SSL certificate generation fails due to renewal, but CLI thinks everything is okay and continues #309

Closed
kirrg001 opened this issue Jul 7, 2017 · 4 comments · Fixed by #316

kirrg001 (Contributor) commented Jul 7, 2017

I ran into the following situation.

I was prompted for SSL certificate generation and hit "yes".

? Enter your email (used for SSL certificate generation) kate@ghost.org
Running sudo command: service nginx restart
Certificate not due for renewal yet, skipping
? Ghost-CLI would like to generate a ssl parameters file. Yes, write config file

But a warning popped up: "Certificate not due for renewal yet, skipping".
The CLI continued with trying to generate the certificate and then it prompted me for SSL parameter file generation. I hit yes (I knew this was going to fail).

Then I ran into:

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
✖ Setting up ssl
A ProcessError occured.
Error occurred running command: '/bin/sh -c sudo service nginx restart'

I had to manually delete the SSL setup from my nginx config and restart Ghost.
This was caused by a rate limit from Let's Encrypt.

What's weird here is that the CLI continues trying to generate my SSL certificate and then it prompts me for SSL parameter generation, but the SSL certificate was never created.

kirrg001 added the bug label Jul 7, 2017

acburdine (Member) commented

I mean technically if the certificate already exists, then the setup should still work. Gonna update the error handling to not output the "renewal" line though - might be confusing.

acburdine added a commit to acburdine/Ghost-CLI that referenced this issue Jul 8, 2017
closes TryGhost#309
- if a user deletes their instance and recreates it with the same domain, then acme will fail to generate the certificate because it already exists & is not due for renewal. We work around this issue by looking for the error and copying the right keys if it already exists
acburdine added a commit to acburdine/Ghost-CLI that referenced this issue Jul 10, 2017
closes TryGhost#309
- if a user deletes their instance and recreates it with the same domain, then acme will fail to generate the certificate because it already exists & is not due for renewal. We work around this issue by looking for the error and copying the right keys if it already exists
acburdine added a commit that referenced this issue Jul 10, 2017
closes #309
- if a user deletes their instance and recreates it with the same domain, then acme will fail to generate the certificate because it already exists & is not due for renewal. We work around this issue by looking for the error and copying the right keys if it already exists
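
The failure mode reported in this issue (the CLI went on to write the SSL configuration although no certificate had been created) can be guarded against by checking the certificate files on disk before nginx is touched. The JavaScript below is an added example, not Ghost-CLI's code or the content of the referenced commits; the exit code used for "not due for renewal", the file names `fullchain.cer` and `<domain>.key`, and all function names are assumptions.

```javascript
// Added example: gate nginx TLS configuration on the certificate really existing.
const fs = require('fs');
const os = require('os');
const path = require('path');

const SKIP_EXIT_CODE = 2; // assumption: ACME client's "not due for renewal" status

// True only if the file is readable and contains the expected PEM header.
function pemPresent(file, header) {
    try {
        return header.test(fs.readFileSync(file, 'utf8'));
    } catch (err) {
        return false; // missing or unreadable file counts as absent
    }
}

// issue: {exitCode} from the issuance step; certDir and file names are assumed.
function decideSslSetup(issue, certDir, domain) {
    const skipped = issue.exitCode === SKIP_EXIT_CODE;
    if (issue.exitCode !== 0 && !skipped) {
        // e.g. a CA rate limit: never write a server block for a missing cert
        return {proceed: false, reason: 'issuance failed'};
    }
    const certOk = pemPresent(path.join(certDir, 'fullchain.cer'),
        /-----BEGIN CERTIFICATE-----/);
    const keyOk = pemPresent(path.join(certDir, `${domain}.key`),
        /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/);
    if (!certOk || !keyOk) {
        return {proceed: false, reason: 'certificate or key missing on disk'};
    }
    return {proceed: true,
        reason: skipped ? 'reusing existing certificate' : 'new certificate issued'};
}

// Constructed cases: placeholder PEM files in a temp directory, no network access.
function runConstructedCases() {
    const domain = 'blog.example.com';
    const empty = fs.mkdtempSync(path.join(os.tmpdir(), 'ssl-empty-'));
    const full = fs.mkdtempSync(path.join(os.tmpdir(), 'ssl-full-'));
    fs.writeFileSync(path.join(full, 'fullchain.cer'),
        '-----BEGIN CERTIFICATE-----\n(constructed)\n');
    fs.writeFileSync(path.join(full, `${domain}.key`),
        '-----BEGIN PRIVATE KEY-----\n(constructed)\n');
    return {
        skippedNoCert: decideSslSetup({exitCode: SKIP_EXIT_CODE}, empty, domain),
        skippedWithCert: decideSslSetup({exitCode: SKIP_EXIT_CODE}, full, domain),
        rateLimited: decideSslSetup({exitCode: 1}, full, domain),
        issued: decideSslSetup({exitCode: 0}, full, domain)
    };
}
```

Only a decision with `proceed: true` should be followed by writing the SSL server block and restarting nginx.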

mathewtrivett commented Jul 11, 2017

Hello Ghost team. I'm having issues with this. I ran a failed install (bad MySQL settings) but it got to generate a cert. I deleted the Ghost instance then tried to run the installer again and it keeps failing on the SSL params file.

What is the best fix to delete the cert and regenerate with Ghost? Actually, I think I might have hit the Let's Encrypt rate limit.

acburdine (Member) commented

@mathewtrivett there are some fixes in master that should be able to help - there will be a new version of the CLI released today so you should be able to get the fixes in a bit.


mathewtrivett commented Jul 11, 2017

Grand, well I'll get it set up without SSL for now. Download the new CLI in 5 days or so and run the setup-ssl program. :) And sorry to jump into pull request comments, just wasn't sure where to put it.
