Post Install - all good no ghost

What I suggest is this:

  1. Remove the symbolic link in /etc/nginx/sites-enabled

  2. Edit config.production.config to change the site to HTTPS

Ideally, you should only run HTTPS, so it’s best to resolve this setup. Moreover, if the Let’s Encrypt certificates were generated, you don’t need to try this again.

Make the changes and restart Ghost and Nginx.

Incidentally, I don’t use Let’s Encrypt; I generate certificates in Cloudflare.

Hey MJW,
Should I just clear out all entries in the sites-enabled folder? Sorry about my lack of knowledge here. I understand they are symbolics, but just don’t know what I’m doing.

F

Since you haven’t named the files, I can’t be precise. However, you need to delete the symbolic link for the HTTP config in /etc/nginx/sites-enabled. The file can still be found in /etc/nginx/sites-available if needed later.

Once you’ve done this, do sudo systemctl reload nginx, edit the site URL in your production.config.json to HTTPS, and restart Ghost.

Hey Martin,

Thanks for your continuing help. I went a little farther and did a reinstall with https on. I can delete the items in the sites-available folder and they come back just fine.
The new issue appears to be a database error.

Ghost was able to start, but errored during boot with: Access denied for user ‘ghost-793’@‘localhost’ (using password: YES)

I’m thinking maybe an uninstall and then reinstall?

Fritz

I ended up uninstalling and reinstalling to get rid of the MySQL error. Everything looks great (meaning that there are no obvious errors), but the site still doesn’t work. I took a look at the config and I’m not sure specifically what I’m looking for, but again it looks in order. Let me know if you have any other hints.

F

Do you use ufw, and have you enabled it for HTTPS?

How about this one?

Hey Shiny,

I do use UFW and I did add https to the rules, but there was no change.
As of this morning the Nginx status is listed as failed. So that happened during my evening. I can’t get it running manually (start, restart, reload, etc). My normal steps here would be restart and then reinstall. I might be muddying the water quite a bit at this point.

This morning I started reading the errors. Apparently, a path to a certificate isn’t correct. If I’m reading this correctly it’s looking in the /etc/letsencrypt/fourankles.com folder for a fullchain.cer. There is a fourankles.com_ecc file. Could this be the issue? Or am I reading this incorrectly?

F

I believe having fourankles.com_ecc file is fine.

As Johnny in the link said, I added _ecc after the domains in /etc/nginx/sites-available/fourankles.com-ssl.conf.

In my case, it worked.

If you use Cloudflare, you might need to change SSL mode to Full (strict) from Flexible.

This is your immediate issue. What is the error? Use journalctl. Also, how did you uninstall Ghost etc.?

Hey Martin,

I used ghost uninstall and reinstalled and ran setup again. It couldn’t find the nginx installation. I assumed there must be remnants of previous installations and errors, so I thought instead of chasing problems I’d reset the server (thumbs up to a vps box).

I just finished the reinstall a few minutes ago. My new error is:

GhostError

Message: Ghost was able to start, but errored during boot with: Access denied for user ‘root’@‘localhost’
Help: Unknown database error
Suggestion: journalctl -u ghost_fourankles-com -n 50

So I checked the journal and there are no entries.
During the install I picked root as the mysql user per the instructions.

I want to apologize for jumping ahead, but the game of “whack-a-mole” was frustrating to chase down, so I thought this was the best approach.

F

I’d have done the same - one of the features of VPS, for sure! Are you sure you gave the install prompt the password for the root user IN MYSQL (not the actual root password)?

Hey Cathy,

I would like to think I did, but at this point I’m second guessing myself at every step.
I ran setup again and get the same DB error. I’ll dig in the forum to see if I can find something along the lines about that error.

F

There’s no native password set for the root MySQL account.

Try this …

sudo mysql

# Set root password 
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
QUIT;
# This is good practice 
sudo mysql_secure_installation
# Test that you can login
sudo mysql -u root -p

Ideally, you should create another database user for Ghost that only has privileges for the one Ghost database.

Thanks for the additional info Martin. I think I’m going to restart the VPS for fresh and use your alter user command during the setup. I do notice that every time I run setup that I see there is another user created. The format is ghost-1234. It’s a different number each time.

Does that sound like the correct process?
Fritz

Okay. Clean VPS and fresh install. The only difference was that I added Martin’s extra work of putting in a password for the mysql root account and making it a secure installation.

At the end of the install the note is that it couldn’t restart Nginx. However, I checked systemctl and it is running and doctor shows no errors.

So I then restarted ghost, but no luck.
Next I stop nginx (systemctl stop nginx) and then try to restart (systemctl start nginx) and it fails.
I check the journalctl and it looks like it can’t load the certificate!

Not sure what’s happening this time, but it felt closer. Let me know if you have any ideas.

Fritz

It could be that Let’s Encrypt won’t reissue the certificate because you’ve already requested one.

You can test this, but usually there’s no way of requesting another, since you have wiped them from the server.

I can give you an alternative approach later today UK time.

The cert preexisting hadn’t dawned upon me! Interesting! Now that I’m getting through the bumps I can see that might be yet another issue. Thanks for digging into this.

Fritz

The Let’s Encrypt service limits requests for the same certificate to 5 times a week. If you’ve reached this limit, you can’t get another certificate (unless you request the same certificate alongside a new subdomain, for example).

Some time ago, I decided not to use Let’s Encrypt, and handle SSL with a free Cloudflare account. To achieve this, you’ll need to use Cloudflare nameservers, and then generate SSL certificates in their dash for authenticated pulls. Cloudflare will then sort the public certificates, and renew them automatically.

This is what my Nginx configuration looks like.

limit_req_zone $binary_remote_addr zone=fourankles_com_limit:10m rate=5r/s;

server {
    listen 80;
    listen [::]:80;

    server_name fourankles.com;
    return 301 https://fourankles.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name fourankles.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl_certificate /etc/ssl/certs/fourankles_com-cert.pem;
    ssl_certificate_key /etc/ssl/private/fourankles_com-key.pem;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;

        limit_req zone=fourankles_com_limit burst=30 delay=10;
        limit_req_log_level warn;
        limit_req_status 444;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
    }

    client_max_body_size 50m;
}

All I had to do was upload the certificates to /etc/ssl, and skip SSL and Nginx setup when installing Ghost. If you need some guidance setting up Cloudflare, just reach out.
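
An added example, not part of the thread or of Ghost's own tooling: a check to run before reloading Nginx that catches the failure seen earlier in this thread, where Nginx will not start because a certificate path in the site config does not exist. It also flags a private key that group or other users can read. The function names are hypothetical, and it assumes one path per directive with no spaces in it.

```shell
#!/bin/sh
# Added example: verify the TLS files an Nginx site config points at.

# Print "directive path" for each ssl_certificate / ssl_certificate_key line.
# Commented-out directives are skipped because their first field is "#".
tls_paths() {
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             sub(/;$/, "", $2); print $1, $2 }' "$1"
}

# Return 0 only if every referenced file is readable and no private key is
# accessible to group or other users. Each problem is printed on its own line.
check_tls_files() {
    problems=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ ! -r "$path" ]; then
            echo "MISSING  $directive $path"
            problems=$((problems + 1))
        elif [ "$directive" = "ssl_certificate_key" ]; then
            # Characters 5-10 of the mode string are the group/other bits;
            # -L follows symlinks so the real key file is inspected.
            bits=$(ls -ldL -- "$path" | cut -c5-10)
            if [ "$bits" != "------" ]; then
                echo "TOO-OPEN $directive $path"
                problems=$((problems + 1))
            fi
        fi
    done <<EOF
$(tls_paths "$1")
EOF
    [ "$problems" -eq 0 ]
}

# Return 0 if certificate $1 and private key $2 carry the same public key.
# Works for RSA and ECC keys; requires the openssl command-line tool.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Source the file, run check_tls_files on the site config under /etc/nginx/sites-available, then sudo nginx -t, and only reload Nginx once both pass.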

Hey Martin,
Sorry this step has taken me a few days. I finally had the time to sit down and work on this. I’ve made an account at cloudflare, and repointed the DNS servers. I’m at the waiting interval. I’ll work on this tomorrow, but should I start over from the beginning again. Or just restart ghost setup?

Fritz

You should be fine leaving Ghost as it is, and simply copy the certificates, and update the Nginx configuration.