Since I spent some time figuring out what’s going on (and was in the middle of asking for help here), I’m posting here a problem and the solution I found.
Basically I was unable to get an SSL connection working to my ghost instance (tried with different versions of ghost). What was really strange, HTTPS was working on Safari, instead on Chrome I had ERR_SSL_PROTOCOL_ERROR and on Firefox SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET.
I have a server on Digital Ocean with Ubuntu and nginx, with some sites on it (not just the ghost instance). Before using ghost-cli I had secured my site following an online guide that make use of letsencrypt and certbot.
After configuring ghost with the ghost-cli I had the problem mentioned before (HTTPS working only on Safari and not with Chrome and Firefox). Incognito mode was serving me the HTTP version of the site.
After a lot of research (since I’m not so confident with SSL) I stumble on this thread that explain
ssl_session_tokens off breaks if it’s not set the same for all ssl-enabled server{} blocks. So if you have 2 server configurations and and you have ssl_server_tokens set to on in one (which is the default so it counts even if you omit it) and set to off in another, it will break the one where it’s set to off in certain browsers. The easiest way to resolve this, unless you have multiple http{} blocks, is to just set it to off in the http{} block. I have not tested to see if you you can have different settings in different http{} blocks as I haven’t had need to set up more than one http{} block.
So that was the problem!!
In my nginx configuration I had one block managed by Certbot for one site with
include /etc/letsencrypt/options-ssl-nginx.conf;
instead the ghost-cli created block for the ghost instance was
include /etc/nginx/snippets/ssl-params.conf;
Basically I was using 2 different ssl configurations. What magically solved my problem was point also the other nginx configuration to the same .conf file (/etc/nginx/snippets/ssl-params.conf;). Now Chrome, Firefox and Safari are working with HTTPS.