Unable to Renew Certs on Ghost CMS Installation (Nginx)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bestfedcats.com

I ran this command: /etc/letsencrypt/acme.sh --cron --home "/etc/letsencrypt"

It produced this output: Invalid status, bestfedcats.com:Verify error detail:: Fetching http://bestfedcats.com/.well-known/acme-challenge/NlhD2AGTwoQuqjn-dM9H-8t9q9C73-z80X9-T--WsA8: Timeout during connect (likely firewall problem)

My web server is (include version): VM

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

You need to keep port 80 open.

4 Likes

@linkp thank you for your response but port 80 is open - I've double checked and both Nginx Full and Nginx (v6) are enabled in UFW

1 Like

Not from the public internet. Something else may be blocking it then. Maybe something in your hosting settings?

Try a mobile phone with wifi disabled to use the carrier's network. See if this works:
http://bestfedcats.com
I am pretty sure it won't. Let's Debug can't see your server nor can Let's Encrypt (nor my own test server).

3 Likes

@MikeMcQ Thanks for your feedback - I'll investigate this and report back

2 Likes

Discovered that inbound rules on control panel didn't include port 80

After adding the rule I was able to renew the domain cert but the subdomain cert again failed with the same error.
Is this because of the Nginx redirect using return 301?

1 Like

Which subdomain? Because your www subdomain does not timeout for me. Although it doesn't behave exactly like your root domain so the nginx config may need some adjustment. Do you have both names in the server_name setting?

# www redirects HTTP Challenge to HTTPS
curl -I -m8 http://www.bestfedcats.com/.well-known/acme-challenge/Test404
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://bestfedcats.com/.well-known/acme-challenge/Test404

# base domain does not redirect
curl -I -m8 http://bestfedcats.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
2 Likes
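For readers hitting the same two symptoms MikeMcQ's curl checks show (the www name answering a 301 to HTTPS for the challenge path, and the root domain answering 404 from a different server block), the usual shape of a working port-80 server block looks like the following. This is an added illustration, not the config from this thread, from Ghost, or from acme.sh; it assumes acme.sh (or any webroot-mode client) is told to write challenge files under /var/www/letsencrypt (an assumed path; use whatever webroot your client is configured with).

```nginx
# Added example, not the poster's config. One HTTP server block that
# covers BOTH hostnames, so the challenge for the www name is not caught
# by a different block that only knows how to redirect.
server {
    listen 80;
    listen [::]:80;
    server_name bestfedcats.com www.bestfedcats.com;

    # Serve ACME HTTP-01 challenges over plain HTTP, before any redirect.
    # "^~" makes this prefix match win over the generic location below.
    # /var/www/letsencrypt is an assumed webroot; point your ACME client
    # (acme.sh --webroot /var/www/letsencrypt) at the same directory.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS, keeping the original hostname and path.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After editing, `nginx -t && systemctl reload nginx`, then repeat the two `curl -I -m8` probes from the post above: both names should now return 404 for a nonexistent token (the block is reached and the file simply does not exist), and neither should return 301 for the challenge path. A timeout on either name points back at a firewall or hosting-panel rule on port 80, not at nginx.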

@linkp @MikeMcQ thanks again for advice and guidance - your assistance is greatly appreciated!

As suggested, I will double check the nginx config to ensure that everything operates optimally.

3 Likes