Site not Secured and Critical Security Update persisting

Hi everyone,

I updated Ghost to the latest version, but when I access my URL in the browser, “https://ryan-fernando.com”, it says that the site is not secure.

Plus, when I access https://ryan-fernando.com/ghost there’s a huge banner that I can’t get rid of, even after updating multiple times: “Critical security update available — please update Ghost as soon as possible. Details here.”

Please help, I think that might be the reason why my site is deemed not secure.

The reason you (and I) see the warning is that the site isn’t configured correctly for https, and the installed certificate is invalid.

How did you set up https? You don’t appear to have used the Ghost options that set up nginx and install LetsEncrypt certificates. The certificate comes from zerossl.com.

You should be able to sort this by running ghost setup ssl. If you wish to use an alternative certificate you’ll need to get an up-to-date certificate and manually configure nginx.

Thanks for your reply @mjw !

I set up https as indicated in the documentation.

I did run the “ghost setup ssl” command and I get the following:

SSL has already been set up, skipping

ℹ️ Setting up SSL [skipped]

Any more ideas please? I tried everything

Okay, I now understand that Ghost uses ZeroSSL not LetsEncrypt (I use neither and wasn’t aware of this change), so the certificate should be fine, except for the fact that it hasn’t auto-renewed.

Subject
Common Name (CN)	ryan-fernando.com
Organisation (O)	<Not Part Of Certificate>
Organisational Unit (OU)	<Not Part Of Certificate>

Issuer
Common Name (CN)	ZeroSSL RSA Domain Secure Site CA
Organisation (O)	ZeroSSL
Organisational Unit (OU)	<Not Part Of Certificate>

Validity
Issued On	Saturday, 23 October 2021 at 01:00:00
Expires On	Friday, 21 January 2022 at 23:59:59

Can you run…

sudo crontab -u root -l

…and share the output. I’m uncertain if certbot works with ZeroSSL, but you should be able to renew the certificate with acme.sh -f -r -d ryan-fernando.com (acme.sh takes the bare domain name, not a URL).

Your nginx config could be improved, too, since http requests do not redirect to https.
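As an added illustration of the redirect point above (this is example configuration written for this thread, not the config Ghost CLI generates), here is a plain-http server block that serves the site unencrypted next to one that redirects to https while still answering the HTTP-01 challenge path that acme.sh needs over port 80. The upstream port 2368 and the webroot /var/www/ghost/system/nginx-root are assumptions; use whatever your installed config already has.

```nginx
# Weak: the port-80 server proxies straight to Ghost, so
# http://ryan-fernando.com serves the whole site in clear text and never
# sends the browser to https.
server {
    listen 80;
    listen [::]:80;
    server_name ryan-fernando.com;

    location / {
        proxy_pass http://127.0.0.1:2368;   # assumed Ghost upstream
    }
}

# Corrected: every plain-http request gets a 301 to https, except the
# ACME challenge path, which must stay reachable over plain HTTP or the
# certificate can no longer be renewed.
server {
    listen 80;
    listen [::]:80;
    server_name ryan-fernando.com www.ryan-fernando.com;

    # Assumed webroot: the directory acme.sh drops challenge tokens into.
    root /var/www/ghost/system/nginx-root;

    # ^~ makes this prefix win over the regex/prefix rules below, so the
    # challenge is served from disk and never redirected.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

After editing, run sudo nginx -t before sudo systemctl reload nginx, then confirm with curl -I http://ryan-fernando.com/ that the response is a 301 with a https Location header, and that curl -I http://ryan-fernando.com/.well-known/acme-challenge/anything does not redirect (a 404 from disk is fine; a 301 is not).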

Hey, thanks for the reply!

I ran the command and this is the output:

30 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null

Okay, that looks fine. I’m not certain why the certificate hasn’t updated, but you can try the following from your Ghost directory.

ghost setup ssl-renew
sudo su
"/etc/letsencrypt"/acme.sh --upgrade --home "/etc/letsencrypt"
"/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" --debug --log

This will update your certificate using Ghost cli, upgrade acme.sh, and finally, run the cron job to renew certificates.

When running the last command, I got this :

[Sun Feb 20 22:28:20 UTC 2022] Return code: 1

[Sun Feb 20 22:28:20 UTC 2022] **Error renew www.ryan-fernando.com.**

[Sun Feb 20 22:28:20 UTC 2022] _error_level='1'

[Sun Feb 20 22:28:20 UTC 2022] _set_level='2'

[Sun Feb 20 22:28:20 UTC 2022] The NOTIFY_HOOK is empty, just return.

[Sun Feb 20 22:28:20 UTC 2022] **===End cron===**

You are using the naked domain, and www is not configured, or unreachable. This is why the certificate hasn’t renewed.
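To make the diagnosis above repeatable, here is an added shell helper written for this thread (it is not part of acme.sh or Ghost CLI). It does two things: pull the failing name(s) out of acme.sh --cron --debug output, and run a preflight over every name on the certificate to see which one does not resolve or cannot be reached on port 80 for the HTTP-01 challenge path. acme.sh renews all names in one order, so one unreachable name (here www) fails the whole renewal and the valid name expires with it. The sample log is constructed from the lines quoted in the thread; getent and curl are assumed to be installed, as on a typical Ubuntu Ghost host.

```sh
#!/bin/sh
# Added example for this thread, not acme.sh's or Ghost CLI's own code.

# 1. Extract the name(s) acme.sh could not renew from its cron/debug output.
#    acme.sh logs one "Error renew <domain>." line per failed order.
#    $1 is a file holding the log text; pass /dev/stdin to pipe into it.
acme_failed_domains() {
    sed -n 's/\*//g; s/.*Error renew \(.*\)\.$/\1/p' "$1" | sort -u
}

# 2. Preflight every name that is (or will be) on the certificate.
#    HTTP-01 validation is always performed over plain HTTP, so each name must
#    resolve and answer on port 80; a redirect to https is fine as long as the
#    connection itself succeeds (curl reports 000 when it cannot connect).
#    Prints "name STATUS" per name and returns non-zero if any name failed.
san_preflight() {
    rc=0
    for name in "$@"; do
        if ! getent hosts "$name" >/dev/null 2>&1; then
            echo "$name NXDOMAIN"
            rc=1
            continue
        fi
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
            "http://$name/.well-known/acme-challenge/preflight-probe")
        case "$code" in
            000) echo "$name UNREACHABLE"; rc=1 ;;
            *)   echo "$name HTTP $code" ;;
        esac
    done
    return $rc
}

# Constructed sample of the cron output quoted in the thread (not a capture).
SAMPLE_LOG=$(cat <<'EOF'
[Sun Feb 20 22:28:20 UTC 2022] Return code: 1
[Sun Feb 20 22:28:20 UTC 2022] Error renew www.ryan-fernando.com.
[Sun Feb 20 22:28:20 UTC 2022] _error_level='1'
[Sun Feb 20 22:28:20 UTC 2022] The NOTIFY_HOOK is empty, just return.
[Sun Feb 20 22:28:20 UTC 2022] ===End cron===
EOF
)

# Which name blocked the renewal?
echo "$SAMPLE_LOG" | acme_failed_domains /dev/stdin

# Live check of both names on the certificate (needs network; run as-is on
# the host). The name reported NXDOMAIN or UNREACHABLE is the one to fix in
# DNS/nginx, or to drop from the certificate before renewing.
# san_preflight ryan-fernando.com www.ryan-fernando.com
```

On the host, the usual flow is: run the cron command with --debug as above, feed its output through acme_failed_domains to get the offending name, then san_preflight every name to confirm whether it is a DNS problem (NXDOMAIN) or a server-side one (UNREACHABLE, or a status other than 200/404 on the challenge path).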

Sorry, I’m a total noob.

So how can I resolve that?