Jeremy Davis's picture

I've just had a message from Fritz. He's been trying (unsuccessfully) to post a new forum thread to get some assistance. I've tweaked his website user account in the hope that that might resolve the issue, but also it seems not. So I'm reposting his message here so we can discuss it publicly (he seems to be able to reply ok?!). Anyway Fritz's message:

I'm using the Ghost appliance to host a blog at my home behind my router. This is working fine. However because the appliance defaults to SSL when anyone visits my site they get that annoying "Your connection to this site is not secure". I've going in a few directions to resolve this.
The first was to turn off SSL because this is just a hobby site. However, I've been unable to turn it off. I've tried multiple edits in the config file but have only found that I crash the site instead of turning off the SSL or redirecting the site to HTTP. A guess is that the appliance has hooks into Node and Ghost that preclude Nginx.
The second thought was to get a SSL cert via Lets Encrypt. Through the error messages I've found that ddns appears to fail because the company I use (no-ip) doesn't support SSL certs from 3rd party folks. Strangely, the address I have through them is one of there own. Shouldn't they support that? Or I'm missing something in the process.
An addendum to this that I might be able to use Lets Encrypt if I get a cert of my own through a registered domain name. It's not a cost I'd like to chase down, but I understand it's something that might need to be considered.
Anyhoo, any ideas would be great!
Fritz
Forum: 
Fritz Ferrante's picture

Thanks Jeremy!  

Jeremy Davis's picture

So first up, apologies that I was a little slow with this response. FWIW I did start it ages ago (around the time I did the original post) but I got sidetracked with other tasks.

Anyway, it'd be useful to know the version of the appliance that you are using. If you're not sure, then please post the output of:

turnkey-version

Regardless, whether it defaults to https or http depends on how it was configured when first set up. The firstboot script allows you to set a domain, and if you don't also include a schema (i.e. http:// or https://), then it defaults to https.

So one way to get rid of the https would be to try re-running the firstboot script and set it as http. Having said that, I would encourage you to do a backup before you do that just in case it breaks something (it shouldn't but I can't be 100% certain...).

Alternatively, judging from the reading of the firstboot script, it appears that the only place where the schema is set is within the config file; /opt/ghost/config.production.json. So editing that file and changing the https to http would probably work.

From what I can tell (e.g. this thread or perhaps even this thread) there is no restriction on getting a no-ip Let's Encrypt certificate (although YMMV depending on the exact domain you are using). So I'm pretty sure that it should be possible.

If you are self hosting (e.g. on a home computer with port forwarding configured in your router), then no-ip are only providing your with DDNS (dynamic domain name services). I'm not aware of any way that they could stop you from using a third party SSL/TLS cert. But perhaps there's some vital info I'm missing?!

Having said that, I note that they suggest on their "Knowledge Base" that it's not possible to get SSL certs for NO-IP domains!? But backing my assertion is a tutorial to get a Let's Encrypt cert using DNS validation.

Bottom line is, I suspect that the issue is something particular to your setup. If your domain (i.e. not the sub-domain, but the 3LD or perhaps 2LD) is listed on the public suffix list then you should be good (note that there are a number of no-ip domains listed there).

And another alternative would be to use a tklapp.com domain. If you sign up to the TurnKey Hub, then you can get a free tklapp.com sub domain and I have tested them with Let's Encrypt certificates and they appear to work fine. Please note that to sign up to the Hub, you need to enter a valid credit card and link to an AWS account. After signup, you can adjust the Hub plans you are subscribed to as desired (see the plans and pricing here) and if you don't launch any servers or store any backups, then you shouldn't get billed by AWS either. If you only plan to use the Hub's dynamic DNS, then please ensure that you downgrade to free Hub plans to avoid the risk of being billed for something you don't want/need. If you have any issues at all with the Hub, please get in touch via the Hub chat or via support AT turnkeylinux.org.

Fritz Ferrante's picture

Wow Jeremy, thank you for that incredibly thorough and thoughtful response.  I'll try to answer things consecutively.  

First the version I'm using is turnkey-ghost-15.3-stretch-amd64.  

So, I ran the install again and made sure I picked http:// and sure enough things appear to be working!  You can see it here at http://obfuscator.ddns.net .

