SSL with TurnKey Ghost AMI


TurnKey is a group that provides Debian based system images that come pre-installed with some great open-source software. This allows end users to quickly and easily deploy "turn key" solutions like Ghost. In this post I'll go over some issues I had enabling SSL while using the TurnKey Ghost AMI and how to resolve them.

SSL allows for secure, encrypted communication between client and host. It gives end users peace of mind by verifying that you are who you say you are. If you want to know more about SSL, check out this great overview by Cloudflare.

Once the TurnKey Ghost AMI was deployed I browsed to my site but was presented with an SSL warning asking me to confirm whether I wanted to continue. The AMI usage documentation mentions that this is due to the self-signed cert that is generated on install and that we'll need to replace it with a CA-signed cert. So while SSL is supported out of the box, we'll need to do some configuration to get it working as expected.

The TurnKey image comes with Webmin, a web-based UI that you can use to manage your instance. Access the UI by adding :12321 to the end of your URL and use the credentials provided during setup. Here I tried to generate SSL certs with Let's Encrypt, but this threw an error, something about needing to use ACMEv2 instead of v1. They point you here for more info, but honestly, I have no idea what they're talking about.

Hitting a dead end with Webmin I tried Certbot, a tool to generate and renew Let's Encrypt certs. First I tried the --webroot option so I wouldn't have to stop Ghost. This failed most likely due to the server not serving hidden directories, an issue noted in their install instructions. Not wanting to go down that rabbit hole I tried the --standalone option. This also failed with an error about trouble binding to port 80, even though I ran ghost stop.

Hmm, this isn't turning out to be so turn-key. Some googling suggested running ghost setup ssl; you'll need to run this from the install directory (cd /opt/ghost). This threw an error, "Nginx config file does not exist, skipping SSL setup", which was odd as the file was present at /etc/nginx/nginx.conf. Next I found myself in the ghost-cli documentation, where I finally found ghost setup nginx ssl; you'll need to run this with sudo privileges.

Ok, now we're getting somewhere. In the output I can see that Nginx is being configured, then Let's Encrypt is installed, then the certs are generated, great! Of course this command doesn't exit cleanly, reporting that it cannot restart Nginx and pointing to an error log. Tail this file and we can see the issue:

nginx: [emerg] the size 10485760 of shared memory zone "SSL" conflicts with already declared size 52428800 in /etc/nginx/snippets/ssl-params.conf:5

Finally, I promise, this was the root cause. It seems ssl_session_cache is declared twice: once in the file referenced in the error message and again in /etc/nginx/include/ssl, which is included from /etc/nginx/sites-enabled/ghost. So to resolve this issue I simply commented out this line in the ssl-params.conf file, figuring the setting referenced in the actual ghost config is the desired one.
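As an added example (my own check, not part of the original post or of TurnKey/ghost-cli), here is a small shell script that finds exactly this condition before Nginx does: an ssl_session_cache "shared:NAME:SIZE" zone declared more than once with different sizes anywhere under a config directory. It normalises k/m/g suffixes to bytes so 10m and 10485760 compare equal, ignores commented-out lines (which is how the post fixes it), and runs against constructed sample files; the 10m and 50m values are assumed from the byte counts in the error message above.

```shell
#!/bin/sh
# Report ssl_session_cache shared zones whose name is reused with a different size.
# Exit status: 0 = no conflicts, 1 = at least one conflict (the nginx [emerg] case).
check_ssl_zones() {
  # lines with a '#' before the directive are commented out and ignored
  grep -rHnE '^[^#]*ssl_session_cache[[:space:]]+shared:' "$1" | awk '
    {
      # grep output is "path:lineno:content"; split on the first two colons only
      i = index($0, ":"); path = substr($0, 1, i - 1); rest = substr($0, i + 1)
      j = index(rest, ":"); lineno = substr(rest, 1, j - 1); content = substr(rest, j + 1)
      if (!match(content, /shared:[A-Za-z0-9_]+:[0-9]+[kKmMgG]?/)) next
      split(substr(content, RSTART, RLENGTH), f, ":")
      zone = f[2]; size = f[3]
      n = size + 0                       # numeric prefix, e.g. "10m" -> 10
      u = substr(size, length(size))     # trailing unit, if any
      if (u ~ /[kK]/) n *= 1024; else if (u ~ /[mM]/) n *= 1048576; else if (u ~ /[gG]/) n *= 1073741824
      if (zone in bytes && bytes[zone] != n) {
        printf "conflict: zone \"%s\" is %d bytes at %s:%s but %d bytes at %s\n", \
               zone, n, path, lineno, bytes[zone], where[zone]
        conflicts++
      } else if (!(zone in bytes)) {
        bytes[zone] = n; where[zone] = path ":" lineno
      }
    }
    END { exit (conflicts > 0) }'
}

# Demo on constructed files that mimic the two declarations described in the post
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/snippets" "$d/include"
  printf 'ssl_session_cache shared:SSL:10m;\n' > "$d/snippets/ssl-params.conf"   # 10485760 bytes
  printf 'ssl_session_cache shared:SSL:50m;\n' > "$d/include/ssl"                # 52428800 bytes
  check_ssl_zones "$d" || echo "-> nginx would refuse to start"
  # the fix from the post: comment out the duplicate in ssl-params.conf
  printf '# ssl_session_cache shared:SSL:10m;\n' > "$d/snippets/ssl-params.conf"
  check_ssl_zones "$d" && echo "-> no conflicting zones"
  rm -rf "$d"
}

demo
```

Run it as-is to see the demo, or call check_ssl_zones /etc/nginx on a real host before restarting Nginx.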

So now you guys know; I am who I say I am!


I'm not sure if the ghost implementation will handle renewal though...