slug: lets-encrypt-for-ghost-blog-on-ngnix-digitalocean
datepublished: 2015-12-08T23:29:09
dateupdated: 2017-12-30T07:47:35
tags: Tech Ideas, English Posts
excerpt: "Problem 1 I encountered: the server could not connect to the client for DV. This is caused by my DNS service provider, DNSPod, a Chinese firm. I don't really know what happened, but it seems Google can't get a DNS reply either. So if you see this pop up, switch to another DNS provider."
---

Image: Let's Encrypt

Thanks to: Santoshsrinivas


Prepare Your VPS' Environment

Find a suitable directory, say your home directory (`cd ~/`), and install letsencrypt:

```sh
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
```

Obtain Certificate

Problem 1 I encountered: the server could not connect to the client for DV (domain validation). This is caused by my DNS service provider, DNSPod, a Chinese firm. I don't really know what happened, but it seems Google can't get a DNS reply either. So if you see this pop up, switch to another DNS provider.

Also, you need to shut down Nginx temporarily so that port 80 can be used for the validation:

```sh
sudo service nginx stop
```

Manual from Let's Encrypt

Then you can generate the certificate, following the instructions that appear in the terminal as you proceed.

Note: ***The domain name is the website address; for me it is blog.moelf.xyz rather than moelf.xyz.***

```sh
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
```

You will then be greeted with the following (according to santoshsrinivas; I actually saw a shorter version, for no obvious reason):

```text
IMPORTANT NOTES:
     - If you lose your account credentials, you can recover through
       e-mails sent to MYEMAIL@MYDOMAIN.COM.
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/santoshsrinivas.com/fullchain.pem. Your cert
       will expire on 2016-03-03. To obtain a new version of the
       certificate in the future, simply run Let's Encrypt again.
     - Your account credentials have been saved in your Let's Encrypt
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Let's
       Encrypt so making regular backups of this folder is ideal.
     - If like Let's Encrypt, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
```
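The output above says the certificate expires in about three months, and on this setup renewing means stopping Nginx and re-running letsencrypt-auto, so it is easy to miss. The following is an added example, not from the original post or from Let's Encrypt: a small POSIX shell check that reports when a certificate file is within N days of expiry. It assumes `openssl` is installed; the live path from the post (`/etc/letsencrypt/live/blog.moelf.xyz/fullchain.pem`) is only mentioned in a comment, and the demo uses a throwaway self-signed certificate constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the original post): warn when the certificate nginx
# serves is close to expiry, so the renewal step (here: stop nginx, re-run
# letsencrypt-auto, restart nginx) is not missed. Assumes openssl is installed.
# Real usage: renewal_check /etc/letsencrypt/live/blog.moelf.xyz/fullchain.pem 30

# cert_expires_within CERT DAYS: returns 0 if CERT expires within DAYS days,
# 1 otherwise. openssl's own -checkend does the date math, so no GNU-only
# `date -d` parsing of the notAfter field is needed.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1    # openssl exits 0 when the cert will NOT expire in the window
    fi
    return 0
}

# renewal_check CERT DAYS: prints a verdict; returns 0 when nothing is due,
# 1 when renewal is due, 2 when the file cannot be read.
renewal_check() {
    cert="$1"; days="$2"
    if [ ! -r "$cert" ]; then
        echo "ERROR: cannot read $cert" >&2
        return 2
    fi
    if cert_expires_within "$cert" "$days"; then
        echo "RENEW: $cert expires within $days days ($(openssl x509 -enddate -noout -in "$cert"))"
        return 1
    fi
    echo "OK: $cert is valid for more than $days days"
    return 0
}

# make_test_cert OUT DAYS: constructed sample input, a throwaway self-signed
# certificate valid for DAYS days, standing in for fullchain.pem so the check
# can be exercised offline. Writes the key next to it as OUT.key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo when run with --demo: a 20-day cert against the 30-day threshold.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    make_test_cert "$tmp" 20
    renewal_check "$tmp" 30 || true
    rm -f "$tmp" "$tmp.key"
fi
```

Run from cron against the live fullchain.pem, a non-zero exit is the signal to schedule the stop/renew/restart sequence before the date in the output above arrives.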

Set up Nginx for 443/SSL

You can find your Nginx config file at /etc/nginx/sites-available/ghost.conf. My version of it:

```nginx
server {
    listen [::]:80;
    listen 80;
    server_name moelf.xyz blog.moelf.xyz;

    # Send every plain-HTTP request to the HTTPS site. `return` applies to
    # all requests in this server block, so the location below is never reached.
    return 301 https://blog.moelf.xyz$request_uri;

    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_pass         http://127.0.0.1:{YOUR GHOST PORT};  # e.g. 2368, Ghost's default
    }
}

server {
    server_name blog.moelf.xyz moelf.xyz; # Replace with your domain(s)
    access_log /var/log/nginx/www_ss.log;

    # spdy was replaced by http2 in nginx 1.9.5; on newer versions use
    # `listen 443 ssl http2;` instead.
    listen [::]:443 ssl spdy;
    listen 443 ssl spdy;

    # This certificate covers blog.moelf.xyz only; a direct request for
    # https://moelf.xyz lands here and the browser will report a name mismatch.
    ssl_certificate /etc/letsencrypt/live/blog.moelf.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.moelf.xyz/privkey.pem;

    include /etc/nginx/h5bp/h5bp/directive-only/ssl.conf;
    include /etc/nginx/h5bp/h5bp/directive-only/ssl-stapling.conf;
    include /etc/nginx/h5bp/h5bp/directive-only/spdy.conf;

    location / {
        proxy_pass http://localhost:{YOUR GHOST PORT};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
```

The three include lines were confusing for me as well. What you can do is clone the h5bp repo and place the files inside the /etc/nginx/ folder, as I did. santoshsrinivas used something like `include h5bp/directive-only/ssl.conf;`, but I couldn't figure out where the folder should go for that to work, so I used the absolute path instead.

Restart Nginx

Run `sudo service nginx restart` and your Ghost blog should be running over HTTPS.