Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
DigitalOcean LetsEncrypt Nginx Config
server {
listen 80;
listen [::]:80;
server_name robertnealan.com;
root /var/www/ghost/system/nginx-root;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/robertnealan.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/robertnealan.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = robertnealan.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name robertnealan.com;
return 404; # managed by Certbot
}
@jonopens

This comment has been minimized.

Copy link

jonopens commented Aug 17, 2016

Lines 6 and 42 won't work based on the commands you supply in Step 7 of your guide (below). Certbot will look for .well-known in a place where it doesn't exist.

/opt/certbot-auto certonly --webroot -w /var/www/ghost -d yourdomain.com -d www.yourdomain.com

@dvdme

This comment has been minimized.

Copy link

dvdme commented Oct 7, 2016

Adding to the existing comment replace line 6 and 42 to

root /var/www/ghost;

and it will work.

@robertnealan

This comment has been minimized.

Copy link
Owner Author

robertnealan commented Oct 19, 2016

@jonopens @dvdme — Good catch and sorry for the delayed response (looks like Github doesn't send me emails for Gist comments). Updated the gist and post <code> block.

@leotm

This comment has been minimized.

Copy link

leotm commented Dec 15, 2016

Worked perfectly, thanks.

@NetOperatorWibby

This comment has been minimized.

Copy link

NetOperatorWibby commented Mar 1, 2017

Oh man, THANK YOU for this!

@grantwinney

This comment has been minimized.

Copy link

grantwinney commented Mar 26, 2017

@robertnealan Ghost serves up sitemap.xml and robots.txt files when requested, which are both good to have.

Lines 59-61, when uncommented, break that functionality and prevent those pages from being accessible. I'd leave those lines commented out or just remove them entirely, unless there's a clear reason for wanting to block access to those files.

BTW, awesome guide - thanks so much for writing that up. I followed the DO tutorial once when I was setting up WordPress with Let's Encrypt, and although I got it to work it was more complicated.

@robertnealan

This comment has been minimized.

Copy link
Owner Author

robertnealan commented May 11, 2017

@grantwinney Thanks for the heads up - I actually had someone email me about that issue recently and just got around to digging into it. If I recall they were required for earlier versions of Ghost (circle 0.3.x) when it didn't automatically generate a sitemap.xml or robots.txt. Updating the guide accordingly!

And thanks for the compliments! For how much documentation there is around Ghost nowadays it still seems to be problematic to piece it all together.

@tim-phillips

This comment has been minimized.

Copy link

tim-phillips commented May 16, 2017

Right on! Thanks, this was a breeze to set up.

@ghost

This comment has been minimized.

Copy link

ghost commented Jun 3, 2017

@robertnealan Just wanted to say awesome article. I wanted to throw something in and didn't know of another way to reach out. If you test the strength of the ssl cert issued by this tutorial on ssllabs you get a B. For an easy upgrade to an A just run sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 and drop this into the nginx configssl_dhparam /etc/ssl/certs/dhparam.pem;

That will make for a stronger SSL.

@CGavrila

This comment has been minimized.

Copy link

CGavrila commented Jul 1, 2017

Thanks, Robert. This is awesome. For anyone wondering, this gist is linked in https://robertnealan.com/setting-up-ssl-for-ghost-on-digitalocean-with-lets-encrypt/

@regalstreak

This comment has been minimized.

Copy link

regalstreak commented Jul 10, 2017

Best guide and the one that works for the purpose. Thanks a lot @robertnealan for this!

@robertnealan

This comment has been minimized.

Copy link
Owner Author

robertnealan commented May 23, 2018

Heads up all that I've just updated this Gist and the post to reflect the latest updates in DigitalOcean's Ghost droplet, the new Ghost CLI, and LetsEncrypt's newest CertBot CLI. The archived version of this Gist can be found here: https://gist.github.com/robertnealan/84c8fbe1956244bd2f57c7f0ac7715ab

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.