How can I set up SSL certificates for email sending subdomains?

Hi all,

  • What’s your URL? This is the easiest way for others to help you

  • What version of Ghost are you using? If it’s not the latest, please update Ghost first before opening your topic

  • How was Ghost installed and configured?
    DigitalOcean, 1 click install. Other configuration by me.

  • What Node version, database, OS & browser are you using?

  • What errors or information do you see in the console?

  • What steps could someone else take to reproduce the issue you’re having?

I’ve set up email on a subdomain and the transactional email is sent from When requesting a password reset for an admin and clicking through the link I receive in the email I can see that I get a certificate error for as the certificate is for mailgun. The subdomain domain has no certificate at all so that also errors.

How can I configure these domains to be secure?

Thank you

You should enable SSL for the subdomain using ghost setup ssl. Also, email.subdomain should not be accessible via a web browser: typically with Mailgun, this is a CNAME, and MX records are created for mg.subdomain to send.

Hi @mjw
Thanks for your response.

Are there any more specific instructions for this? I’ve attempted the instructions here in the documentation but I ran into an error.

So I tried running ghost setup --ssl otherwise it skips the config. At this point it asks ? **Enter your blog URL:** should I change this to and then change it back later? Or is there a way I can include wildcard domains here in the SSL set up? Should I request it on https://* If so will this also include the naked domain


What is the URL for your blog?

Okay, so you’re using the bare domain, not a subdomain; not sure why you said it was before. Therefore, use this when setting up SSL, and make sure you use production.config.json.

As for Mailgun, all you need is to setup MX records pointing to their servers, e.g., (a CNAME) is optional.

You only need to setup SSL for the bare domain; certificates are not necessary for the MX records.

Okay, thanks for your response. I thought I’d already added the MX records as described in their documentation and they’ve validated so I’m not sure what I’m missing here.

This is how they look currently

That looks fine. So, what exactly is the issue with certificates?

When requesting a password reset for an admin and clicking through the link I receive in the password reset email I get a certificate error for When inspecting the certificate it is for mailgun and my domain is not listed. According to the set up I’ve done what I’m supposed to so I’m not sure why this is happening.

You have misconfigured something: is not a valid website URL. The link should open on your bare domain, i.e., your Ghost site.

Please confirm value for "url": in production.config.json, and share your Nginx config from sites-available.

Also, I note that your site is private; try turning this off when testing the sign-up.



**"url"****:** **"https****:****//"****,**

**"server"****:** **{**

**"port"****:** 2368**,**

**"host"****:** **""**


**"database"****:** **{**

**"client"****:** **"mysql"****,**

**"connection"****:** **{**

**"host"****:** **"localhost"****,**

**"user"****:** **"ghost-REDACTED"****,**

**"password"****:** **"REDACTED"****,**

**"port"****:** 3306**,**

**"database"****:** **"ghost_production"**



**"mail"****:** **{**

**"from"****:** **"'Bowie Sensei'"****,**

**"transport"****:** **"SMTP"****,**

**"options"****:** **{**

**"service"****:** **"Mailgun"****,**

**"host"****:** **""****,**

**"port"****:** 465**,**

**"secure"****:** true**,**

**"auth"****:** **{**

**"user"****:** **""****,**

**"pass"****:** **"REDACTED"**




**"tls"****:** **{**

**"rejectUnauthorized"****:** false


**"logging"****:** **{**

**"transports"****:** **[**





**"process"****:** **"systemd"****,**

**"paths"****:** **{**

**"contentPath"****:** **"/var/www/ghost/content"**



The files in /etc/nginx/sites-available are default

I notice that there is no which I suspect might be required as all the other domains have an equivalent. However, I’m not sure how to create that file.

Here is the contents of

Let me know if I should post the others also

server {
    listen 80;
    listen [::]:80;

    root /var/www/ghost/system/nginx-root; # Used for SSL verification >

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;


    location ~ /.well-known {
        allow all;

    client_max_body_size 50m;

Can you paste production.conf.json again as it appears. There should be neither asterisk nor white space in those places.

Nonetheless, it looks okay, assuming this is a cut ’n’ paste issue.

Regarding Nginx, you seem to have too many configurations for the site.

Initially, I’d remove default and from /etc/nginx/sites-enabled, test Nginx (sudo nginx -t), and then sudo nginx reload.