When you follow the EFF's instructions for using CertBot [1] to set up Ghost behind Nginx, and hit this step:
certbot-auto
You may hit this error message:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Invalid response from
If so, it's probably because the standard Nginx configuration that DigitalOcean gives you with their one-click install only has one location block:
location / {
    proxy_pass http://localhost:2368;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
}
The result is that every URL, whether it resolves to a Ghost page or to a 404 (this is the key part), is handled by Ghost, including the URL that CertBot temporarily creates for the challenge, i.e. /.well-known/acme-challenge/yadayadayada. Ghost knows nothing about that file, so it answers 404 and the validation fails.
To fix this, create a directory that Nginx can read, where CertBot will store its temporary challenge files, for example /var/www/thing
Then add this little block to your Nginx config:
location ~ /.well-known {
    # serve the challenge files from the webroot created above instead of proxying to Ghost
    root /var/www/thing;
    allow all;
}
Update August 19, 2016: snagged the above from DigitalOcean's document on setting up Let's Encrypt with Nginx. If you need help with more of the process than I describe here, best head over there for more support.
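To see why the one-click config swallows the challenge URL and why the extra block fixes it, here is an added example (not code from the post, DigitalOcean or nginx) that applies nginx's location selection rules to a request URI: exact `=` matches first, then the longest prefix (a `^~` prefix stops there), then regex locations in file order, and finally the longest prefix as fallback. The two configs embedded in it are constructed stand-ins for the before and after state described above; the parser is a deliberate simplification that only handles location blocks without nested braces.

```python
import re
from typing import List, Optional

# Constructed sample configs (assumptions for this example, not the page's full file).
ONE_CLICK = """
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header Host $http_host;
    }
}
"""

FIXED = """
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header Host $http_host;
    }
    location ~ /.well-known {
        root /var/www/thing;
        allow all;
    }
}
"""


class Location:
    def __init__(self, modifier: str, pattern: str, body: str):
        self.modifier = modifier  # "", "=", "^~", "~" or "~*"
        self.pattern = pattern
        self.body = body

    def __repr__(self) -> str:
        return f"location {self.modifier} {self.pattern}".replace("  ", " ")


# Simplified parser: location blocks without nested braces (enough for these configs).
_LOCATION_RE = re.compile(r"location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{([^}]*)\}", re.S)


def parse_locations(config: str) -> List[Location]:
    return [Location(m.group(1) or "", m.group(2), m.group(3).strip())
            for m in _LOCATION_RE.finditer(config)]


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Apply nginx's location selection order to a request URI."""
    # 1. An exact (=) match wins immediately.
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    # 2. Remember the longest matching prefix (plain or ^~).
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    # A ^~ modifier on the longest prefix suppresses the regex pass.
    if best is not None and best.modifier == "^~":
        return best
    # 3. Regex locations are tried in file order; the first match wins.
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    # 4. Otherwise fall back to the longest prefix match.
    return best


def handler_for(config: str, uri: str) -> str:
    loc = select_location(parse_locations(config), uri)
    return repr(loc) if loc else "<no match>"


def proxied_to_ghost(config: str, uri: str) -> bool:
    loc = select_location(parse_locations(config), uri)
    return loc is not None and "proxy_pass" in loc.body


if __name__ == "__main__":
    challenge = "/.well-known/acme-challenge/yadayadayada"
    for name, cfg in (("one-click", ONE_CLICK), ("with .well-known block", FIXED)):
        print(f"{name}: {challenge} -> {handler_for(cfg, challenge)} "
              f"(proxied to Ghost: {proxied_to_ghost(cfg, challenge)})")
```

With only `location /`, the challenge URI has a single candidate and goes to Ghost; with the regex block present, step 3 picks `location ~ /.well-known` before the `/` prefix fallback is used, so the file is read from the webroot instead. Any other URI, such as a blog post, still ends up at `location /`.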
Run CertBot again, and you should be squared away:
/opt/certbot-auto certonly --webroot -w /var/www/thing -d example.com -d www.example.com
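Before re-running CertBot, it is worth confirming that Nginx really serves the webroot on the challenge path, since each failed validation counts against Let's Encrypt's rate limits. The following is an added pre-flight check, not part of the post or of CertBot: it writes a random probe file where `certbot --webroot` would write a challenge, fetches it over plain HTTP and compares. The fetch function is injectable, so the script also includes two constructed stand-ins (a server that reads from the webroot, and a Ghost-style 404) to show the check passing and failing offline; the webroot and domain are assumptions you pass on the command line.

```python
import secrets
import sys
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Tuple

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_probe(webroot: str) -> Tuple[str, Path]:
    """Drop a random probe file where certbot --webroot would put a challenge."""
    token = secrets.token_urlsafe(16)
    target_dir = Path(webroot) / CHALLENGE_DIR
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / token
    path.write_text(token)
    return token, path


def http_fetch(url: str) -> str:
    """Real fetch over HTTP; used when the script is run against a live host."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def webroot_is_served(webroot: str, domain: str,
                      fetch: Callable[[str], str] = http_fetch) -> bool:
    """True if GET /.well-known/acme-challenge/<probe> returns the probe's content."""
    token, path = write_probe(webroot)
    try:
        body = fetch(f"http://{domain}/{CHALLENGE_DIR.as_posix()}/{token}")
    except Exception:  # connection refused, HTTPError for a 404, timeout, ...
        return False
    finally:
        path.unlink(missing_ok=True)  # never leave probe files in the webroot
    return body.strip() == token


# Constructed stand-ins for the two server behaviours (offline simulation only).
def fetch_from_webroot(webroot: str) -> Callable[[str], str]:
    """Behaves like Nginx with the .well-known block: serves the file from the webroot."""
    def fetch(url: str) -> str:
        token = url.rsplit("/", 1)[1]
        return (Path(webroot) / CHALLENGE_DIR / token).read_text()
    return fetch


def fetch_from_ghost(url: str) -> str:
    """Behaves like the one-click config: every URL is answered by Ghost's 404 page."""
    return "<html><body>404 Page not found</body></html>"


def simulate() -> Tuple[bool, bool]:
    """(served from webroot, proxied to Ghost) results against a temporary webroot."""
    with tempfile.TemporaryDirectory() as webroot:
        good = webroot_is_served(webroot, "example.com", fetch_from_webroot(webroot))
        bad = webroot_is_served(webroot, "example.com", fetch_from_ghost)
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python3 check.py /var/www/thing example.com
        ok = webroot_is_served(sys.argv[1], sys.argv[2])
        print("challenge path is served from the webroot" if ok
              else "challenge path is NOT served from the webroot (still proxied to Ghost?)")
        sys.exit(0 if ok else 1)
    print("simulation (served, proxied-to-Ghost):", simulate())
```

Run it as `python3 check.py /var/www/thing example.com` from the server (or anywhere that can reach port 80); a non-zero exit means the location block is not taking effect yet, and running CertBot would just reproduce the "unauthorized" error above.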
Work for you? Let me know. You might also consider donating to EFF for making this whole thing happen. The process really is painless, and free.
[1] Certbot logo used with permission.