SSL did not auto-renew and it's saying Domain not pointing to correct IP

My domain is: https://blog.sellerssuite.com

Issue:
My SSL auto-renew didn’t work. So I attempted to manually renew the SSL. However, I kept getting this error. So I figured there was something wrong with the setup. I did a fresh instance and I’m still getting this error.

I’m using Route53 and I’m sure the correct IP address is showing and the DNS has propagated - you can see here https://dnschecker.org/#A/blog.sellerssuite.com

It produced this output:
Your domain name is not pointing to the correct IP address of your server, check your DNS has propagated and run ghost setup ssl again

My web server is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Has anyone experienced this issue? Any idea how to solve it?

Can you please provide the full output from ghost-cli, including any debug logs?

Full Output:
? Enter your email (For SSL Certificate) [email]

  • sudo /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain blog.sellerssuite.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail [email]
    ✖ Setting up SSL
    One or more errors occurred.
  1. SystemError

Message: Your domain name is not pointing to the correct IP address of your server, check your DNS has propagated and run ghost setup ssl again

Debug Information:
OS: Ubuntu, v18.04
Node Version: v10.16.3
Ghost-CLI Version: 1.11.0
Environment: production
Command: 'ghost setup ssl'

This is the only log that I’m seeing:

  • sudo systemctl is-active ghost_blog-sellerssuite-com

Sorry for the trouble. It was a security group setting. I wasn’t allowing access to port 80. I guess it needed that to renew the SSL cert.

Certbot (aka Let's Encrypt) uses HTTP, port 80, for renewals. The acme.sh that Ghost ships for SSL certificates is an old, customised version, but I expect it has the same restriction.

You have to be a bit careful to keep HTTP access to the .well-known folder available.

The Certbot force-to-SSL configuration for nginx is a poor implementation, as it uses an "if" statement; nginx "if" statements should be avoided wherever possible.
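To make the last two points concrete, here is an added example of an nginx layout that keeps the ACME HTTP-01 challenge path reachable over plain port 80 while redirecting everything else to HTTPS without an "if" block. This is not the config Ghost-CLI or Certbot generates; the domain and webroot are taken from the acme.sh command above, while the certificate paths and the Ghost upstream port (2368, Ghost's default) are assumptions.

```nginx
# Added example, not from the thread. Assumed: domain and webroot from the
# acme.sh command in the thread; cert paths and upstream port are guesses.

server {
    listen 80;
    listen [::]:80;
    server_name blog.sellerssuite.com;

    # acme.sh/certbot write the challenge token into the webroot and the CA
    # fetches http://blog.sellerssuite.com/.well-known/acme-challenge/<token>.
    # This location must answer on port 80 and must never be redirected,
    # so it is matched first with ^~ and served straight from disk.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/ghost/system/nginx-root;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else: a plain return, which is what nginx recommends
    # instead of "if ($scheme != https) { ... }".
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blog.sellerssuite.com;

    # Assumed paths: acme.sh with --home /etc/letsencrypt keeps per-domain
    # files under /etc/letsencrypt/<domain>/.
    ssl_certificate     /etc/letsencrypt/blog.sellerssuite.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/blog.sellerssuite.com/blog.sellerssuite.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Proxy to Ghost (assumed default port 2368) and tell it the request
    # was HTTPS so it does not generate http:// links or redirect loops.
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:2368;
    }
}
```

Two things to check before running ghost setup ssl again: the security group (or any host firewall) must allow inbound TCP 80 from anywhere, because the CA's validation servers are not a fixed address list; and a test file dropped into /var/www/ghost/system/nginx-root/.well-known/acme-challenge/ should be fetchable with curl over plain HTTP from outside the instance, returning 200 rather than a 301 to HTTPS.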