`ghost setup ssl`: Error, can not get domain token entry

Hello,

I’m trying to install a new Ghost on my domain. Apparently I’m having some issues with SSL. The Ghost installation works fine until the SSL setup.

I manually ran this command after it failed: ghost setup ssl, with no luck.

Here is what I have in log:

Debug Information:
    OS: Ubuntu, v18.04
    Node Version: v10.15.1
    Ghost-CLI Version: 1.11.0
    Environment: production
    Command: 'ghost setup ssl'

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain dev.domain.com --webroot /var/www/dev/system/nginx-root --reloadcmd "nginx -s reload" --accountemail contact@domain.com
[Wed Oct 9 12:58:00 UTC 2019] Error, can not get domain token entry my.domain.com
[Wed Oct 9 12:58:00 UTC 2019] Please add '--debug' or '--log' to check more details.
[Wed Oct 9 12:58:00 UTC 2019] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

[Wed Oct  9 12:57:09 UTC 2019] Single domain='my.domain.com'
[Wed Oct  9 12:57:09 UTC 2019] Getting domain auth token for each domain
[Wed Oct  9 12:57:09 UTC 2019] Getting webroot for domain='my.domain.com'
[Wed Oct  9 12:57:09 UTC 2019] Getting new-authz for domain='my.domain.com'
[Wed Oct  9 12:57:10 UTC 2019] Could not get nonce, let's try again.
[Wed Oct  9 12:57:13 UTC 2019] Could not get nonce, let's try again.
[Wed Oct  9 12:57:15 UTC 2019] Could not get nonce, let's try again.
[Wed Oct  9 12:58:00 UTC 2019] The new-authz request is ok.

Exit code: 1

Any ideas what the issue might be here?

I’ve also run:

curl https://acme-v02.api.letsencrypt.org/directory -v

Maybe there is an error there but I think it looks ok:

dev@dev:/var/www/dev$ curl https://acme-v02.api.letsencrypt.org/directory -v
*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Sep 13 17:50:45 2019 GMT
*  expire date: Dec 12 17:50:45 2019 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e4dd0c0920)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< server: nginx
< date: Wed, 09 Oct 2019 14:00:08 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "7-xjkuvAe64": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Hello, I’ve the same problem.

Have you solved it somehow?

On the web I found someone who says to update acme or launch the command using some additional parameter, but I’m afraid of compromising the system, I haven’t tried it yet.

Try this:

ghost setup nginx ssl
Nginx configuration already found for this url. Skipping Nginx setup.
ℹ Setting up Nginx [skipped]
Nginx setup task was skipped, skipping SSL setup
ℹ Setting up SSL [skipped]

Any update?

Hi,
I have a similar issue and am unable to renew my certificate. It hasn’t happened automatically and it doesn’t work with the acme script. I’m out of ideas. Here’s the output of
/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --renew -d mydomain.pl --webroot /var/www/ghost/system/nginx-root

[Sat Nov  2 20:01:05 CET 2019] GET
[Sat Nov  2 20:01:05 CET 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Nov  2 20:01:05 CET 2019] timeout=
[Sat Nov  2 20:01:05 CET 2019] _CURL='curl -L --silent --dump-header /etc/letsencrypt/http.header  -g '
[Sat Nov  2 20:01:06 CET 2019] ret='0'
[Sat Nov  2 20:01:06 CET 2019] Could not get nonce, let's try again.
...
[Sat Nov  2 20:01:23 CET 2019] Error, can not get domain token entry ...

I noticed that acme renew command only finds domains that are in /etc/letsencrypt/live folder, but ghost certificates go to /etc/letsencrypt/[domain] by default so renew command doesn’t even recognize that domain.

I’m also on ubuntu 18.04
Node v10.16.3
Ghost-CLI version: 1.12.0
Ghost version: 2.28.0

Hi,

any update on this issue? I’m experiencing the same problem.

Ubuntu 18.04.3 LTS (DigitalOcean Ghost droplet)
Node v10.16.3
Ghost-CLI version: 1.12.0
Ghost version: 2.36.0

Ok, I managed to solve the problem! Not sure though if it is the recommended way to do it. In case anyone wants to try, this is what I did:

sudo apt install socat (not sure if necessary, but acme complained otherwise)

/etc/letsencrypt/acme.sh --upgrade

This doesn’t seem to replace the old acme.sh, but installs a new one to /root/.acme.sh/acme.sh. So I ran:

/root/.acme.sh/acme.sh --home "/etc/letsencrypt" --renew-all

This command successfully renewed the certificates. After that I restarted nginx:

sudo systemctl restart nginx

and edited the crontab (sudo crontab -e), where I changed the existing command to use the new acme.sh path.

Perhaps it would be better to copy the newly installed acme.sh back to the old location (/etc/letsencrypt/), but I was afraid to break something.

This solved it for me, on both Ghost installations I’m running (Ubuntu 18.04 on both).
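The steps in the post above, collected into one script as an added example (this is not code from the thread, from Ghost-CLI, or from acme.sh). It assumes the layout the poster describes: the bundled client at /etc/letsencrypt/acme.sh run with --home /etc/letsencrypt, the upgraded copy landing at /root/.acme.sh/acme.sh, and certificates stored per domain under /etc/letsencrypt/<domain>/ (acme.sh's own layout; the /etc/letsencrypt/live directory mentioned earlier is certbot's, which is why --renew did not see the Ghost domains). The crontab edit is done as a reviewable text rewrite rather than by hand, and the nonce check is there because "Could not get nonce" is what the failing runs logged; the function and variable names are mine.

```bash
#!/bin/sh
# Added example, not from the Ghost forum thread, Ghost-CLI or acme.sh.
# Paths below are the ones reported in the thread (assumptions for your host).
OLD_ACME=/etc/letsencrypt/acme.sh     # client installed by Ghost-CLI
NEW_ACME=/root/.acme.sh/acme.sh       # where "acme.sh --upgrade" put the new copy
ACME_HOME=/etc/letsencrypt            # Ghost-CLI's --home for acme.sh
ACME_DIR=https://acme-v02.api.letsencrypt.org/directory

# Quick check of the ACME v2 endpoints: the directory must be JSON and a HEAD
# on newNonce must return a Replay-Nonce header (RFC 8555). Network access
# required; not run by default.
check_nonce() {
    nonce_url=$(curl -fsS "$ACME_DIR" | sed -n 's/.*"newNonce": *"\([^"]*\)".*/\1/p')
    [ -n "$nonce_url" ] || { echo "no newNonce entry in directory" >&2; return 1; }
    curl -fsSI "$nonce_url" | grep -qi '^replay-nonce:' \
        || { echo "no Replay-Nonce from $nonce_url" >&2; return 1; }
    echo "nonce endpoint OK: $nonce_url"
}

# List certificates acme.sh knows about: one directory per certificate under
# its home, named <domain> (RSA) or <domain>_ecc (ECDSA), each holding
# <domain>.conf. The ca/ directory holds account data, not certificates.
list_acme_domains() {
    home="$1"
    for conf in "$home"/*/*.conf; do
        [ -f "$conf" ] || continue
        case "$conf" in "$home"/ca/*) continue ;; esac
        basename "$conf" .conf
    done | sort -u
}

# Rewrite crontab text (stdin -> stdout) so jobs that call the old acme.sh
# path use the new one. Plain substring replacement; '|' is the sed delimiter
# so the slashes in the paths need no escaping.
rewrite_cron() {
    old="$1"; new="$2"
    sed "s|$old|$new|g"
}

# The poster's procedure, in order. acme.sh's installer warns if socat is
# missing (it is used for the --standalone challenge mode).
apply_fix() {
    sudo apt install -y socat
    "$OLD_ACME" --upgrade
    [ -x "$NEW_ACME" ] || { echo "upgrade did not produce $NEW_ACME" >&2; return 1; }
    echo "certificates under $ACME_HOME:"; list_acme_domains "$ACME_HOME"
    "$NEW_ACME" --home "$ACME_HOME" --renew-all
    sudo systemctl restart nginx
    # Show the crontab change before installing it.
    tmp=$(mktemp)
    sudo crontab -l | rewrite_cron "$OLD_ACME" "$NEW_ACME" > "$tmp"
    sudo crontab -l | diff - "$tmp" || true
    sudo crontab "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    check)   check_nonce ;;
    domains) list_acme_domains "$ACME_HOME" ;;
    fix)     apply_fix ;;
    "")      echo "usage: $0 check|domains|fix" >&2 ;;
esac
```

Run `check` first to confirm the v2 endpoints answer, `domains` to see which certificates acme.sh will consider for --renew-all, and `fix` only after reading the diff it prints for the crontab.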

Did you find a solution to this? I have the same problem

Yes, check this


@giacomosilli Fixed? or still facing this issue?

Fixed


That fixed it for me as well - thanks!