Ghost SSL Setup

Please help me with the issues below. What kind of setup do I need to do on the DNS settings?

My domain is:

I ran this command: ghost setup ssl

It produced this output: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/ --issue --home /etc/letsencrypt --domain --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail
[Sat Sep 26 02:26:17 UTC 2020] error:DNS problem: NXDOMAIN looking up A for - check that a DNS record exists for this domain
[Sat Sep 26 02:26:17 UTC 2020] Please add '--debug' or '--log' to check more details.
[Sat Sep 26 02:26:17 UTC 2020] See:

My web server is (include version): Debug Information:
OS: Ubuntu, v18.04.5 LTS
Node Version: v12.18.4
Ghost Version: 3.34.1
Ghost-CLI Version: 1.14.1

The operating system my web server runs on is (include version): OS: Ubuntu, v18.04.5 LTS

My hosting provider, if applicable, is: Google Cloud VM

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Hi @vscript,

With this method, the certificate authority is trying to connect to each name listed in the requested certificate. As you can see, you requested to be one of those names, so the certificate authority would like to connect to it to verify that you own it.

But right now in DNS, has an A record pointed at, which is an invalid address that nobody can connect to. This is different from the record for, which has two A records, for and If is going to be hosted on the same server, you should update its A record so it will be possible to connect to it at the same address as

If it's not going to be hosted on the same server, the current method that you're using to obtain a certificate will not be able to obtain a certificate that covers In that case you should either use a different method, or leave out of this certificate entirely and request a separate certificate for it from the server where it is actually going to be hosted.

I hope that helps!


Thanks @scheon!!

My scenario is will be pointed to - A record IPs and will be pointed to self hosted ghost blog in google cloud platform vm - A record IP is

I'm trying to run the SSL from Please let me know if I'm doing something wrong?


That setup is fine, but

① you should point the DNS name to the Google Cloud Platform VM before requesting a certificate for it (Let's Encrypt expects it to be "up and running" already using the kind of method that you're using)

② you should request separate certificates for and using software running directly on their respective servers

If the server where you were running the software (with the commands you showed above) is the GCP service at, then try changing the DNS A record for to point there first, and then request the certificate only for that name, not for the base domain name. In this case, you should also see if Firebase support or the Firebase community (I don't know anything about this platform) can advise you about how to get a certificate up and running there—it might require a totally separate process managed by Firebase.

Let's Encrypt certificates can be obtained by lots of different software (there are several dozen applications to request them in different software environments), but a common pattern is that the certificate should usually be requested on the same server where it will ultimately be used, by running software on that server, as its administrator or with the help of its administrator, with the DNS records already in place first. (While there are alternatives to this, they're usually quite a bit more complicated and may require a deeper understanding of Let's Encrypt and your individual environment.)
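
The DNS-first rule from the replies above, as an added example (not part of the original thread or of any tool mentioned in it): a pre-flight check that resolves every name planned for the certificate and compares the result with the address of the server running the ACME client. The function names, status labels and the sample zone (example.com with documentation-range IPs) are assumptions constructed for illustration.

```python
import socket

def resolve_a(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:          # NXDOMAIN or no A record
        return set()
    return {info[4][0] for info in infos}

def preflight(names, server_ip, resolver=resolve_a):
    """Classify each certificate name before an HTTP-01 request is made."""
    report = {}
    for name in names:
        addrs = set(resolver(name))
        if not addrs:
            report[name] = "no-a-record"      # CA would fail with a DNS problem
        elif addrs == {server_ip}:
            report[name] = "ok"
        elif server_ip in addrs:
            report[name] = "partial"          # validation may reach another host
        else:
            report[name] = "elsewhere"        # request it on that server instead
    return report

def names_safe_to_request(report):
    """Names whose only A record is this server."""
    return sorted(n for n, status in report.items() if status == "ok")

# Constructed sample zone (example.com and documentation IP ranges, not from the thread).
SAMPLE_ZONE = {
    "example.com": {"198.51.100.10", "198.51.100.11"},    # hosted on another platform
    "blog.example.com": {"203.0.113.7"},                  # this VM
    "old.example.com": {"203.0.113.7", "198.51.100.10"},  # stale extra record
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "blog.example.com", "old.example.com"]
    report = preflight(wanted, "203.0.113.7", sample_resolver)
    for name in wanted:
        print(f"{name:20} {report[name]}")
    print("request certificate for:", names_safe_to_request(report))
```

The check covers A records only; if a name also has AAAA records, extend the resolver to compare those as well.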


Thanks again for clearly pointing out what needs to be done. Now, I have to rerun the "ghost setup ssl" from only for Have a good one!! Thanks Again!


This is my DNS setting. I have the DNS A set for and running the certbot command from that server resulted in the error below

~$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: "\n<!doctype html>\n\n \n Site Not Found\n <link href='"


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Invalid response from
    []: "\n<!doctype html>\n\n \n

    Site Not Found\n <link href='"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Started understanding but really confused now.

It looks like is being sought at and thus a 502 Bad Gateway is being returned.

To start, you should...

Delete the A record because the blog record is the correct record.

This does nothing for you: 599 IN A

Delete the old _acme-challenge TXT record because they're never needed after a certificate is issued.

I'm looking into the wrong ip part... :thinking:

Yes... That's why I'm confused. That's the A record for the primary domain Please refer to the screenshot attached. I'm trying to set up SSL for the subdomain


I extended my previous post, so don't miss that.

Curiously, both and are both serving the correct certificate. I'm also getting the right IP address ( with several different tools. Cached IP lookup perhaps? Slow propagation?


Let me give it some time and try it tonight to avoid any propagation issues.

I may have found the culprit:

To host a static site in Cloud Storage, you need to create a Cloud Storage bucket, upload the content, and test your new site. You can serve your data directly from, or you can verify that you own your domain and use your domain name.


I highly recommend you carefully read and follow the instructions here:


It seems your knowledge/advice has gone into deaf eyes...
I still see:


I did not work on the issues last night. Just deleted it.

Also, I ran sudo certbot and got this message. But I'm unable to conclude what fixed the issue, propagation issue or extra entry of the same server IP to

Congratulations! You have successfully enabled

Thanks a lot everyone!!!


Glad you got it working. Let us know if you run into any further trouble. :slightly_smiling_face:

