How can I set up SSL certificates for email sending subdomains?

Hi all,

  • What’s your URL? This is the easiest way for others to help you
    e.bowiesensei.com

  • What version of Ghost are you using? If it’s not the latest, please update Ghost first before opening your topic
    5.53.1
    And

  • How was Ghost installed and configured?
    DigitalOcean, 1 click install. Other configuration by me.

  • What Node version, database, OS & browser are you using?
    v16.20.1

  • What errors or information do you see in the console?
    n/a

  • What steps could someone else take to reproduce the issue you’re having?

I’ve set up email on a subdomain e.bowiesensei.com and the transactional email is sent from https://email.e.bowiesensei.com. When requesting a password reset for an admin and clicking through the link I receive in the email I can see that I get a certificate error for https://email.e.bowiesensei.com/ as the certificate is for mailgun. The subdomain e.bowiesensei.com domain has no certificate at all so that also errors.

How can I configure these domains to be secure?

Thank you

You should enable SSL for the subdomain using ghost setup ssl. Also, email.subdomain should not be accessible via a web browser: typically with Mailgun, this is a CNAME, and MX records are created for mg.subdomain to send.

Hi @mjw
Thanks for your response.

Are there any more specific instructions for this? I’ve attempted the instructions here in the documentation but I ran into an error.

So I tried running ghost setup --ssl otherwise it skips the config. At this point it asks ? **Enter your blog URL:** should I change this to https://e.bowiesensei.com and then change it back later? Or is there a way I can include wildcard domains here in the SSL set up? Should I request it on https://*.bowiesensei.com. If so will this also include the naked domain https://bowiesensei.com?

thanks

What is the URL for your blog?

https://bowiesensei.com

Okay, so you’re using the bare domain, not a subdomain; not sure why you said it was https://e.bowiesensei.com/ before. Therefore, use this when setting up SSL, and make sure you use https://bowiesensei.com/ in production.config.json.

As for Mailgun, all you need is to set up MX records pointing to their servers, e.g., mg.bowiesensei.com. email.mg.bowiesensei.com (a CNAME) is optional.

You only need to set up SSL for the bare domain; certificates are not necessary for the MX records.

Okay, thanks for your response. I thought I’d already added the MX records as described in their documentation and they’ve validated so I’m not sure what I’m missing here.

This is how they look currently

That looks fine. So, what exactly is the issue with certificates?

When requesting a password reset for an admin and clicking through the link I receive in the password reset email I get a certificate error for https://email.e.bowiesensei.com. When inspecting the certificate it is for mailgun and my domain is not listed. According to the set up I’ve done what I’m supposed to so I’m not sure why this is happening.


You have misconfigured something: https://email.e.bowiesensei.com/ is not a valid website URL. The link should open on your bare domain, i.e., your Ghost site.

Please confirm value for "url": in production.config.json, and share your Nginx config from sites-available.

Also, I note that your site is private; try turning this off when testing the sign-up.

config.production.json

{
    "url": "https://bowiesensei.com",
    "server": {
        "port": 2368,
        "host": "127.0.0.1"
    },
    "database": {
        "client": "mysql",
        "connection": {
            "host": "localhost",
            "user": "ghost-REDACTED",
            "password": "REDACTED",
            "port": 3306,
            "database": "ghost_production"
        }
    },
    "mail": {
        "from": "'Bowie Sensei' noreply@e.bowiesensei.com",
        "transport": "SMTP",
        "options": {
            "service": "Mailgun",
            "host": "smtp.eu.mailgun.org",
            "port": 465,
            "secure": true,
            "auth": {
                "user": "noreply@e.bowiesensei.com",
                "pass": "REDACTED"
            }
        }
    },
    "tls": {
        "rejectUnauthorized": false
    },
    "logging": {
        "transports": [
            "file",
            "stdout"
        ]
    },
    "process": "systemd",
    "paths": {
        "contentPath": "/var/www/ghost/content"
    }
}

The files in /etc/nginx/sites-available are

bowiesensei.com-ssl.conf default www.bowiesensei.com-ssl.conf
bowiesensei.com.conf e.bowiesensei.com.conf www.bowiesensei.com.conf

I notice that there is no e.bowiesensei.com-ssl.conf which I suspect might be required as all the other domains have an equivalent. However, I’m not sure how to create that file.

Here is the contents of e.bowiesensei.com.conf

Let me know if I should post the others also

server {
    listen 80;
    listen [::]:80;

    server_name e.bowiesensei.com;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification >

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;

    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

Can you paste production.conf.json again as it appears? There should be neither asterisks nor white space in those places.

Nonetheless, it looks okay, assuming this is a cut ’n’ paste issue.

Regarding Nginx, you seem to have too many configurations for the site.

Initially, I’d remove default and e.bowiesensei.com.conf from /etc/nginx/sites-enabled, test Nginx (sudo nginx -t), and then sudo nginx reload.
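An added sanity check for the points raised in this thread (the "url" value, paste artefacts such as stray asterisks or whitespace, the SMTP port/secure pairing, and the "rejectUnauthorized": false setting in the posted config). This is example code written for this page, not part of the thread or of Ghost; it assumes nodemailer's semantics for "secure" (true for implicit TLS on 465, false for STARTTLS on 587) and uses a constructed copy of the config posted above with secrets already redacted.

```python
import json
from urllib.parse import urlparse

# Constructed copy of the relevant parts of the config posted in the thread.
POSTED_CONFIG = json.loads("""
{
  "url": "https://bowiesensei.com",
  "mail": {
    "from": "'Bowie Sensei' noreply@e.bowiesensei.com",
    "transport": "SMTP",
    "options": {"service": "Mailgun", "host": "smtp.eu.mailgun.org",
                "port": 465, "secure": true,
                "auth": {"user": "noreply@e.bowiesensei.com", "pass": "REDACTED"}}
  },
  "tls": {"rejectUnauthorized": false}
}
""")


def check_ghost_config(cfg: dict, site_host: str) -> list[str]:
    """Return a list of findings for a Ghost config dict; empty means all checks passed."""
    findings = []
    url = cfg.get("url", "")
    parsed = urlparse(url)
    # Password-reset and other links are built from "url", so it must be the
    # https origin of the site itself, not a mail subdomain.
    if parsed.scheme != "https":
        findings.append(f"url must use https, got {url!r}")
    if parsed.hostname != site_host:
        findings.append(f"url host {parsed.hostname!r} != site host {site_host!r}")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        findings.append("url should be the bare site origin without path or query")
    if url != url.strip() or "*" in url:
        findings.append("url contains whitespace or '*' (copy/paste artefact?)")
    # nodemailer: port 465 is implicit TLS (secure: true), 587 is STARTTLS (secure: false).
    opts = cfg.get("mail", {}).get("options", {})
    port, secure = opts.get("port"), opts.get("secure")
    if port == 465 and secure is not True:
        findings.append("port 465 is implicit TLS: set secure: true")
    if port == 587 and secure is True:
        findings.append("port 587 uses STARTTLS: set secure: false")
    # In Node TLS options, rejectUnauthorized: false accepts any certificate,
    # so an SMTP session could be silently intercepted.
    for where in (cfg.get("tls", {}), opts.get("tls", {})):
        if where.get("rejectUnauthorized") is False:
            findings.append("rejectUnauthorized: false disables certificate verification")
    return findings
```

Running it against the posted config reports only the rejectUnauthorized finding, which is consistent with the reply that the url value itself looks fine.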