I see you found the same knowledge article I found as well from No-IP.  Because they actually own the ddns.net address they won't support SSL.  Sounds weird right?  But at least it explains it.  

If I pursue a domain name then I'll have to rerun the install and start over.  I'm scratching my chin about the effort and if it's important on a hobby site.  I'll give it more thought.

Thanks for the info on the TKLapp domains.  I hadn't realized that was an offer.

 

P.S. This probably needs to go into another forum post, but just wondering about updating ghost since PM2 is deprecated.  Their version is up to v3 and due to the way TK ghost is setup it doesn't appear to go.

 

 

Jeremy Davis's picture

Despite that knowledge base page, ddns.net is on the public suffix list (submitted by a NO-IP representative I note) so it should work with Let's Encrypt?! I suspect that the KB page only applies to 3rd party purchased certificates (you need to provide documented ownership of a domain to purchase a certificate for it from a 3rd party). Because Let's Encrypt does not require documentation to generate a cert (just proof of control via the serving the required challenges or DNS settings) I suspect that it doesn't apply to Let's Encrypt certificates (and your issue lays somewhere else). I'd be interested to see the specific error messages that you get when you try (if you want to try again).

Anyway, re your updating/upgrading experience, could you please elaborate? TBH, I have quite limited experience with ghost, but I'm generally pretty handy with this sort of stuff... :)

How have you tried to update? What was the specific result? If you get an error message, then please post it verbatim.

FWIW a quick google lead me to this tutorial which looks promising on face value. This official page also looks of value. And the ghost-cli doc page might also be useful?! Finally the page that notes changes between versions might also be worth a read.

Fritz Ferrante's picture

Hey Jeremy, 

I'll get you the info tomorrow when I'm back at the office.

Jeremy Davis's picture

It's Friday morning here (I'm in Australia), so I may not respond again until Monday, but please post back with the info when you get a chance and I'll reply ASAP.

Fritz Ferrante's picture

Hey Jeremy,

So to be clear I've reinstalled the whole appliance when I said I ran the reinstall wizard.  I wanted to make sure that was clear.  If there is a way to run the start up wizard independent of the install I wasn't aware of how to do that.

On to Dehydrated/Lets Encrypt - I run confconsole (in /var/lib/dehydrated) it appears to start fine, but errors out.

+ Error: an error occurred while sending post-request to htps://acme-v01.api.letsencrypt.org/acme/new-reg (status 400)

Details:

{ "type": "urn:acme:error:badNonce",
"detail": "JWS had no anti-replay nonce",
"status": 400 }
 

So, with only a little searching it appears that dehydrated might be out of date based on the badNonce error, but I'm all over the place with that stuff.  I'm not sure where to look honestly.  I was still looking at no-ip as the cluprit, but maybe not.

On to Upgrade! - I cd over to /opt/ghost and run npm i -g ghost-cli@latest.  This works fine.
Then I run ghost update and get this:

It looks like Ghost was installed using the root user.
You need to create a user with regular account privileges and migrate your installation to this user.
There's a guide to fixing your setup here: https://ghost.org/faq/root-user-fix/.

In the past I ran through the rigamarole to create and move the install and ended up breaking ghost altogether requiring a reinstall.   The instructions at https://ghost.org/faq/root-user-fix/ are desceptively simple, but I've never been able to do it correctly and I think this is because of the use of /var/www/ghost as the "regular" working directory for ghost.  In the appliance it's /opt/ghost.  Maybe we could just fiddle a bit with that?

Fritz

Jeremy Davis's picture

Changing from https to http (or vice versa)

There should have been no need to re-install from scratch. Apologies that I didn't spell out how to manually rerun the firstboot script. I often suffer from the curse of knowledge. When I don't, I often tend to go the opposite direction and get bogged down in the minutia and often important bits are buried...

Anyway, you can rerun the ghost firstboot script (that I linked to in my first post) manually like this:

/usr/lib/inithooks/bin/ghost.py

FWIW, as an aside, any files in the appliance buildcode that are in the overlay directory (link to Ghost's overlay directory as an example; but this applies to all appliances) end up on your server, relative to the root ('/') directory. So 'overlay/usr/lib/inithooks/bin/ghost.py' ends up as '/usr/lib/inithooks/bin/ghost.py'. (Just to confuse you, there are some exceptions to that rule, where files are only used during the build and later removed, but generally, they should always be within overlay/usr/local/...). If you are at all curious just ask and I'll do my best to explain.

