Use Amazon certificate with Route53 instead of LetsEncrypt

paulrberg · August 11, 2020, 6:18pm

Description

I managed to successfully set up Ghost with SSL via the official integration with LetsEncrypt, but now I want to move over to a certificate issued by Amazon and a domain managed via Route53 and CloudFront.

What I tried doing:

Keep my blog as it is and only point the A record to the CloudFront distribution. Didn’t work.
Uninstall and reinstall Ghost. Didn’t work.
Start with a clean-slate EC2 (uninstall mysql, nginx, etc.) and reinstall Ghost. Didn’t work.

I’m shown the default nginx home page on paulrberg.com and “404 Not Found” on paulrberg.com/ghost:

Notes:

I did not answer with “yes” when the Ghost CLI asked me if I want SSL via LetsEncrypt.
I tried changing the URL via ghost config url a couple of times, nothing worked.
I disabled the cache in the CloudFront distribution settings, even if I think that this isn’t related. I can see the same nginx default page if I access the IP of the EC2 directly.

Is this not doable with Ghost? Can I use SSL only via the integration with LetsEncrypt?

Environment

ubuntu@18.04
node@12.18.3
mysql@5.7
ghost@1.14.1

paulrberg · August 12, 2020, 2:27pm

I’ve done more debugging on this and I concluded that the effort is not worth it. I’ll stick with the LetsEncrypt certificate.

I suspect that the issue is the nginx configuration. The way Ghost provides may not be compatible with an Amazon certificate coupled with Route53 and CloudFront.

Here’s my paulrberg.com.conf file:

server {
    listen 80;
    listen [::]:80;

    server_name paulrberg.com;
    root /var/www/ghost/system/nginx-root; # Used for acme.sh SSL verification (https://acme.sh)

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

I don’t understand why there is a reference to acme.sh in root var/www/ since I didn’t opt-in to enable SSL in the initial Ghost setup.

paulrberg · August 13, 2020, 9:14am

I finally managed to make it work!! There was a mash-up of bugs that I had to identify and patch, such as ERR_TOO_MANY_REDIRECTS, nginx misconfigs and SSL errors.

If I had followed your CloudFront Subdirectory Setup, setting this up would’ve taken much less time.

Perhaps it would be worth it to mention in the docs that this CloudFront setup is not only applicable to a subdirectory, but to a whole website hosted independently on EC2?