Upgrading LetsEncrypt Certificates for Ghost

A self-hosted Ghost blog can and should serve over HTTPS. One of the nice things about Ghost is that it automates issuing and renewing the certificates HTTPS needs by using LetsEncrypt. However, changes on the LetsEncrypt side in the last year have broken this automation on older installs.

Running into this means seeing the dreaded 'This site is not who they say they are' browser warning, because the certificate has expired and the browser rejects it.

Luckily there is an easy fix that not only gets the certificates renewed but also puts the site on the latest version of the renewal tooling.

Updating the Certificates

To get right to it, here are all the steps to take. This assumes that Ghost is installed on a Debian-based system (Ubuntu, for instance) and that Ghost CLI was used to install it and is still in use (this is the default when installing Ghost).

# Run these as the user that owns the acme.sh install in /etc/letsencrypt. Check rather than guess:
# `ls -ld /etc/letsencrypt` shows the owner, and `sudo crontab -l | grep acme.sh` shows whose cron job renews.
# In most cases it will be 'ghost'; if it is root, stay root instead and put `sudo` in front of each command.
su ghost

# Verify your Ghost site is still managed by acme.sh (your domain should be listed here)
/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list

# Attempt to renew. If the automation issue described below is what you are hitting, THIS should error.
# Replace YOUR_DOMAIN.COM with, well, your domain.
/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --renew -d YOUR_DOMAIN.COM

# Assuming that errored, you likely need the latest acme.sh. This fetches the current release from the acme.sh project over the network.
/etc/letsencrypt/acme.sh --upgrade --home "/etc/letsencrypt"

# Should finish with (the bracketed part is a timestamp)
#[XXXXXXX] Install success!
#[XXXXXXX] Upgrade success!

# Now renew again; this time it should succeed.
# If acme.sh instead answers "Skip, Next renewal time is ...", the certificate is not due yet; add --force to renew anyway.
/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --renew -d YOUR_DOMAIN.COM

What happened, and how does this fix Ghost certs?

Ghost installs the acme.sh LetsEncrypt client and then installs a periodic cron job to keep the certificates renewed. However, in September 2019 LetsEncrypt moved the API endpoint that client talks to. The old client keeps calling the old endpoint, so the cron job fails and the certificates are no longer renewed. Once the current certificate expires, browsers reject it during the TLS handshake and the site fails to load as expected.

What we did above was update the acme.sh client to the latest version, which talks to the new API endpoint. The existing cron job now runs the new client, so from this point forward the site should stay encrypted. It is worth confirming that the cron job is still installed (`crontab -l | grep acme.sh` as the owning user) and checking the certificate the site actually serves after the renewal, not just the output of acme.sh.
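The procedure above ends with acme.sh reporting success, but the proof is the certificate the site actually serves, and acme.sh itself decides renewal by how many days remain. The following script is an added example, not code from the original post or from Ghost or acme.sh: it fetches a site's leaf certificate, reports issuer, validity dates and days left, and flags it when fewer than a chosen number of days remain. It assumes openssl is on PATH; the 30-day threshold and the example.test name used in the offline self-check are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post, Ghost or acme.sh): inspect the
# certificate a site serves and decide whether it is due for renewal.
# Assumptions: openssl is on PATH; the 30-day threshold is a choice made here.

# Largest whole number of days for which the certificate in FILE stays valid.
# `openssl x509 -checkend N` exits 0 when the cert is still valid at now+N
# seconds, so a binary search over N avoids GNU/BSD-specific `date` parsing.
cert_days_left() {
  file=$1
  lo=0
  hi=3650
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if openssl x509 -noout -checkend $(( mid * 86400 )) -in "$file" >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$lo"
}

# Exit 0 (true) when the certificate in FILE expires within THRESHOLD days,
# i.e. when a renewal should already have happened.
needs_renewal() {
  file=$1
  threshold=$2
  if openssl x509 -noout -checkend $(( threshold * 86400 )) -in "$file" >/dev/null 2>&1; then
    return 1   # still valid beyond the threshold
  fi
  return 0     # expires inside the threshold
}

# Fetch the leaf certificate DOMAIN presents on port 443 (with SNI) into FILE.
# This is the only network call; everything else works on a local PEM file.
fetch_site_cert() {
  domain=$1
  out=$2
  openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Report issuer, validity window and renewal status for a live site.
check_site() {
  domain=$1
  tmp=$(mktemp -d)
  if ! fetch_site_cert "$domain" "$tmp/leaf.pem" || [ ! -s "$tmp/leaf.pem" ]; then
    echo "could not fetch a certificate from $domain:443" >&2
    rm -rf "$tmp"
    return 2
  fi
  openssl x509 -noout -issuer -subject -dates -in "$tmp/leaf.pem"
  days=$(cert_days_left "$tmp/leaf.pem")
  echo "days left: $days"
  if needs_renewal "$tmp/leaf.pem" 30; then
    echo "RENEWAL OVERDUE: fewer than 30 days left; run the acme.sh --renew step (add --force if it says the cert is not yet due)"
    rm -rf "$tmp"
    return 1
  fi
  echo "OK: renewal not yet due"
  rm -rf "$tmp"
  return 0
}

# Offline self-check on a constructed throwaway certificate valid for 30 days,
# so the logic can be exercised without touching any real site.
self_test() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
    -days 30 -subj "/CN=example.test" >/dev/null 2>&1
  days=$(cert_days_left "$tmp/cert.pem")
  echo "constructed 30-day cert: $days days left"
  if needs_renewal "$tmp/cert.pem" 60; then echo "  within 60 days: needs renewal"; fi
  if ! needs_renewal "$tmp/cert.pem" 10; then echo "  within 10 days: not yet"; fi
  rm -rf "$tmp"
}

# With no arguments run the offline self-check; with a domain, inspect that site.
if [ "$#" -eq 0 ]; then
  self_test
else
  check_site "$1"
fi
```

Run it with no arguments for the offline self-check, or as `sh check_cert.sh YOUR_DOMAIN.COM` after the renewal step. If acme.sh reported success but the served certificate still shows the old dates, the usual cause is that nginx is still holding the old file; reload it (`sudo nginx -s reload` or `sudo systemctl reload nginx`) and check again.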

Resources

  1. New API blog post
  2. acme.sh
  3. How TLS Handshakes Work
  4. LetsEncrypt forum solution (accessed Jan 2020)
  5. Ghost forum thread, no solution (accessed Jan 2020)