Hello,
When I enter the address devopsowy.pl, everything is OK and my website is secure, but when I use www.devopsowy.pl I get an insecure connection with the error NET::ERR_CERT_COMMON_NAME_INVALID. When I installed Ghost, I entered my website address as https://devopsowy.pl - maybe that is the problem? How can I fix it? Can I modify my current SSL cert from Let’s Encrypt? If not, how can I generate a new one for my website? Is it possible with Ghost CLI?
Hi, I’m having this problem too. You have to go through a bit of a roundabout process apparently, outlined here:
(search the page for the section “SSL for additional domains”)
My problem, that I expect you will next encounter, is that once you get to the section where you set up the www version of the site with
ghost setup nginx ssl
I get told that the ssl config already exists, so the creation is skipped. However, looking at my /etc/nginx/sites-enabled, the ssl config only exists for the non-www version of the site. The config for the www version of the site is there, but it is not ssl enabled. I’m familiar with nginx and so I’m debating just adding the config manually, but I think it is a bit dumb to have to do this, and I also think that the documented process can easily be proven to be broken by attempting to complete these steps. I am using the Digital Ocean droplet, for the record.
Thanks justishar1. That works! But I have one question - when I use https://www.devopsowy.pl I get a different SSL cert than for https://devopsowy.pl - is it possible to use just one cert?
The web does support WILDCARD certificates (you can search for details) e.g. *.mydomain.com - but I don’t think these would work for www.xyz.com and xyz.com because the second name is missing the . part of the certificate, and you cannot register *mydomain.com for obvious reasons.
In any case, I think you have to pay a decent amount from one of the Certificate Authorities to get a WILDCARD.
It is just easier to have two domains and two certificates.
You might also find that the version of certbot that comes with your distribution is more reliable than the ghost-cli certificate management.
It can be tricky to integrate the ghost-cli certificate management into reliable secure NGINX auto-renewal.
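
Added example, not part of the thread: a small Python check of which hostnames a certificate's name list covers, showing why a certificate issued only for devopsowy.pl triggers NET::ERR_CERT_COMMON_NAME_INVALID on www.devopsowy.pl and why a wildcard entry does not match the bare domain. The name lists below are constructed samples, not read from the real certificates, and the matching is a simplified form of the RFC 6125 rules that browsers apply.

```python
"""Which hostnames does a certificate's subjectAltName list cover?"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com never matches example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Simplification: refuse wildcards directly under a single-label
        # suffix (e.g. "*.pl"); browsers consult the public suffix list.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered(san_names, hostnames):
    """Return {hostname: True/False} for a certificate's SAN list."""
    return {h: any(name_matches(s, h) for s in san_names) for h in hostnames}


# Hostnames from the thread; SAN lists are constructed for illustration.
SITES = ["devopsowy.pl", "www.devopsowy.pl"]
SAMPLE_CERTS = {
    "apex only": ["devopsowy.pl"],
    "wildcard only": ["*.devopsowy.pl"],
    "apex + www": ["devopsowy.pl", "www.devopsowy.pl"],
}


def report():
    """Coverage of both site names for each sample certificate."""
    return {label: covered(sans, SITES) for label, sans in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, result in report().items():
        for host, ok in result.items():
            status = "ok" if ok else "name mismatch"
            print(f"{label:14} {host:18} {status}")
```

To compare against a live certificate, the names it actually carries can be listed with `openssl x509 -noout -text` and looking at the Subject Alternative Name section.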