Ghost & SSL certs for other subdomains

Hey everyone,

I recently decided to migrate my content over to Ghost. I was just using Bootstrap previously to cobble together some basic pages to host my content, alongside a Mediawiki instance and a Piwigo instance as well.

My Ghost installation ran like a dream other than having to add in a SocketPath filepath in my config file to get it to connect to MySQL.

The problem I’m having now is this. I had my Mediawiki instance hosted on https://wiki.renoproject.org and although I’ve got Ghost’s SSL stuff working fine thanks to using Ghost-CLI, I’m stumped on how to use acme.sh in conjunction with nginx to issue and set up a working SSL cert for that subdomain.

I followed the official Ghost docs on self hosting to set up a Ghost instance on my website (https://renoproject.org).

Does anyone have any advice on how to use the acme.sh script that comes with the Ghost install that’s in /etc/letsencrypt? I had considered just installing certbot as I have previous experience with that but I was concerned about there being conflicts and if possible, I’d rather use the tools that came with Ghost to get this working.

For the record, I used the following command to generate a cert:

./acme.sh --home "/etc/letsencrypt" --server letsencrypt --issue -d wiki.renoproject.org -w /var/www/wiki.renoproject.org

Which did generate something, but when I ran the following command to install the certificate, although it claimed it was successful, I am unable to access https://wiki.renoproject.org:

acme.sh --install-cert -d wiki.renoproject.org \
--key-file       /etc/letsencrypt/wiki.renoproject.org_ecc/wiki.renoproject.org.key  \
--fullchain-file /etc/letsencrypt/wiki.renoproject.org_ecc/fullchain.cer \
--reloadcmd     "service nginx force-reload"

You'll likely want to use certbot. You can generate wildcard certs and use them for your different subdomains in your nginx config.
Here's an example using the Cloudflare plugin; if you're not using that for DNS verification then just remove the --dns-cloudflare* parameters:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /path/to/fileWithAPIKey --dns-cloudflare-propagation-seconds 60 -d domainname.com -d *.domainname.com

Notice the multiple -d parameters; this will add different SANs to your cert.

Then you can rsync the certs to where your nginx is running, or have your nginx SSL config pointed at the location where certbot stores the certs.

If you only have one domain and you're familiar with Docker, you might want to look into using SWAG; it is an LSIO container which has Let's Encrypt and nginx and other capabilities which might make your life easier.
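Whichever client issues the cert, the install step in the original post and the "point nginx at the cert location" advice above both assume the files on disk are the ones nginx should serve. An installer reporting success only tells you a copy ran, so this added helper (not from the thread or from acme.sh/certbot) checks the pair directly: the private key matches the leaf certificate, the leaf covers the hostname (a wildcard SAN counts), and it is not about to expire. Paths and hostnames in the comments are assumptions; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example: verify a fullchain/key pair before reloading nginx with it.
# usage: check_tls_files FULLCHAIN KEY HOSTNAME
#   e.g. check_tls_files /etc/letsencrypt/live/example.test/fullchain.pem \
#                        /etc/letsencrypt/live/example.test/privkey.pem wiki.example.test
# Returns 0 on success; prints the first failing check and returns 1 otherwise.
check_tls_files() {
    fullchain="$1"; key="$2"; host="$3"
    [ -r "$fullchain" ] || { echo "cannot read $fullchain"; return 1; }
    [ -r "$key" ]       || { echo "cannot read $key"; return 1; }

    # openssl x509 reads the first PEM block, i.e. the leaf certificate.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null)
    case "$cert_pub" in
        "-----BEGIN PUBLIC KEY-----"*) ;;
        *) echo "$fullchain does not contain a parseable certificate"; return 1 ;;
    esac

    # The public key derived from the private key must equal the leaf's public key,
    # otherwise nginx will refuse the pair (or serve a cert nobody holds the key for).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key $key does not match certificate $fullchain"; return 1; }

    # -checkhost always exits 0 and prints "does match" / "does NOT match",
    # so the verdict has to be read from its output.
    openssl x509 -in "$fullchain" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "$fullchain is not valid for $host"; return 1; }

    # Refuse a certificate that expires within 7 days (604800 s): if renewal
    # hooks were working, a fresher one would already be installed.
    openssl x509 -in "$fullchain" -noout -checkend 604800 >/dev/null 2>&1 \
        || { echo "$fullchain expires within 7 days"; return 1; }

    echo "$fullchain and $key are consistent and valid for $host"
    return 0
}
```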

Thanks for the reply.

Do you know if it would cause any conflicts if I allow Ghost to continue using acme.sh to renew the cert that Ghost-CLI generated when I set things up, but then install certbot and use that specifically to generate a certificate for the subdomain I mentioned in my initial post?

I think that depends on how you're routing traffic for domains. If you have a cert from a trusted signer it's not going to matter much. If you have a proxy that is handling all of your public domains in front of your Ghost-CLI, the cert that is in your proxy is going to be used if there is no pass-through, but you would need to make sure of the options in the proxy so that the connections are passed OK.

I don’t believe it will be a problem. I believe they are both clients that interact with the Let’s Encrypt servers in a way that is compatible with each other.

I also host a domain besides Ghost and I use certbot to manage my other certs.

Thanks markstos! I’ll give it a try and report back here to let anyone reading this in the future know how it turned out.

I was able to use Certbot just fine alongside Ghost handling its own SSL via Ghost-CLI on my DigitalOcean droplet :)

In case anyone else has the same issue and finds this via searching, here’s the guide I followed.