywebsite-com/ghost_mywebsite-com.service /lib/systemd/system/ghost_mywebsite-com.service
+ sudo systemctl daemon-reload
✔ Setting up Systemd
+ sudo systemctl is-active ghost_mywebsite-com
+ sudo systemctl start ghost_mywebsite-com
+ sudo systemctl is-enabled ghost_mywebsite-com
+ sudo systemctl enable ghost_mywebsite-com --quiet
✔ Starting Ghost
One or more errors occurred.

1) CliError

Message: Failed to restart Nginx.

Debug Information:
    OS: Ubuntu, v22.04.1 LTS
    Node Version: v16.17.0
    Ghost Version: 5.53.1
    Ghost-CLI Version: 1.24.0
    Environment: production
    Command: 'ghost install --auto --db=mysql --dbhost=localhost --dbport=3306 --dbname=ghost_production --dbuser=root --dbpass=REMOVED_PASS --dir=/var/www/ghost --start'

Additional log info available in: /home/ghost-mgr/.ghost/logs/ghost-cli-debug-2023-06-27T09_18_12_583Z.log

Try running ghost doctor to check your system for known issues.

You can always refer to for troubleshooting.
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.

I’ve set up one site from scratch without any issues. I’m now trying to set up a second but I’m running into an issue and searching I cannot find anything to help. The only differences with this config is I’m using Cloudflare instead of namecheap for hosting and for this site I trialed Ghost Pro before deleting everything and starting again. I did configure it with a custom domain before removing and deleting the connection.

I’ve run ghost doctor but it wasn’t much help. Previously it was failing on the nginx step but I’m now getting past that. The only post that I can find that gives me a clue to what’s happening is this.

The folder was indeed named with _ecc at the end but I’m not sure what to do about it or why it’s happening. mv can’t be invoked to make any changes as this change was restricted, even if it did I’m not sure how to restart the set up step and get past the issue.

I’ve since updated npm to the latest as there was a message about that.

  npm: '9.7.2',
  node: '16.17.0',
  v8: '',
  uv: '1.43.0',
  zlib: '1.2.11',
  brotli: '1.0.9',
  ares: '1.18.1',
  modules: '93',
  nghttp2: '1.47.0',
  napi: '8',
  llhttp: '6.0.7',
  openssl: '1.1.1q+quic',
  cldr: '41.0',
  icu: '71.1',
  tz: '2022a',
  unicode: '14.0',
  ngtcp2: '0.1.0-DEV',
  nghttp3: '0.1.0-DEV'

Any ideas on how I can proceed or what’s happening would be very appreciated.

What’s the output from nginx -t?

Also, note that Let’s Encrypt can fail behind Cloudflare, so place in development mode when requesting certificates, and don’t force HTTPS connections.

1 Like

What do you mean by ‘mv can’t be invoked’? You should have root access on the droplet. :slight_smile: I think the best option is actually not to move the folder (because lets encrypt may expect it to be at that location), but to edit the nginx configuration file to point to the ecc location. You’re going to find those config files at something like /etc/nginx/sites-available/yourdomain-ssl.conf. Check for configurations pointing at a directory that’s yourdomain instead of yourdomain_ecc, and adjust to yourdomain_ecc. If you want to post that yourdomain-ssl.conf file and the results of ls /etc/letsencrypt, I can try to be more specific.

An FYI for @mjw, in case you missed it - when I spun up a new DO droplet yesterday using the Ghost 1-click install, the certificates are indeed ending up in domainname_ecc but the nginx config files are pointing at domainname, and that causes the behavior being described. That may explain the recent outbreak in reports of this problem on the forum. [Tagging you here since you answer a LOT of Nginx/certificate/proxy questions, and that info may help solve the problem faster.]


@mjw and @Cathy_Sarisky thank you for your prompt responses and kind assistance.

@Cathy_Sarisky you’re right I think I was running mv as ghost-mgr which must not have access but I won’t change the file name.

@mjw I tried putting in development mode which I hadn’t previously, I started a fresh install but it still failed.

The output of nginx -t is below.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

ls etc/letsencrypt/ returns the following

account.conf **ca** **deploy** http.header **renewal-hooks**

**** **mywebsite.com_ecc** cli.ini **dnsapi** **notify**

I’ve attempted to change the config of to the following to match, here is a partial of the file were I’ve made changes

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /var/www/ghost/system/nginx-root; # Used for SSL verification >

    ssl_certificate /etc/letsencrypt/mywesbite.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/mywebsite.com_ecc/>
    include /etc/nginx/snippets/ssl-params.conf;

I tried nginx -t again in /etc/nginx/sites-available, I’m quite new to this but I believe tests the config? I get the following

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)

2023/06/29 08:33:52 [warn] 59063#59063: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

2023/06/29 08:33:52 [emerg] 59063#59063: cannot load certificate key "/etc/letsencrypt/mywebsite.com_ecc/": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/letsencrypt/mywesbite.com_ecc/, r) error:10080002:BIO routines::system lib)

nginx: configuration file /etc/nginx/nginx.conf test failed

I’m not sure how to proceed.

It looks like Let’s Encrypt failed during the installation: either the certificates weren’t issued or couldn’t be delivered since they don’t exist on the server.

Try running ghost setup ssl, but make sure you allow HTTP (80) and HTTPS (443) traffic, and have Cloudflare in development mode.

1 Like

Try running ghost setup ssl to create a new certificate.

1 Like

So i’ve enabled development mode and checked the ports 80 and 443 are allowed. When I run ghost setup ssl I get SSL has already been set up, skipping ℹ Setting up SSL [skipped]. I’ve tried stopping the server and running but it made no difference.

I ran it as ghost setup --ssl based on something I saw when returning ghost ssl help, that seemed to work. All good for the naked (non www) domain.

I then had the issue of www not redirecting always or having an SSL cert. I eventually read that Ghost can only have one domain for SEO reasons and such so the process is as follows in this article.

I followed that advice but with the additional step of having to rename the following files to include ecc in them otherwise the config failed.

ssl_certificate /etc/letsencrypt/www.mydomain.com_ecc/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/www.mydomain.com_ecc/;

No idea why it’s adding this ecc. I’m not sure if that’s an issue for DigitalOcean’s 1 click installer or for Ghost to resolve. My guess is DigitalOcean.

At first I didn’t know where to find those files but I then remembered where I’d seen them

So I updated this thread with no responses to answer that.

Thanks for your help everyone, I really would have been stuck without it. I finally have the certificates working with www and non www versions.

Have a great week!