SSL not on www after creating ghost installation in direct url (with no www what ever that is called)

FIRST: Ghost is awesome. I want to fix this and carry on with Ghost.
Apologies about a vague request ealrier, i have added details of the relevant files now.
@MrEngineer13 and whom ever else saw it and shrugged their shoulders. sorry about that earlier structure of the post. I hope below is better now.

I am a Window cleaner, not a super guru on VPS servers and nodejs.
BUT I can read and follow instructions to a reasonable / respectable degree… I think…

I bought a domain tidyglass.co.uk
I bought royce theme.
I got a Linode VPS
I installed ghost as https://tidyglass.co.uk
And I love it. All good to this point. SEO is grand and easy, already getting found for my desired areas/results.
However, I cannot setup www.tidyglass.co.uk as https://
I followed the guide in the Ghost Cli page at Ghost-CLI - A fully loaded tool for installation and configuration changed the url, generated the ssl, then changed the url back to direct https://tidyglass.co.uk and yet with a valid ssl for www it still does not work. I am going off my head here.

So my tidyglass.co.uk-ssl.conf is as follows.

  server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name tidyglass.co.uk;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

    ssl_certificate /etc/letsencrypt/tidyglass.co.uk/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/tidyglass.co.uk/tidyglass.co.uk.key;
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

then I have a tidyglass.co.uk.conf as follows

server {
    listen 80;
    listen [::]:80;

    server_name tidyglass.co.uk;
	
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

for the www entry I created it is as follows (as mentioned above i have ghost config url https://tidyglass.co.uk applied now) and www.tidyglass.co.uk-ssl.conf is

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.tidyglass.co.uk;
	return 301 https://tidyglass.co.uk$request_uri;
}

and the 80 listening conf www.tidyglass.co.uk.conf

server {
    listen 80;
    listen [::]:80;

    server_name www.tidyglass.co.uk;
	return 301 https://tidyglass.co.uk$request_uri;80 listening entry is 
}

So those are my details. Can I get help.
If I fix I vow to create a post that will explain it all for normal mortals than want ghost like me that are also battling this.

Hey @mykleman
Thanks for using Ghost, really glad you’re enjoying the experience . Can I ask why you want to add the “www” domain to your SSL? Personally I would use my domain provider / DNS management tool to redirect the “www” domain to the “naked” domain, which would be tidyglass.co.uk in this case.

Does that make sense? Let me know if you need some more guidance

So I do see that https://tidyglass.co.uk is working with full SSL. I’m wondering if it’s more about the SSL you grabbed rather than the server configuration.

SSL certificates only work for certain domains, but there is something called a wildcard certificate that allows for any subdomain (including www.) to function off the same certificate.

There is a graphic at this website which helps describe that: Generate Wildcard SSL certificate using Let’s Encrypt/Certbot | by Saurabh Palande | Medium

So I’m not sure how exactly you generated your SSL cert, but I’d guess that you need to generate a new one that allows for subdomain including the wildcard configuration in the request.

To be honest though, as @DavidDarnes described, the DNS fix is going to be better for search engine optimization and general user experience.

Thank you for taking the time to reply!
I used the ghost ssl setup service.
Just seemed the easy route.
For me to go onto server and start setting up wildcard ssl is an elaborate adventure I would battle to find the hours for…
Going to try the dns redirect thing
Thank you again for taking the time to read and comment!

Thank you! I will try work out this route. I was ok with setting up my mx records for free zoho mail so I may get this route right if i find the right tutorial. I will start with 123-reg support though.
I did try creating a cname entry www and “destinationing” it to tidyglass.co.uk but it would not accept those values.
But that is a sound suggestion, i really dont need www.
Thank you for the support and just an epic product!

Hey @mykleman I have a feeling you hit a snag with our documentation.

You were absolutely in the right place with

The point of those docs is to switch the URL in Ghost to the www. or other additional domain without restarting Ghost, use ghost setup ssl nginx to trigger generation of a certificate and the nginx files, and then edit them to just redirect. Which I think you did.

