I am having issues with getting the SSL certificates for my website to renew. The cron job that Ghost sets up during installation, when setting up the SSL certificate for you, exists, and should have run on 19 October 2023, however it did not.
When I tried to run the cron job manually, it fails, and I get the following error:
===Starting cron===
[Sun Oct 22 02:18:14 PM UTC 2023] Renew: 'mythbound.online'
[Sun Oct 22 02:18:14 PM UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun Oct 22 02:18:15 PM UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Oct 22 02:18:15 PM UTC 2023] Single domain='mythbound.online'
[Sun Oct 22 02:18:15 PM UTC 2023] Getting domain auth token for each domain
[Sun Oct 22 02:18:17 PM UTC 2023] Getting webroot for domain='mythbound.online'
[Sun Oct 22 02:18:17 PM UTC 2023] Verifying: mythbound.online
[Sun Oct 22 02:18:18 PM UTC 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Sun Oct 22 02:18:22 PM UTC 2023] Pending, The CA is processing your order, please just wait. (2/30)
[Sun Oct 22 02:18:25 PM UTC 2023] Pending, The CA is processing your order, please just wait. (3/30)
[Sun Oct 22 02:18:29 PM UTC 2023] Invalid status, mythbound.online:Verify error detail:77.68.51.102: Invalid response from http://mythbound.online/.well-known/acme-challenge/SNkuSdur8HQj4-oofvOZ6fWFYTBpTVHOty4fAYHmnSY: 404
[Sun Oct 22 02:18:29 PM UTC 2023] Please check log file for more details: /etc/letsencrypt/acme.sh.log
[Sun Oct 22 02:18:30 PM UTC 2023] Error renew mythbound.online.
[Sun Oct 22 02:18:30 PM UTC 2023] ===End cron===
I don’t really understand this enough to troubleshoot it properly, can any of you help me figure out what is going on, and why I can’t renew the SSL certificates?
The cronjob (or the underlying script) is basically contacting the LetsEncrypt server, which tries to verify that you're the owner of your domain. It essentially puts a file onto your server and then tries to reach it through the internet. That's the line here:
[Sun Oct 22 02:18:29 PM UTC 2023] Invalid status, mythbound.online:Verify error detail:77.68.51.102: Invalid response from http://mythbound.online/.well-known/acme-challenge/SNkuSdur8HQj4-oofvOZ6fWFYTBpTVHOty4fAYHmnSY: 404
It put the file at the location http://mythbound.online/.well-known/acme-challenge/SNkuSdur8HQj4-oofvOZ6fWFYTBpTVHOty4fAYHmnSY but cannot find it.
Now, I have just tried to find that file myself and went to that URL – and got a 404 error. When I go to the top level domain – mythbound.online – I am getting a 502 error, which usually indicates that NGINX can’t reach Ghost.
Not entirely sure if it is necessary for the renewal of the SSL, but is Ghost running? You can check that with ghost status.
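The HTTP-01 exchange the reply above describes, reproduced locally as an added example (this is not code from the thread, from acme.sh or from Ghost). The ACME client writes a file named after the challenge token under `<webroot>/.well-known/acme-challenge/`, whose body is the key authorization `token.thumbprint(account key)` from RFC 8555 section 8.1, and the CA then fetches it over plain HTTP. The script stands a Python `http.server` in for nginx, runs one round where the client webroot and the served root agree (200, body matches) and one where they differ (404, like the log above), so the mismatch can be diagnosed offline. The account JWK is a constructed placeholder, not a real key, and the directory names are assumptions.

```python
"""
Local probe for the ACME HTTP-01 path used by acme.sh / certbot webroot mode.
Added example, not from the thread or from acme.sh: a loopback http.server
stands in for nginx, so the 404 seen in the cron log can be reproduced and
fixed without touching the live site or Let's Encrypt.
"""
import base64
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Constructed account key (public half only, placeholder values, not a real key).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": base64.urlsafe_b64encode(b"\x01" * 256).rstrip(b"=").decode()}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: the challenge file body is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot: str, token: str, key_auth: str) -> str:
    """Client side: drop the key authorization at <webroot>/.well-known/acme-challenge/<token>."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(key_auth)
    return path


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def serve(document_root: str) -> ThreadingHTTPServer:
    """Stand-in for nginx: serve document_root on 127.0.0.1 on an ephemeral port."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=document_root))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def validate(httpd: ThreadingHTTPServer, token: str, expected: str) -> tuple:
    """CA side: GET the challenge URL and compare the body with the key authorization."""
    url = f"http://127.0.0.1:{httpd.server_address[1]}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore any http_proxy
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode().strip() == expected
    except urllib.error.HTTPError as err:
        return err.code, False


def probe(client_webroot: str, server_root: str) -> tuple:
    """One HTTP-01 round: client writes into client_webroot, server serves server_root."""
    token = b64url(secrets.token_bytes(32))
    key_auth = key_authorization(token, ACCOUNT_JWK)
    write_challenge(client_webroot, token, key_auth)
    httpd = serve(server_root)
    try:
        return validate(httpd, token, key_auth)
    finally:
        httpd.shutdown()
        httpd.server_close()


def demo() -> dict:
    """Matching roots succeed; a client writing elsewhere than the nginx root gets the 404 from the log."""
    with tempfile.TemporaryDirectory() as tmp:
        nginx_root = os.path.join(tmp, "system", "nginx-root")  # assumed nginx `root`
        other_dir = os.path.join(tmp, "somewhere-else")          # assumed mismatched client webroot
        os.makedirs(nginx_root)
        os.makedirs(other_dir)
        return {"matching": probe(nginx_root, nginx_root),
                "mismatched": probe(other_dir, nginx_root)}


if __name__ == "__main__":
    print(demo())
```

On a real host the same check is: write a throwaway file into the directory nginx's `root` points at, fetch `http://<domain>/.well-known/acme-challenge/<name>` from outside, and confirm the body comes back. If that returns 404 while the file exists, nginx is serving a different root (or the `location /` proxy to Ghost is catching the request first); if the file never appears, the client is writing to a different webroot or lacks permission on the directory.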
Ghost is running and accessible via the HTTP link, after confirming that I want to proceed.
I also tried to visit the file in the web-browser via the HTTP link, and it would not let me.
I also checked the directory on the server, and there are other files in there, but not the one it was trying to access – I am assuming the other files are from past renew or renew attempts. However, acme.sh is not even creating the file in the directory for some reason, as it does not appear as though it is present.
:(
Interestingly, the “system” directory is owned by root. Could that be causing the issue with acme.sh not creating the file?
I have got this problem resolved by doing the following:
Stop ghost
Remove the mythbound.online-ssl.conf file that acme.sh created during set up
Running sudo certbot --nginx and then choosing the option to secure mythbound.online with an SSL certificate
Certbot then runs and deploys the certificates, so that I now have the following NGINX server block for my Ghost site.
server {
    server_name mythbound.online;
    root /var/www/mythbound/website/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mythbound.online/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mythbound.online/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = mythbound.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name mythbound.online;
    return 404; # managed by Certbot
}
This is obviously not a good idea, because it has combined the server block that was created during set up (to use acme.sh) with the modifications that Certbot made to it to make the SSL work.
It has, however, got around the weird issues of acme.sh not deploying my certificates.
I now just need to delete the domain from acme.sh it seems, now that Certbot is managing the SSL certificates instead.