Post Install - all good no ghost

It could be that Let’s Encrypt won’t reissue the certificate because you’ve already requested one.

You can test this, but usually there’s no way of requesting another, since you have wiped them from the server.

I can give you an alternative approach later today UK time.

The cert preexisting hadn’t dawned upon me! Interesting! Now that I’m getting through the bumps I can see that might be yet another issue. Thanks for digging into this.

Fritz

The Let’s Encrypt service limits requests for the same certificate to 5 times a week. If you’ve reached this limit, you can’t get another certificate (unless you request the same certificate alongside a new subdomain, for example.)

Some time ago, I decided not to use Let’s Encrypt, and handle SSL with a free Cloudflare account. To achieve this, you’ll need to use Cloudflare nameservers, and then generate SSL certificates in their dash for authenticated pulls. Cloudflare will then sort the public certificates, and renew them automatically.

This is what my Nginx configuration looks like.

limit_req_zone $binary_remote_addr zone=fourankles_com_limit:10m rate=5r/s;

server {
    listen 80;
    listen [::]:80;

    server_name fourankles.com;
    return 301 https://fourankles.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name fourankles.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl_certificate /etc/ssl/certs/fourankles_com-cert.pem;
    ssl_certificate_key /etc/ssl/private/fourankles_com-key.pem;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;

        limit_req zone=fourankles_com_limit burst=30 delay=10;
        limit_req_log_level warn;
        limit_req_status 444;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
    }

    client_max_body_size 50m;
}

All I had to do was upload the certificates to /etc/ssl, and skip SSL and Nginx setup when installing Ghost. If you need some guidance setting up Cloudflare, just reach out.

Hey Martin,
Sorry this step has taken me a few days. I finally had the time to sit down and work on this. I’ve made an account at Cloudflare, and repointed the DNS servers. I’m at the waiting interval. I’ll work on this tomorrow, but should I start over from the beginning again, or just restart ghost setup?

Fritz

You should be fine leaving Ghost as it is, and simply copy the certificates, and update the Nginx configuration.

Hey Martin,
Thanks for the continuing assistance. I’ve created/copied the new certs on the server and I’m about to edit the .conf file. Do I just erase everything in there and copy yours over? This is new territory for me. I continue to research this on the side.

Fritz

current config:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POO>
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascrip>

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

No, do not delete this config file!

Please share the output from the following:

ls -Flai /etc/nginx/sites-available

Most likely, there are two files: default and one like sitename.conf.

Hey Martin,

I have default, fourankles.com-ssl.conf and fourankles.com.conf. These are artifacts of the ghost setup I believe.

Fritz

PS. I just took a look in both of the confs and they are blank.
PPS. I’m guessing you want me to overwrite the default. That seems like it matches your example config.

Okay, go ahead and delete fourankles.com-ssl.conf, and then edit the other and add the content I posted earlier.

Once you’ve done this, you need to check that there is a symbolic link to the file in /etc/nginx/sites-enabled.

ls -Flai /etc/nginx/sites-enabled

There may be a single link to the new config since it was already there. If not, run this.

cd /etc/nginx/sites-enabled
sudo ln -s /etc/nginx/sites-available/fourankles.com.conf fourankles.com.conf

# Test config
nginx -t

If there are errors, please post. If it’s good, reload Nginx.

sudo systemctl reload nginx

Now try your site.

Here’s the output:

656038 drwxr-xr-x 2 root root 4096 Jun 26 18:18 ./
656026 drwxr-xr-x 8 root root 4096 Jun 26 14:41 ../
656039 -rw-r--r-- 1 root root 2412 Jul 27 2022 default
836470 -rw-rw-r-- 1 gbadmin gbadmin 1271 Jun 26 18:18 fourankles.com.conf

Okay, so the symbolic link exists. Therefore, proceed with the test.

Sigh, unfortunately nginx is in a failed state. No restart or reload will get it to run. I restarted the server and get the same issue.

Should I reinstall Nginx? Or Ghost?

F

What was the output from nginx -t?

Also, do restart ghost and ghost ls. Confirm that the same port is specified in the Nginx config.

Here’s the output:
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2023/06/26 18:55:44 [warn] 1368#1368: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2023/06/26 18:55:44 [emerg] 1368#1368: open() "/etc/nginx/sites-enabled/fourankles.com-ssl.conf" failed (2: No such file or directory) in /etc/nginx/nginx.conf:60
nginx: configuration file /etc/nginx/nginx.conf test failed

I restarted ghost and confirmed port 2368.

F

Is gbadmin the Ghost user? If so, please share the output from groups gbadmin.

gbadmin : gbadmin sudo

Not much. Just to get Ghost working.

F

PS I was thinking that when we sort out the issue with nginx that we’d need to figure out how to get away from letsencrypt. Or did we do that by altering the nginx config?

You need to do sudo nginx -t. 🙂

Hmm, that didn’t seem to work too well. Here’s the output:

nginx: [emerg] open() "/etc/nginx/sites-enabled/fourankles.com-ssl.conf" failed (2: No such file or directory) in /etc/nginx/nginx.conf:60
nginx: configuration file /etc/nginx/nginx.conf test failed

F

No, this has worked. That’s the reason Nginx won’t start.

You still have a symbolic link in /etc/nginx/sites-enabled for the original Nginx config file, but the file no longer exists. You can delete: sudo rm /etc/nginx/sites-enabled/fourankles.com-ssl.conf, and then rerun sudo nginx -t.
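
The two failures in this thread (a stale symlink left in sites-enabled after the original config was deleted, and a certificate path in the vhost that does not exist on disk) can both be caught before running sudo nginx -t. The script below is an added example written for this thread, not Ghost's or nginx's own tooling. It builds a throwaway directory layout under mktemp that mirrors the state described above (a sites-available/ and sites-enabled/ pair plus a certs/ directory; these paths and the file contents are constructed for the demo) and then runs two checks over it: find_dangling_links reports symlinks whose target is gone, which is exactly what nginx trips over because `include /etc/nginx/sites-enabled/*;` expands the glob to the link's name and then fails to open it; find_missing_cert_paths reads the ssl_certificate and ssl_certificate_key directives out of each enabled config and reports files that are not on disk, the cause of the BIO_new_file() error. Point preflight at /etc/nginx instead of the sandbox to use it on a real host.

```shell
#!/bin/sh
# Added example for this thread (not Ghost's or nginx's own tooling): a pre-flight
# check to run before `sudo nginx -t` that catches the two failures seen above.
# The directory layout below is constructed under mktemp so it runs anywhere;
# only the directive names (ssl_certificate, ssl_certificate_key) are nginx's.

# Print every symlink in DIR whose target no longer exists. nginx's
# `include /etc/nginx/sites-enabled/*;` expands the glob to the link's name
# and then fails with "open() ... (2: No such file or directory)" on it.
find_dangling_links() {
    dir=$1
    for entry in "$dir"/*; do
        # an unmatched glob leaves the literal pattern: neither a file nor a link
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Print every ssl_certificate / ssl_certificate_key path in CONF that is not a
# regular file on disk (the cause of the BIO_new_file() "no such file" error).
find_missing_cert_paths() {
    conf=$1
    sed -e 's/#.*//' "$conf" \
      | awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                 sub(/;$/, "", $2); print $2 }' \
      | while IFS= read -r path; do
            [ -f "$path" ] || printf '%s\n' "$path"
        done
}

# Run both checks for a layout rooted at ROOT (sites-enabled/ beneath it).
# Returns the number of problem classes found, so 0 means clean.
preflight() {
    root=$1
    problems=0
    dangling=$(find_dangling_links "$root/sites-enabled")
    if [ -n "$dangling" ]; then
        printf 'dangling symlink(s) in sites-enabled (remove with rm):\n%s\n' "$dangling"
        problems=$((problems + 1))
    fi
    for conf in "$root"/sites-enabled/*; do
        [ -f "$conf" ] || continue          # skips dangling links and empty globs
        missing=$(find_missing_cert_paths "$conf")
        if [ -n "$missing" ]; then
            printf 'certificate file(s) referenced by %s but not on disk:\n%s\n' "$conf" "$missing"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# --- constructed sandbox reproducing the thread's state -------------------------
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/sites-available" "$SANDBOX/sites-enabled" "$SANDBOX/certs"

# the surviving vhost: the key was uploaded, but the certificate file name does not match
cat > "$SANDBOX/sites-available/fourankles.com.conf" <<EOF
server {
    listen 443 ssl;
    server_name fourankles.com;
    ssl_certificate $SANDBOX/certs/fourankles_com-cert.pem;
    ssl_certificate_key $SANDBOX/certs/fourankles_com-key.pem;
}
EOF
: > "$SANDBOX/certs/fourankles_com-key.pem"
ln -s "$SANDBOX/sites-available/fourankles.com.conf" "$SANDBOX/sites-enabled/fourankles.com.conf"

# the stale link: its target (the old -ssl.conf) was deleted from sites-available
ln -s "$SANDBOX/sites-available/fourankles.com-ssl.conf" "$SANDBOX/sites-enabled/fourankles.com-ssl.conf"

preflight "$SANDBOX" || echo "preflight: $? problem class(es) found; fix before 'sudo nginx -t'"
```

The checks are deliberately read-only: they name the offending link or path and leave the removal (sudo rm of the stale link, renaming the .pem) to the operator, so nothing under /etc/nginx changes without a person looking at it first.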

The drama continues! Here’s the output:

nginx: [emerg] cannot load certificate "/etc/ssl/certs/fourankles_com.cert.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/certs/fourankles_com.cert.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

I wonder if I misnamed the .pem file?

F