Set up Ghost and installed Let's Encrypt cert under wrong email address, and HTTPS only works in Chrome


#1

Hi, thank you for your time.

Essentially, I installed Ghost on my new Ubuntu 16.04 droplet over on Digital Ocean. Everything went smoothly until I was an idiot and inputted the wrong email address on the Let’s Encrypt setup part. At the time this email was not working and I did not and have still not received any emails regarding the domain. I tried changing the email address in the accounts.conf file in the directory /etc/letsencrypt. This did not work. And, I also tried running the following Certbot command with the following output:

sudo certbot register --update-registration -m newemail@example.com

I get the following returned from this command:

“Could not find an existing account to update.”

As you can see from the output this did not work. Following this, I have also noticed HTTPS only works in Chrome. In both Firefox and Edge, you can only connect to the site using HTTP, which I don’t understand. When I check the domain on sslshopper.com it passes and says it has a certificate that runs out on 11/09/2018.

If you guys can help me fix these issues and change the email address associated with this so I get emails from Let’s Encrypt about the domain, that would be great.

Below is as much information as I could fill out from the questions.

My domain is: conermurphy.com

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

Thank you for your help. If you need any further information please let me know.

Thank you.


#2

Hi @conerm,

I don’t use Ghost, but it seems they are using acme.sh to issue the certificates. Checking the docs, you should update your account email using this command:

/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --update-account --accountemail whatever@example.com

The reason is because your certificate has been revoked and Chrome doesn’t care but Firefox and Edge do.

I suppose you revoked it so you should issue a new certificate.

Cheers,
sahsanu
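
The browser difference described in reply #2 can be reproduced offline. This is an added example, not part of the thread: it assumes the `openssl` CLI is installed, uses a throwaway CA and the placeholder name `demo.example`, and lets a local CRL stand in for whatever revocation source a browser consults.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CA and leaf for the placeholder name demo.example.
# Nothing here contacts Let's Encrypt or any real host.
revocation_demo() {
  local d rc
  d=$(mktemp -d) || return 1
  (
    set -e
    cd "$d"
    # Minimal config: CA extensions for `req`, database settings for `ca`.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
default_md = sha256
default_crl_days = 7
EOF
    : > index.txt
    # Throwaway root CA, then a leaf certificate signed by it.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=demo.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -out leaf.pem 2>/dev/null
    # Revoke the leaf and publish a CRL that lists it.
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
    # Client that validates chain and dates only (no revocation lookup).
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
    then a=accepted; else a=rejected; fi
    # Client that also consults revocation data, here the CRL.
    if openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check leaf.pem >/dev/null 2>&1
    then b=accepted; else b=rejected; fi
    echo "no_revocation_check=$a crl_check=$b"
  )
  rc=$?
  rm -rf "$d"
  return "$rc"
}
revocation_demo
```

The same certificate passes the first check and fails the second, which is why a site checker that only looks at the chain and expiry date can report a revoked certificate as fine.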


#3

Hi @sahsanu,

Thank you for your reply.

I have entered the command you gave me and have received the following output:

[Thu Jun 14 12:54:39 UTC 2018] Registering account
[Thu Jun 14 12:54:40 UTC 2018] Already registered
[Thu Jun 14 12:54:40 UTC 2018] ACCOUNT_THUMBPRINT='XXX'

There is a string of characters in the account thumbprint bit, I just didn’t know whether it would be wise to put that publicly so I left it out.

Also, I had to sudo the command as without sudo it produced:

touch: cannot touch ‘/etc/letsencrypt/http.header’: Permission denied
[Thu Jun 14 12:54:10 UTC 2018] Only RSA or EC key is supported.

Is this okay then? Sorry to ask questions that may be stupid just want to make sure it is okay.

Also, because the account is already registered, going by that output, will all future renewal notifications go to that email rather than the old one?

Would you be able to provide me with a command to do this so I can be sure I got it right? Probably take me hours to figure it out.

Thank you for your help, I appreciate it a lot.

Cheers,

Coner


#4

Yes, seems so.

If acme.sh updated the account correctly, and it seems it did, then yes, you should receive future notifications at the new email address.

As you already have the cert, you could force the renewal, but as I said, I don’t use Ghost so I don’t know whether this is the best way to do it. Anyway, you could try this command:

/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --renew --force -d conermurphy.com

If you get a new cert, restart Ghost so it can load the new certificate.

Good luck,
sahsanu


#5

It seems to have worked. It issued me a new certificate on that domain. I have also restarted nginx and Ghost.

And, the new certificate seems to be showing on Firefox and Edge so I’m going to say it has worked.

Thank you for all of your help. This has been baffling me since it happened. Hopefully, I should get the emails through close to the renewal time to see if that has worked, as I haven’t seen any yet since I changed it.

Once again thank you for your help.

Cheers,

Coner

