Setting up Let's Encrypt on Ghost with Nginx

When you follow EFF's instructions for using Certbot [1] to set up Ghost behind Nginx, and hit this step:

    certbot-auto
You may hit this error message:

    IMPORTANT NOTES:
     - The following errors were reported by the server:
       Domain: example.com
       Type:   unauthorized
       Detail: Invalid response from

If so, it's probably because the standard Nginx configuration that DigitalOcean gives you with their one-click install only has one location block:

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

The result is that every URL, whether it resolves to a document or to a 404 (this is the key part), is handled by Ghost, including the URLs that Certbot temporarily creates, i.e. /.well-known/acme-challenge/yadayadayada. Ghost answers the challenge request with its own 404 page instead of the token Certbot wrote, so Let's Encrypt reports the domain as unauthorized.

To fix this, create a directory that Nginx can serve files from, where Certbot will store its temporary challenge files, for example /var/www/thing

Then add this little block to your Nginx config:

    location ~ /.well-known {
        allow all;
    }

Update August 19, 2016: snagged the above from Digital Ocean's document on setting up Let's Encrypt with Nginx. If you need help with more of the process than I describe here, best head over there for more support.
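For a full picture of how the two location blocks fit together, here is a complete server block as an added example; it is not from the post, from Ghost, or from DigitalOcean's one-click config. The server_name values are assumptions, and so is the /var/www/thing webroot (the post spells the directory /var/www/thing in one place and /var/www/things in another; pick one and use it for both the root directive here and Certbot's -w option). Note that `allow all;` on its own only affects access control; unless a `root` points at your webroot, Nginx serves the challenge path from its default html directory and the challenge still fails.

```nginx
# Added example, not the post's or DigitalOcean's config.
# Assumes Ghost listens on localhost:2368 and that /var/www/thing is the
# same directory you pass to certbot with -w.
server {
    listen 80;
    server_name example.com www.example.com;

    # ACME HTTP-01 challenge files. "^~" is a prefix match that stops Nginx
    # from considering regex locations, so this block always wins for the
    # challenge path. Certbot writes the token files under
    # /var/www/thing/.well-known/acme-challenge/ and Nginx serves them
    # straight from disk; a missing token gets a plain 404, not Ghost's page.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/thing;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is proxied to Ghost exactly as before.
    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
```

Before running Certbot, check the config with `nginx -t`, reload Nginx, drop a throwaway text file into /var/www/thing/.well-known/acme-challenge/ and fetch it over plain HTTP from outside the box. If you get the file's contents back, Nginx is serving the challenge path; if you get Ghost's 404 page, the location block is not in the server block that actually answers port 80 for that hostname, or Nginx was not reloaded.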

Run CertBot again, and you should be squared away:

    /opt/certbot-auto certonly --webroot -w /var/www/things -d example.com -d www.example.com

Work for you? Let me know. You also might consider donating to EFF for making this whole thing happen. The process really is painless, and free.

[1] Certbot logo used with permission.