SSL Invalid Response with Setup

I’ve seen a few posts on this, but none of them seem to fix the issue that I’m having running ghost setup ssl. I suspect this is because I tried to set up SSL during the initial Ghost install, but my domain was still propagating, so it didn’t install properly. Now when I try to run it, I get Invalid response from http://admin.mydomain.com/.well-known/acme-challenge

Perhaps there is/needs to be a way to do ghost delete ssl and start over? Or is there another approach besides trying to upgrade letsencrypt/acme.sh? That didn’t work for me.

$ ghost setup ssl
? Enter your email (For SSL Certificate) stuart@myemail.com
+ sudo /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com
✖ Setting up SSL
One or more errors occurred.

1) ProcessError

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#'  /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com
[Thu Apr 16 18:26:25 UTC 2020] admin.mydomain.com:Verify error:Invalid response from http://admin.mydomain.com/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [18.218.36.148]:
[Thu Apr 16 18:26:25 UTC 2020] Please add '--debug' or '--log' to check more details.
[Thu Apr 16 18:26:25 UTC 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

If SSL isn’t set up, there’s nothing to delete. Based on the output from the logs, it looks like your domain still isn’t set up.

Ok. I was confused as to why there’s a /etc/letsencrypt/admin.mydomain.com directory. But if it’s not setup at all, then what could be the source of the error? I haven’t done anything strange. I followed the Ubuntu install docs.

Should there be a directory under /var/www/ghost like .well-known/acme-challenge/? Or how does that get resolved? When I put the full path into a browser I get a 404.

acme.sh internally handles all of this. Ghost provides the webroot (it’s in system/files iirc) to the script and the script handles creating and removing any files. The script is installed in /etc/letsencrypt

Thanks, @vikaspotluri123 I appreciate your help.

Something must serve up the file http://mydomain.com/.well-known/acme-challenge/. The only reference I can find anywhere to “well-known” is in system/files/mydomain.conf

location ~ /.well-known {
   allow all;
}

Ghost doesn’t create system/files/.well-known even on a fresh ghost install following the Ubuntu instructions.

So either ghost or acme.sh is responsible for creating this, but I don’t know which and I don’t know how to resolve it. I can’t find any references to it in the github code.

Any ideas?

That’s correct, acme.sh does. You can try running the command manually

sudo /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain admin.mydomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail stuart@myemail.com

Yes @vikaspotluri123, this is precisely the command that does not work, because it is looking for:

Verify error:Invalid response from http://admin.mydomain.com/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Which if you put it in a browser gives a 404

acme.sh creates this file when LE asks for it, and regardless of the result deletes it

@vikaspotluri123 Turns out it was an issue with ghost.

In ghost/system/files/mydomain.com.conf I noticed this peculiar line:

server {
    listen 80;
    listen [::]:80;

    server_name admin.tusklegacy.com;
    root /var/www/ghost #system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

So I uncommented it and turned it into:

server {
    listen 80;
    listen [::]:80;

    server_name admin.tusklegacy.com;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

And it worked!

I believe either the script should change to automatically do this OR it should be written in the documentation. If it is, I can’t seem to find it.
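The failure in this thread comes down to one thing: the `root` of the port-80 server block must be the same directory acme.sh is told to use as `--webroot`, otherwise the token acme.sh drops into `.well-known/acme-challenge/` is never served and Let's Encrypt reports "Invalid response". The pre-flight script below is an added example, not code from Ghost-CLI or acme.sh. It reads the effective `root` directive out of an nginx config (comments stripped, so the broken `root /var/www/ghost #system/nginx-root;` line resolves to `/var/www/ghost` and is flagged as unterminated), compares it with the webroot, and then simulates the HTTP-01 probe by writing a random token under the webroot, fetching it over plain HTTP and deleting it again, which is what acme.sh does during `--issue`. The config path, webroot and domain on the command line are assumptions for the example; it needs write access to the webroot and `curl`, `sed` and `awk` on the host.

```shell
#!/bin/sh
# Added example, not part of Ghost-CLI or acme.sh: pre-flight checks for the
# HTTP-01 challenge path that `ghost setup ssl` relies on.
#
# Assumptions: the nginx config path, the acme.sh webroot
# (/var/www/ghost/system/nginx-root on a Ghost install) and the domain are
# passed as arguments; curl, sed and awk are installed.

# Effective value of the first `root` directive in an nginx config, with
# comments removed first. For the thread's broken line
#   root /var/www/ghost #system/nginx-root; # ...
# this prints "/var/www/ghost", which is what nginx would try to serve from.
nginx_root() {
  sed -e 's/#.*$//' "$1" | awk '$1 == "root" { sub(/;$/, "", $2); print $2; exit }'
}

# Returns 0 if that directive is terminated with ';' on its own line,
# 1 otherwise (in the broken config the comment swallows the semicolon).
root_directive_terminated() {
  line=$(sed -e 's/#.*$//' "$1" | awk '$1 == "root" { print; exit }')
  case "$line" in
    *';'*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Simulate what the CA does: write a token under
# <webroot>/.well-known/acme-challenge/, fetch it over plain HTTP on port 80,
# and remove it again regardless of the outcome, as acme.sh does.
probe_challenge() {
  webroot=$1; domain=$2
  dir="$webroot/.well-known/acme-challenge"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$dir" || return 1
  printf 'probe-%s' "$token" > "$dir/$token" || return 1
  got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$got" = "probe-$token" ]
}

main() {
  conf=$1; webroot=$2; domain=$3
  root=$(nginx_root "$conf")
  echo "nginx root: ${root:-<none>}"
  root_directive_terminated "$conf" || \
    echo "WARN: root directive is not terminated with ';' (comment on the same line?)"
  [ "$root" = "$webroot" ] || \
    echo "WARN: nginx root '$root' differs from acme.sh webroot '$webroot'"
  [ -d "$webroot" ] || echo "WARN: webroot '$webroot' does not exist"
  if probe_challenge "$webroot" "$domain"; then
    echo "OK: http://$domain/.well-known/acme-challenge/ is served from $webroot"
  else
    echo "FAIL: challenge file not reachable; acme.sh --issue will report 'Invalid response'"
    return 1
  fi
}

# usage: sudo sh acme-preflight.sh /var/www/ghost/system/files/mydomain.com.conf \
#            /var/www/ghost/system/nginx-root admin.mydomain.com
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it before `ghost setup ssl` (or before re-running acme.sh by hand). If the probe fails while the root directive checks pass, the problem is outside nginx: DNS not yet resolving to this host, port 80 blocked, or a redirect to HTTPS on the challenge path.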

That’s really weird! You can see the template that the CLI uses to generate config files here:

Moreover, nginx should have complained about the config file since root /var/www/ghost #... isn’t valid syntax :confused:

Whatever the case, I’m glad you got it working :tada:

Isn’t the command

ghost setup nginx ssl

Next time I’ll try that. The docs I was following had ghost setup ssl. But I got it working anyway.