Problem setting up ssl

Ghost-CLI version: 1.12.0
Ghost version: 2.30.2 (at /var/www/ghost)
My domain is already configured

When I try to run ghost setup ssl in the website’s root directory I get this output:

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#'  /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain myactualdomainhere.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail xxxxxx@xxxxxx.com

Is ‘#node-sudo-passwd#’ supposed to be my password? Is there any way I can fill this value without setting it directly in the source code?

Thank you very much!

Hi @Michel_Calheiros - have you tried running ghost doctor?

Also, have you authenticated as your sudo user? For example, by running sudo apt update and then running the ghost commands?

No, Ghost will ask you for your sudo password and proxy it to the sudo command. It’s used as a placeholder.

If ghost doctor is all green, you might try running the command manually to see what the issue is. The CLI usually handles most errors, so it’d be interesting to see what fails here.


Important detail: I’m using the ghost image from DigitalOcean one click deploy and I’m using the ghost-mgr auto created user to run the commands.

ghost doctor output:

✔ Checking system Node.js version
✔ Checking logged in user
✔ Ensuring user is not logged in as ghost user
✔ Checking if logged in user is directory owner
✔ Checking current folder permissions
✔ Checking operating system compatibility
✔ Checking for a MySQL installation
+ sudo systemctl is-active ghost_000-000-000-000
Instance is currently running
ℹ Validating config [skipped]
✔ Checking folder permissions
✔ Checking file permissions
✔ Checking content folder ownership
✔ Checking memory availability

ghost_000-000-000-000 = ghost_ + my server ip address

Running the command manually gives me the following output, without asking me for the password (I’m not running this actual command; I’m running one with my real email and domain):

/bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain myactualdomainhere.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail xxxxxx@xxxxxx.com

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Which makes me think there’s a malformed command?

Can you try running just this part?

I’ve been trying to set up this SSL and discovered that there’s a problem with the default setup.
After following this exact setup on a brand new DigitalOcean Ubuntu VM, this is what ghost-cli outputs in the SSL step:

--------------- stderr ---------------
[Sun Nov 10 19:04:14 UTC 2019] mydomain.com.br:Verify error:Invalid response from http://mydomain.com.br/.well-known/acme-challenge/bqZl_wF8sE8a7H9wq_iiPptOVUUFpKRmLKgyerpgzdU [2804:10:4062::198:124]: 
[Sun Nov 10 19:04:14 UTC 2019] Please add '--debug' or '--log' to check more details.
[Sun Nov 10 19:04:14 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

I think the big problem here is about Let’s Encrypt certificate rate limits, because I ran the command consecutive times and every time it failed to validate the certificate, blocking my domain from emitting certificates for a week.

Btw, this is what acme.sh logs after putting --log on the command line:

/etc/letsencrypt/acme.sh: line 2039: /etc/letsencrypt/account.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/account.conf: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
touch: cannot touch '/etc/letsencrypt/http.header': Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 3344: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
[Sun Nov 10 19:17:50 UTC 2019] Only RSA or EC key is supported. keyfile=/etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key
cat: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
[Sun Nov 10 19:17:50 UTC 2019] Please check log file for more details: /etc/letsencrypt/acme.sh.log

I guess this happens because I’m running the command like this:

/etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain mydomain.com.br --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail myemail@gmail.com --log

But if I run it with the default ghost-cli generated command I get the same error as before.
If I run it with a simple ‘sudo’ in front, acme.sh warns me that this script should not be run with sudo.

I would really appreciate some help, thanks!

Check this

Update: I tried to run the command (update acme) from the thread @mskian recommended, but the problem is still happening (although Let’s Encrypt rate-limited me for another week for too many invalid tries).

Also, I tried to configure nginx manually and I could access a file I created in .well-known/acme-challenge via a simple HTTP request to the domain without problems.
I watched the file creation in the same directory, and the acme confirmation file is being created when executing ghost setup ssl.
I added a CAA entry in my domain too.

I would be really grateful if someone could help me in this situation. :frowning:

I managed to resolve this problem by setting up my SSL certificate manually with nginx and letsencrypt-auto (certbot/certbot on GitHub: EFF’s tool to obtain certs from Let’s Encrypt and optionally auto-enable HTTPS on your server).

The command I used after cloning the letsencrypt repo in /opt/:
/opt/letsencrypt$ ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 --email youremail@here.com -d yourdomainhere.com -d www.yourdomainhere.com

I did this while running in a terminal with GNU screen so I could manually create the files required by certbot.
Also, I had a properly configured nginx, with listen 443 ssl; in the config file.

By the way, I want to thank everyone that answered this post.

See ya! :slight_smile:

Having probably the same issue, error is:

Verify error:Invalid response from https://domain.com/.well-known/acme-challenge/...

I updated letsencrypt, and now I get a different error:

Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error creating new order",
  "status": 500
}

I’ve set up the nginx config file manually and it passed this step (and allowed me to set up the blog), but I still got an error, this time:

Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#'  openssl dhparam -out /etc/nginx/snippets/dhparam.pem 2048
Can't open /etc/nginx/snippets/dhparam.pem for writing, No such file or directory

Solved the above by creating the /etc/nginx/snippets/ folder and now it all worked out.
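As an added example (not code from Ghost, Ghost-CLI or acme.sh), a small POSIX shell pre-flight script that checks locally the three things this thread tripped over before acme.sh is asked to issue: that the acme.sh --home directory and the files it writes are writable by the user running the command, that a token dropped in the nginx webroot’s .well-known/acme-challenge is really served over plain HTTP, and that /etc/nginx/snippets exists for openssl dhparam. Function names and the default paths are assumptions taken from the commands quoted in the thread; checking first matters because every failed HTTP-01 validation at the CA counts against the Let’s Encrypt rate limits that locked the domain out for a week.

```shell
#!/bin/sh
# Added pre-flight check for the HTTP-01 webroot validation that `ghost setup ssl`
# hands to acme.sh (hypothetical helper, not part of Ghost-CLI or acme.sh).
# Catch local misconfiguration here instead of at the CA, where every failed
# validation counts against the Let's Encrypt rate limits hit in this thread.
ACME_HOME="${ACME_HOME:-/etc/letsencrypt}"   # the --home used in the thread

# 0 if the files acme.sh writes under --home are writable by the current user.
# The "Permission denied" lines in the thread are this check failing for ghost-mgr.
check_acme_home() {
  home="$1"
  [ -d "$home" ] && [ -w "$home" ] || return 1
  for f in account.conf acme.sh.log http.header; do
    [ ! -e "$home/$f" ] || [ -w "$home/$f" ] || return 1
  done
}

# Drop a random token in <webroot>/.well-known/acme-challenge and print its name,
# mirroring what acme.sh does during --issue --webroot.
place_test_token() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token="precheck-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s' "$token" > "$dir/$token" || return 1
  printf '%s\n' "$token"
}

# Fetch the token the way the CA does (plain http://, redirects followed) and
# compare the body with what was placed. $1 = domain, $2 = token.
token_served_ok() {
  body="$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2")" || return 1
  [ "$body" = "$2" ]
}

# openssl dhparam -out /etc/nginx/snippets/dhparam.pem fails if the dir is missing.
check_snippets_dir() { [ -d "${1:-/etc/nginx/snippets}" ]; }

precheck() {
  domain="$1"; webroot="${2:-/var/www/ghost/system/nginx-root}"
  check_acme_home "$ACME_HOME" || { echo "$ACME_HOME is not writable by $(id -un)"; return 1; }
  check_snippets_dir || { echo "/etc/nginx/snippets is missing; create it first"; return 1; }
  token="$(place_test_token "$webroot")" || { echo "cannot write under $webroot"; return 1; }
  if token_served_ok "$domain" "$token"; then echo "HTTP-01 path OK, safe to run --issue"; rc=0
  else echo "http://$domain/.well-known/acme-challenge/ does not serve $webroot"; rc=1; fi
  rm -f "$webroot/.well-known/acme-challenge/$token"
  return $rc
}

[ $# -eq 0 ] || precheck "$@"   # usage: sh precheck.sh mydomain.com.br [nginx-root]
```

Run it as the same user that will run ghost setup ssl (ghost-mgr on the DigitalOcean image); if the first check fails, the Permission denied lines above are what acme.sh will print again.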