However I think this line of the docs is where the issue is:

# Edit the nginx config files for your second domain to redirect to your canonical domain. In both files replace the content of the first location block with:
return 301 https://my-canonical-domain.com$request_uri;

You’ve ended up with the below as your modified www.tidyglass.co.uk-ssl.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.tidyglass.co.uk;
    return 301 https://tidyglass.co.uk$request_uri;
}

Which is missing 3 critical lines for SSL:

    ssl_certificate /etc/letsencrypt/www.tidyglass.co.uk/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/tidyglass.co.uk/www.tidyglass.co.uk.key;
    include /etc/nginx/snippets/ssl-params.conf;

Without these 3 lines, you’re not serving the certificate for the redirect, so it won’t work.

You should be able to fix it by doing either:

1. Edit the file www.tidyglass.co.uk-ssl.conf to put these 3 lines back
2. delete the 2 files www.tidyglass.co.uk.conf & www.tidyglass.co.uk-ssl.conf and then follow the docs again, but leaving the certificate lines in place this time

@DavidDarnes can you look at maybe expanding these docs to make the steps clearer?

@Hannah @DavidDarnes @explore

Thanks to everyone for their help on this. Its been some days but only had time to fix it all up now.

Big shout out to Hannah though for taking the time to outline such a detailed response. That sort of support for a self hosted blog was not expected. I guess that is the result of passion for the product, and well due as well. Ghost is just amazing.
I went with Hannahs route and it worked perfectly. My url even if entered with the www directs as a 301 right over to the https://tidy… url

In future any ghost setups I carry out now I feel confident in making sure their is a uniform address format welcome regardless of which way the site is visited or indexed via search engines.

Been a real pleasure. Many thanks again and hope every one is safe and well.

@mykleman Thank you This message absolutely made my day.

@Hannah, thank you for pointing me to this thread.

For those who must have received emails from my first entry in this thread, I was making a very silly mistake (not switching to the ghost-mgr user), I completely missed that bit (and it’s hard to, first thing you get to read when logging-in via PuTTy…)

Once I figured that out, I was able to follow along without any issues.

All fixed now!

Yeah, I’m also still confused on this. Did we need to make a CNAME to get the www. to point to the naked domain? Or was this an A record with www? I have a feeling that sorting this out will also prevent my administration emails (like password resets) from ending up in my spam folder.

No CNAME entry needed.
My fix (after much patient help from community here)

I followed this Ghost-CLI - A fully loaded tool for installation and configuration
You then should have two *-ssl.conf entries in your nginx active domains dir;
one will be the original url you setup with and the other will be with or without the www .

Then I selected I went to my ghost directory and set the url I wanted as the primary,
I went for the direct link (I hae no idea of the fancy names for these with wwww and without…)
So at the ghost dir I entered this:
ghost config url https://tidyglass.co.uk
Then I went tinto my nginx directory to the active domain with the www identity / name, and edited the ssl.conf entry as I was directed by @Hannah

I left is as is, all I added was the 301 to the conf file.

return 301 https://yourdomainname.domainextension$request_uri;

(Dont remove the certificate lines like I did, even though I was redirecting I didnt realize you dont delete the certificate lines, though most in this forum would understand not to do this)

I restarted all the services and was good to boot.

Hope you come right :)

On the CNAME helping your spam catching the password resets, from my brief experience and little knowledge of setting up zoho mail mx records, I think it would be text or SPF records that would add legitacy to your email domain and avoid it hitting spam folder.

Found this post… seems to explain it well https://blog.maskys.com/enabling-https-and-redirecting-www/

I enjoyed the humour in it ! Thanks for sharing.
I must say I lked the way the ghost team helped me thru it though, and now that understand the mechanics of it I prefer the route of changing ghost url to www regenerating ssl, then reverting back to vanilla https://‘directname’.ext url and just editing the conf file in etc/nginx dir.
However, thank you still for sharing this post. I bookmarked the site, a few good and useful posts there for us ghost site less techy early adopters like me.