SSL Invalid Response with Setup

I’ve seen a few posts on this, but none of them seem to fix the issue I’m having running ghost setup ssl. I suspect this is because I tried to set up SSL during the initial ghost install, however my domain was still propagating so it didn’t install properly, so now when I try to run it, I get Invalid response from http://admin.mydomain.com/.well-known/acme-challenge

Perhaps there is/needs to be a way to do ghost delete ssl and start over? Or is there another approach besides trying to upgrade letsencrypt/acme.sh? That didn’t work for me.

$ ghost setup ssl
? Enter your email (For SSL Certificate) stuart@myemail.com
+ sudo /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com
✖ Setting up SSL
One or more errors occurred.

1) ProcessError

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#'  /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com
[Thu Apr 16 18:26:25 UTC 2020] admin.mydomain.com:Verify error:Invalid response from http://admin.mydomain.com/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [18.218.36.148]:
[Thu Apr 16 18:26:25 UTC 2020] Please add '--debug' or '--log' to check more details.
[Thu Apr 16 18:26:25 UTC 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

If SSL isn’t set up, there’s nothing to delete. Based on the output from the logs, it looks like your domain still isn’t set up.

Ok. I was confused as to why there’s a /etc/letsencrypt/admin.mydomain.com directory. But if it’s not set up at all, then what could be the source of the error? I haven’t done anything strange. I followed the Ubuntu install docs.

Should there be a directory under /var/www/ghost like .well-known/acme-challenge/? Or how does that get resolved? When I put the full path into a browser I get a 404.

acme.sh internally handles all of this. Ghost provides the webroot (it’s in system/files iirc) to the script and the script handles creating and removing any files. The script is installed in /etc/letsencrypt

Thanks, @vikaspotluri123 I appreciate your help.

Something must serve up the file http://mydomain.com/.well-known/acme-challenge/. The only reference I can find anywhere to “well-known” is in system/files/mydomain.conf

location ~ /.well-known {
   allow all;
}

Ghost doesn’t create system/files/.well-known even on a fresh ghost install following the Ubuntu instructions.

So either ghost or acme.sh is responsible for creating this, but I don’t know which and I don’t know how to resolve it. I can’t find any references to it in the github code.

Any ideas?

That’s correct, acme.sh does. You can try running the command manually:

/bin/sh -c sudo -S /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com

Yes @vikaspotluri123, this is precisely the command that does not work, because it is looking for:

Verify error:Invalid response from http://admin.mydomain.com/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Which, if you put it in a browser, gives a 404.

acme.sh creates this file when LE asks for it, and regardless of the result deletes it.

@vikaspotluri123 Turns out it was an issue with ghost.

In ghost/system/files/mydomain.com.conf I noticed this peculiar line:

server {
    listen 80;
    listen [::]:80;

    server_name admin.tusklegacy.com;
    root /var/www/ghost #system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

So I uncommented it and turned it into:

server {
    listen 80;
    listen [::]:80;

    server_name admin.tusklegacy.com;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

And it worked!

I believe either the script should change to automatically do this OR it should be written in the documentation. If it is, I can’t seem to find it.
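As an added check (not code from the thread or from Ghost-CLI), this script reproduces the misconfiguration above as a constructed nginx fragment and shows how a `#` placed inside the `root` directive changes the path nginx would use for the HTTP-01 challenge file; the domain and token are placeholders, and on a real host `nginx -t` remains the authoritative syntax check.

```python
"""Pre-flight check of the nginx webroot that acme.sh's HTTP-01 webroot challenge relies on."""
import re
from pathlib import Path

# Constructed configs mirroring the two variants quoted in the thread (domain is a placeholder).
BROKEN_CONF = """
server {
    listen 80;
    listen [::]:80;

    server_name admin.example.com;
    root /var/www/ghost #system/nginx-root; # Used for acme.sh SSL verification
    location ~ /.well-known {
        allow all;
    }
}
"""
FIXED_CONF = BROKEN_CONF.replace("root /var/www/ghost #system/nginx-root;",
                                 "root /var/www/ghost/system/nginx-root;")


def root_directive(conf_text):
    """Return (root_path, terminated) for the first `root` directive.
    nginx treats `#` as a comment to end of line, so in the broken config the
    value ends at `/var/www/ghost` and the `;` is swallowed (terminated=False)."""
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("root "):
            value = stripped[len("root "):].strip()
            return value.rstrip(";").strip(), value.endswith(";")
    return None, False


def has_well_known_location(conf_text):
    """True if a location block covering /.well-known exists (Ghost's template adds one)."""
    return re.search(r"location\s+~?\s*/\.well-known", conf_text) is not None


def preflight(conf_text, token="constructed-token"):
    """Summarise where nginx would look for the challenge file and what is wrong."""
    root, terminated = root_directive(conf_text)
    problems = []
    if root is None:
        problems.append("no root directive found")
    elif not terminated:
        problems.append("root directive is cut off by a '#' comment before its ';'")
    if not has_well_known_location(conf_text):
        problems.append("no location block for /.well-known")
    challenge = str(Path(root) / ".well-known" / "acme-challenge" / token) if root else None
    return {"root": root, "problems": problems, "challenge_file": challenge}
```

Compare the `challenge_file` value with the `--webroot` path acme.sh is given; they must agree or the CA's fetch returns the 404 seen in the thread.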

That’s really weird! You can see the template that the CLI uses to generate config files here:

Moreover, nginx should have complained about the config file since root /var/www/ghost #... isn’t valid syntax :confused:

Whatever the case, I’m glad you got it working :tada:

Isn’t the command

ghost setup nginx ssl

Next time I’ll try that. The docs I was following had ghost setup ssl. But I got it working anyway.

During the execution of ghost install, Setting up SSL failed, and the error is as follows:

1) ProcessError

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --server letsencrypt --domain ifree.love --webroot /var/www/ifree.love/system/nginx-root --reloadcmd "nginx -s reload" --accountemail xxx@example.com
[Wed 22 Mar 2023 11:03:53 AM CST] iffree.love:Verify error:182.160.6.95: Invalid response from http://ifree.love/.well-known/acme-challenge/KbiMB863ztprY40D9uAOM1aC6IB_gNl3-kYWU2Lp40Q:
[Wed 22 Mar 2023 11:03:53 AM CST] Please add '--debug' or '--log' to check more details.
[Wed 22 Mar 2023 11:03:53 AM CST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

[Wed 22 Mar 2023 11:03:47 AM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Mar 2023 11:03:47 AM CST] Create account key ok.
[Wed 22 Mar 2023 11:03:47 AM CST] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed 22 Mar 2023 11:03:48 AM CST] Registered
[Wed 22 Mar 2023 11:03:48 AM CST] ACCOUNT_THUMBPRINT='FyfQubkq7KUn3fHsqooZmhKctgFpFtXJsIyJzkT8gtU'
[Wed 22 Mar 2023 11:03:48 AM CST] Creating domain key
[Wed 22 Mar 2023 11:03:48 AM CST] The domain key is here: /etc/letsencrypt/ifree.love/ifree.love.key
[Wed 22 Mar 2023 11:03:48 AM CST] Single domain='ifree.love'
[Wed 22 Mar 2023 11:03:49 AM CST] Getting domain auth token for each domain
[Wed 22 Mar 2023 11:03:50 AM CST] Getting webroot for domain='ifree.love'
[Wed 22 Mar 2023 11:03:50 AM CST] Verifying: iffree.love
[Wed 22 Mar 2023 11:03:50 AM CST] Pending, The CA is processing your order, please just wait. (1/30)

Exit code: 1

How should I solve it?

I have executed acme-related commands before; is that related?

sudo curl https://get.acme.sh | sh -s email=xxx@example.com

acme.sh --register-account --server zerossl \
         --eab-kid xALY5uL-qU5cS7RwfA_QEA \
         --eab-hmac-key KetWJRV42GUfCznQWDci9_rddZbAXLYNESlK0RcfjJ4c6FaQVx7BRaD_kjwwq0BnYK2JrduCW6tCljwvSxRpeQ

Where is ghost/system/files/mydomain.com.conf? I did not find it.