Failed SSL Check while running LetsEncrypt on a new domain and fresh Ghost installation
I'm trying to set up an SSL certificate on a new domain. I followed the Ghost documentation on installation, but I'm stuck with setting up the SSL cert for the domain. The output I'm seeing when it fails is:
One or more errors occurred.
ProcessError
Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain exampledomain.com.uk --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail someoneelse@exampledomain.com.uk
[Sat Jun 29 20:51:16 UTC 2019] exampledomain.com.uk:Verify error:Invalid response from http://exampledomain.com.uk/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [123.45.67.89]:
[Sat Jun 29 20:51:16 UTC 2019] Please add '--debug' or '--log' to check more details.
[Sat Jun 29 20:51:16 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sat Jun 29 20:51:12 UTC 2019] Create account key ok.
[Sat Jun 29 20:51:12 UTC 2019] Registering account
[Sat Jun 29 20:51:13 UTC 2019] Registered
[Sat Jun 29 20:51:13 UTC 2019] ACCOUNT_THUMBPRINT='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
[Sat Jun 29 20:51:13 UTC 2019] Creating domain key
[Sat Jun 29 20:51:13 UTC 2019] The domain key is here: /etc/letsencrypt/exampledomain.com.uk/exampledomain.com.uk.key
[Sat Jun 29 20:51:13 UTC 2019] Single domain='exampledomain.com.uk'
[Sat Jun 29 20:51:13 UTC 2019] Getting domain auth token for each domain
[Sat Jun 29 20:51:14 UTC 2019] Getting webroot for domain='exampledomain.com.uk'
[Sat Jun 29 20:51:14 UTC 2019] Verifying: exampledomain.com.uk
Exit code: 1
Debug Information:
OS: Ubuntu, v18.04
Node Version: v10.16.0
Ghost-CLI Version: 1.11.0
Environment: production
Command: 'ghost install'
Additional log info available in: /home/admin/.ghost/logs/ghost-cli-debug-2020-06-29T20_51_21_642Z.log
That log information is:
cat .ghost/logs/ghost-cli-debug-2019-06-29T20_51_21_642Z.log
Debug Information:
OS: Ubuntu, v18.04
Node Version: v10.16.0
Ghost-CLI Version: 1.11.0
Environment: production
Command: 'ghost install'
Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain exampledomain.com.uk --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail someoneelse@exampledomain.com.uk
[Sat Jun 29 20:51:16 UTC 2019] exampledomain.com.uk:Verify error:Invalid response from http://exampledomain.com.uk/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [123.45.67.89]:
[Sat Jun 29 20:51:16 UTC 2019] Please add '--debug' or '--log' to check more details.
[Sat Jun 29 20:51:16 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sat Jun 29 20:51:12 UTC 2019] Create account key ok.
[Sat Jun 29 20:51:12 UTC 2019] Registering account
[Sat Jun 29 20:51:13 UTC 2019] Registered
[Sat Jun 29 20:51:13 UTC 2019] ACCOUNT_THUMBPRINT='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
[Sat Jun 29 20:51:13 UTC 2019] Creating domain key
[Sat Jun 29 20:51:13 UTC 2019] The domain key is here: /etc/letsencrypt/exampledomain.com.uk/exampledomain.com.uk.key
[Sat Jun 29 20:51:13 UTC 2019] Single domain='exampledomain.com.uk'
[Sat Jun 29 20:51:13 UTC 2019] Getting domain auth token for each domain
[Sat Jun 29 20:51:14 UTC 2019] Getting webroot for domain='exampledomain.com.uk'
[Sat Jun 29 20:51:14 UTC 2019] Verifying: exampledomain.com.uk
Exit code: 1
--------------- stdout ---------------
[Sat Jun 29 20:51:12 UTC 2019] Create account key ok.
[Sat Jun 29 20:51:12 UTC 2019] Registering account
[Sat Jun 29 20:51:13 UTC 2019] Registered
[Sat Jun 29 20:51:13 UTC 2019] ACCOUNT_THUMBPRINT='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
[Sat Jun 29 20:51:13 UTC 2019] Creating domain key
[Sat Jun 29 20:51:13 UTC 2019] The domain key is here: /etc/letsencrypt/exampledomain.com.uk/exampledomain.com.uk.key
[Sat Jun 29 20:51:13 UTC 2019] Single domain='exampledomain.com.uk'
[Sat Jun 29 20:51:13 UTC 2019] Getting domain auth token for each domain
[Sat Jun 29 20:51:14 UTC 2019] Getting webroot for domain='exampledomain.com.uk'
[Sat Jun 29 20:51:14 UTC 2019] Verifying: exampledomain.com.uk
--------------- stderr ---------------
[Sat Jun 29 20:51:16 UTC 2019] exampledomain.com.uk:Verify error:Invalid response from http://exampledomain.com.uk/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [123.45.67.89]:
[Sat Jun 29 20:51:16 UTC 2019] Please add '--debug' or '--log' to check more details.
[Sat Jun 29 20:51:16 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
1 Reply
I did some digging into the error messages you are seeing here.
Based on the error message:
Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --domain
I found a couple of posts, one on Ghost's forum and the other on LetsEncrypt's, but they were either unanswered or didn't have a clear conclusion:
- https://forum.ghost.org/t/ssl-ceritificate-not-renewing/7058
- https://community.letsencrypt.org/t/unable-to-generate-cert-acme-sh-certbot-on-ghost-installation/87526/9
Hitting a wall with that error, I dug into this one:
error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c
This is where I think I hit something:
https://stackoverflow.com/questions/54690399/openssl-client-authentication-fails-with-expecting-trusted-certificate
Based on this, it appears the issue is related to TLS checks on OpenSSL. There is a problem with the admin-c-auth-ca-cert.crt file not having the right content or format. The linked post above provides some further details on steps to take on converting that to PEM, which solved the issue for the person who had similar issues, based on the error messages.
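The "Verify error: Invalid response from http://.../.well-known/acme-challenge/..." line in the question is an HTTP-01 validation failure: the CA could not fetch the token that acme.sh wrote under the `--webroot` directory. The following check is an added example, not part of the thread or of Ghost-CLI or acme.sh; `probe_http01` and `http_fetch` are names made up here. It writes a random probe file where acme.sh would place its token and confirms the web server returns it unchanged.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def http_fetch(url, timeout=10):
    """Fetch url; return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_http01(webroot, base_url, fetch=http_fetch):
    """Write a probe file under webroot and fetch it back; return (ok, detail)."""
    token = "probe-" + secrets.token_urlsafe(16)
    expected = secrets.token_urlsafe(32).encode()
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "wb") as handle:
        handle.write(expected)
    os.chmod(path, 0o644)  # the web server user must be able to read it
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        status, body = fetch(url)
    except OSError as err:  # DNS failure, refused connection, timeout
        return False, f"{url}: request failed: {err}"
    finally:
        os.remove(path)  # never leave probe files in the webroot
    if status != 200:
        return False, f"{url}: HTTP {status}; server is not serving {webroot}"
    if body.strip() != expected:
        return False, f"{url}: HTTP 200 but wrong body; another site answered"
    return True, f"{url}: served correctly from {webroot}"


if __name__ == "__main__":
    # Webroot is the one in the question's acme.sh command; the domain is the
    # question's redacted placeholder.
    ok, detail = probe_http01("/var/www/ghost/system/nginx-root",
                              "http://exampledomain.com.uk")
    print("PASS" if ok else "FAIL", detail)
```

Run it as a user that can write to the webroot. A FAIL with a 404 or a wrong body points at the nginx server block or DNS record for the domain rather than at acme.sh itself.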