Manual SSL Configuration

How can ghost be manually configured to use specific SSL settings? Is it possible, or is letsencrypt the only way?

I’ve looked all over trying to find where I can configure ghost to use specific SSL settings. So, in the spirit of asking a question that has probably been asked before… a little about my motivations and why I’m trying to do this:

Request Flow:
(public --> (apache: public SSL termination | reverse proxy | internal SSL origination/termination) --> (SSL enabled internal applications supporting public domain)

In this configuration, those applications which sit behind apache have an internal SSL configuration that is mandatory for communication with apache. Hats off to the ghost team for doing letsencrypt integration; however, in this deployment scenario it won’t help much.

You’re free to use any SSL configuration you would like. Just make sure you se the x-forwarded-proto header so Ghost knows that SSL was terminated and doesn’t try to redirect you.

Good to know about the x-forwarded-proto headers! However, I guess my question was fishing for more information about “how can it be done” rather than “is it possible”.

  • What values in which config files need to be edited to allow a manual SSL configuration?
  • Are these config values allowed in containerized environments (like the mysql environmental config values on the docker container)?
  • What encoding does my certificate need to be? (.der? .pem?)
  • How about the certificate’s extension? (.cer? .crt? .pfx?) There’s just a few of them out there. Are they all supported? Are only a few supported? Is only one supported?
  • Where do our certificate files need to be placed? Can they be placed anywhere and their paths set in a configuration file? Do they have to be placed in the /etc/letsencrypt directory?

After poking around a little more, I’ve noticed that SSL can be setup on install. Am I then required to install ghost every time I need to rotate a manually configured certificate?

How does one carry out a manual SSL configuration? The ghost config page very briefly mentions that “Ghost has a number of configuration options for working with SSL”, but doesn’t actually say what they are or how to use them.

I can give you answers related to Ghost, but not your specific setup :slight_smile:

Absolutely nothing. Just make sure the url is configured to be https and have the x-forwarded-proto header.

Yes, since config values can be provided via env vars or a config file

This is specific to the application that’s terminating SSL.

Since the Ghost process doesn’t support HTTPS (SSL), it’s also specific to your implementation :slight_smile: Most implementations allow you to specify the path to your cert. To be clear, in the default configuration, HTTPS is handled by nginx

I think we have a misunderstanding. I’ll ask a more direct question. If I follow the local installation steps how would I configure ghost to use https://localhost:2368?

You wouldn’t be able to without putting something in front of it.

For some technical detail, HTTPS is built on top of HTTP, so some features (like trust [SSL]) aren’t available in HTTP. Ghost only works on HTTP since it’s not designed to be directly exposed to the internet. Thus, you need to have something in front of Ghost that supports HTTPS (like NGINX) that “transforms” the HTTPS connection into an HTTP connection, which Ghost does support

Hey @lucidlexer,

If you didn’t manage to configure SSL you can consider using DigitalPress. It provides free Ghost hosting with SSL certificate configured automatically for you.

It’s really simple to set up your own blog, give it a try. You won’t have to hack the setup yourself anymore :wink: