Top Menu

Let’s Encrypt | SSL Certificate For Ghost Blog Running Ubuntu + NGINX


  1.  A server running nginx with root access via SSH
  2. An installation of ghost located at

  3. wget (which should come out of the box with Ubuntu
  4. DNS correctly pointing at your server.  I always run my domains through CloudFlare for security and to help caching and page performance.  Note if you do this, under the Crypto tab you want SSL set to “Full (Strict)”.

5. Some patience if you fail at first :)

Let’s Do This or Let’s Encrypt


As encryption, privacy, safety and now even SEO rankings continue to be topics of discussion among the internet’s common discussion points, there is a new need to encrypt your traffic using SSL (Secure Socket Layer).  The problem is that typically SSL certificates were expensive, and  a pain in the ass to install.  Couple that with deploying a node application like Ghost which serves its content over port 2368, which your web browser would never know existed unless the server told it to go there when you visit  a site.  The process bridging the gap between port 80 (default http port that you view all your web content with) and a port such as 2368 needs to be communicated by a server, in this case nginx works very nicely to achieve this outcome.

That’s great, and let’s assume you did some light googling and found a boilerplate nginx config file to pass along traffic to your Ghost blog, you set up your DNS with something like and everything is working nicely.  Well, to throw a wrench in your success I am challenging you to dig a little deeper and think about the possibility of adding an SSL certificate to your site so that visitors are secure as is all communication on your server.  You might say something like:

Dude, I am not paying $119 a year for this, for a few points scored with Google.

I agree, I wouldn’t either.  But there is a new certificate authority called “Let’sEncrypt” that issues valid SSL certificates for your site and all you need is a basic guiding hand and a decent knowledge of the command line to obtain and install a certificate and begin sending your visitors to port 443 instead of the traditional 80.

So if you are like me I have my webroot of my ghost blog located at


Now we need to obtain our certificate and key, add them to our site’s config file and tell Ghost the url of our site is going to be https not http.  First let’s set up our nginx configuration file for our site.  It is located under

Before I enable SSL on my site I should have something that looks like the sections of this config file that ARE NOT commented out.

So for now any line beginning with “#”, just ignore for the time being.  For our server routing trafic over port 80 we don’t have:

This section that is currently commented out is telling the server “hey, when a request comes to visit the root url or “/” redirect the traffic to a port that is set by the line:

The 2368 is the previously mentioned default port that runs ghost.  So nginx is rerouting direct traffic to the server to your Ghost web application.  So back to ssl, so we can uncomment our ssl server from our ghost nginx server configuration file.  In order to properly set up SSL with Let’s Encrypt, you have to have the A record of your domain pointing to the correct IP of your server, along with the subdomain ‘www’ should you choose to use that as well.  We will also need to modify Ghost’s configuration file to match the https protocol.  Let’s start with the Ghost config.js file.

Don’t restart ghost just yet we still need to get our certificate.  In the terminal run:

Now it is time to uncomment all of the lines in our ghost nginx configuration file located at /etc/nginx/sites-available/ghost

your new configuration should look like this:

Now save that file.   Test the configuration by running

That’s it, you now have traffic to your Ghost blog set up with SSL using nginx and certbot auto.  No more outrageous fees to enjoy your right to a more secure private web browsing experience.

, , , , ,

3 Responses to Let’s Encrypt | SSL Certificate For Ghost Blog Running Ubuntu + NGINX

  1. Cameron Banowsky July 21, 2017 at 1:13 AM #

    If you want to renew the ssl you need to run some commands:

    the command line argument is: certbot renew –renew-hook /path/to/renew-hook-script

    You can also write a script:

  2. ASH July 20, 2017 at 3:14 PM #

    Thanks for the article. But what about renewing the certificate?
    Apparently, you need the “.well-known” to be accessible for the renewing. Ghost router won’t direct that. How to manage to do so?

  3. Richard Ward January 20, 2017 at 12:14 AM #

    I love Let’s Encrypt! Unless all your visitors still run Windows XP, it’s an excellent choice for most things. Hopefully it’ll be around for a long time to come.

Leave a Reply

Are you real? * Time limit is exhausted. Please reload CAPTCHA.