Problem setting up ssl

Ghost-CLI version: 1.12.0
Ghost version: 2.30.2 (at /var/www/ghost)
My domain is already configured

When I try to ghost setup ssl in website’s root directory I get this output:

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#'  /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain myactualdomainhere.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail xxxxxx@xxxxxx.com

Is ‘#node-sudo-passwd#’ supposed to be my password? Is there any way I can fill this value without setting it directly in the source code?

Thank you very much!

Hi @Michel_Calheiros - have you tried running ghost doctor?

Also, have you authenticated as your sudo user? For example, by running sudo apt update and then running the ghost commands?

No, Ghost will ask you for your sudo password and proxy it to the sudo command. It’s used as a placeholder.

If ghost doctor is all green, you might try running the command manually to see what the issue is. The CLI usually handles most errors so it’d be interesting to see what fails here


Important detail: I’m using the ghost image from DigitalOcean one click deploy and I’m using the ghost-mgr auto created user to run the commands.

ghost doctor output:

✔ Checking system Node.js version
✔ Checking logged in user
✔ Ensuring user is not logged in as ghost user
✔ Checking if logged in user is directory owner
✔ Checking current folder permissions
✔ Checking operating system compatibility
✔ Checking for a MySQL installation
+ sudo systemctl is-active ghost_000-000-000-000
Instance is currently running
ℹ Validating config [skipped]
✔ Checking folder permissions
✔ Checking file permissions
✔ Checking content folder ownership
✔ Checking memory availability

ghost_000-000-000-000 = ghost_ + my server ip address


/bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain myactualdomainhere.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail xxxxxx@xxxxxx.com
Running the command manually gives me the following output without asking me for the password
(I’m not running this actual command, instead I’m running one with my real email and domain)

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Which makes me think there’s a malformed command?
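
Why the line pasted from the error message prints sudo's usage text, as an added example that is not part of the original posts: `sh -c` takes only the next word as its command string, so everything after `sudo` becomes positional parameters of a one-word script. Here `echo` is a constructed stand-in for sudo and `/path/to/acme.sh` is a placeholder.

```shell
#!/bin/sh
# echo stands in for sudo here (constructed): it prints whatever arguments
# it receives, so an empty line means the command ran with no arguments,
# the case in which real sudo prints its usage text.

# Shape of the line as pasted from the error message. sh -c takes only the
# NEXT word as the command string; "-S", "-p", ... become $0, $1, ... of
# that one-word script and never reach the command.
run_as_pasted() {
    sh -c echo -S -p '#node-sudo-passwd#' /path/to/acme.sh --issue
}

# The same words passed as ONE command string: now the shell parses the
# whole line and the command receives every argument.
run_as_one_string() {
    sh -c "echo -S -p '#node-sudo-passwd#' /path/to/acme.sh --issue"
}

# What the one-word script sees as its positional parameters.
show_positionals() {
    sh -c 'echo "0=$0 1=$1 2=$2"' -S -p '#node-sudo-passwd#'
}

echo "pasted:      [$(run_as_pasted)]"
echo "one string:  [$(run_as_one_string)]"
echo "positionals: [$(show_positionals)]"
```

To reproduce the call by hand, wrap everything after `-c` in one pair of quotes, or drop the `/bin/sh -c` prefix and start the line at `sudo`.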

Can you try running just this part?

I’ve been trying to set up this SSL and discovered that there’s a problem with the default setup.
After following this exact setup in a brand new DigitalOcean Ubuntu VM, that’s what ghost-cli outputs in the SSL step:

--------------- stderr ---------------
[Sun Nov 10 19:04:14 UTC 2019] mydomain.com.br:Verify error:Invalid response from http://mydomain.com.br/.well-known/acme-challenge/bqZl_wF8sE8a7H9wq_iiPptOVUUFpKRmLKgyerpgzdU [2804:10:4062::198:124]: 
[Sun Nov 10 19:04:14 UTC 2019] Please add '--debug' or '--log' to check more details.
[Sun Nov 10 19:04:14 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

I think the big problem here is about Let’s Encrypt certificate rate limits because I ran the command consecutive times and every time it failed to validate the certificate, blocking my domain from emitting certificates for a week.

Btw, this is what acme.sh logs after putting --logs in the command line

/etc/letsencrypt/acme.sh: line 2039: /etc/letsencrypt/account.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/account.conf: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
touch: cannot touch '/etc/letsencrypt/http.header': Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2032: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 2071: /etc/letsencrypt/mydomain.com.br/mydomain.com.br.conf: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 3344: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
[Sun Nov 10 19:17:50 UTC 2019] Only RSA or EC key is supported. keyfile=/etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key
cat: /etc/letsencrypt/ca/acme-v02.api.letsencrypt.org/account.key: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
/etc/letsencrypt/acme.sh: line 234: /etc/letsencrypt/acme.sh.log: Permission denied
[Sun Nov 10 19:17:50 UTC 2019] Please check log file for more details: /etc/letsencrypt/acme.sh.log

I guess this happens because I’m running the command like that:

/etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain mydomain.com.br --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail myemail@gmail.com --log

But if I run it with the default ghost-cli generated command I get the same error as before.
If I run it with a simple ‘sudo’ before, acme.sh warns me that this script should not be run with sudo.

I would really appreciate some help, thanks!
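
A pre-issuance check for the HTTP-01 failure and the rate-limit concern in the post above, as an added example that is not part of the original posts: it writes a probe file under the webroot's `.well-known/acme-challenge/` and fetches it back over IPv4 and IPv6 (the Verify error reports the CA connecting to an IPv6 address). The function names, the probe token and the use of curl are assumptions of this example.

```shell
#!/bin/sh
# fetch FAMILY URL: FAMILY is curl's -4 or -6 switch (curl is an assumption).
fetch() { curl -fsS --max-time 10 "$1" "$2"; }

# preflight WEBROOT DOMAIN [FAMILIES]
# Writes a probe file where the webroot challenge files go and fetches it
# back through the public name, once per address family.
# Returns 0 if every family served the probe, 1 if any did not,
# 2 if the probe could not be written at all.
preflight() {
    webroot=$1 domain=$2 families=${3:-"-4 -6"}
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"          # constructed probe name, not an ACME token
    { mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"; } 2>/dev/null || {
        echo "cannot write to $dir"
        return 2
    }
    rc=0
    for fam in $families; do
        url="http://$domain/.well-known/acme-challenge/$token"
        body=$(fetch "$fam" "$url" 2>/dev/null) || body=
        if [ "$body" = "$token" ]; then
            echo "ok   $fam"
        else
            # This family reaches a different host or vhost, or nothing.
            echo "FAIL $fam"
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}

# Usage with the webroot from this thread (the domain is a placeholder):
#   preflight /var/www/ghost/system/nginx-root mydomain.com.br
```

Pass `-4` as the third argument when the domain publishes no AAAA record. acme.sh's `--staging` flag runs the same issuance against Let's Encrypt's staging environment, whose limits are separate from production.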

Check this

I don’t need to renew my certificate. I can’t even issue the certificate, as the verification is always failing.
Not sure what to do about it anymore. Tried to follow the official Ghost+nginx documentation more than 5 times with new VMs, configured my domain correctly and still can’t make it work.