Having said that, firstboot scripts are only written to be run at firstboot. They must be able to run multiple times without destroying the pre-installed application, but they aren't tested with user data. So there is a risk (albeit small) that it may wipe out your data (it shouldn't, but I can't be 100% sure). So if you do re-run a firstboot inithook, make sure that you have a backup of your data first.

As an additional point, looking at the ghost firstboot script I can only see the schema (i.e. the 'http://' or 'https://' bit) being set in the ghost config file ('/opt/ghost/config.production.json'). So another alternative would be to edit that file and swap any mention of https with http. Be careful to make sure that the formatting is correct. json files have a very specific format and whilst they're relatively easy to read by humans, they are machine readable, so messing up formatting will break them. I'd offer a sed line to do the swap for you, but I don't have a ghost appliance handy and would need to double check against the config file before I'd be willing to provide one. (FYI 'sed' is a neat way to edit files in place programatically). If you'd like to paste your Ghost config file here, I could provide you with one.

But obviously re-installing from scratch also works... :)

Dehydrated/Let's Encrypt

Re Dehydrated, yes we have an issue with that currently (actually a few separate issues that all occurred around the same time). We have a proper fix in the pipeline, but I still need to do final testing and package it so that users can easily apply the fix.

In the meantime, you can try the (slightly convoluted) workaround documented on the first post on the relevant issue. But please note that it only works reliably when you are using a single domain (I tested with 2 and it also worked, but others ave reported it can be hit and miss, even with 2). So that may well have been the issue you hit? Although it's worth noting that only occurred relatively recently (about a month, month and a half ago). So if you had issues before then, then these newer problems may not be related to your previous issue.

Updating Ghost

Re updating Ghost. Firstly, that page you link to is for when Ghost is installed as the root user, to the root user's home directory. As you note, we install Ghost to /opt/ghost, but we don't install ghost as root user, we install it via a generic limited 'node' user (all of our nodejs based apps use that same user account).

FWIW there are some upgrade instructions documented on the appliance page (look for the "Supervised Manual Ghost Update" heading). Although, I note that they probably need an update to use the 'ghost-cli' tool instead of being completely manual.

So the only part of those instructions that you link to that are relevant on a TurnKey appliance, would be the very last line:

su - node

As per the upgrade instructions on the appliance page, you can use the '-c' switch to just run specific commands as the node user (rather than completely change to that user account via the above command). E.g. to run "some command" as the node user in your Ghost install directory:

cd /opt/ghost
su -c 'some command' node

FWIW you could use double quotes around the 'some command' instead of single quotes, but they have slightly different meaning in bash, so if something isn't working as you expect, you could retry with the other quotes.

As you've already run some commands in /opt/ghost as root (as the message that you get notes), then that's likely changed (read; broken) some of the Ghost file/directory permissions. This should restore them to what they should be:

chown -R node:node /opt/ghost

So to do the upgrade using the ghost-cli as the 'node' user, my reading suggests that this should do the trick:

cd /opt/ghost
su -c 'npm i -g ghost-cli@lates' node
su -c 'ghost update' node

Note that I haven't tested that, so YMMV. I hope that helps. Please let us know how it goes.

Fritz Ferrante's picture

Hey Jeremy,

Thanks again for the very thorough notes.  I should have mentioned that I'd attempted various paths to deal with dehydrated before being thoroughly flummoxed.  In the case 499347401 I attempted the same recommended steps, but when I get to:

wget $GH_URL/$GH_HOOK -O $SH_HOOK
cp $SH_HOOK $CC_HOOK

I get:

wget $GH_URL/$GH_HOOK -O $SH_HOOK
wget: option requires an argument -- 'O'
wget: missing URL
Usage: wget [OPTION]... [URL]...

I tried replaced the URL with the long string from github, but I'm not sure that's where I was supposed to point or if my syntax was correct.

Ghost Update

Since we can disregard PM2 since it's not in this appliance I went straight to this command in /opt/ghost:

su -c 'ghost update' node

It now asks for the Sudo password (for the Node account I assume) which none of mine work on.  Is this a super secret thing?  Can you DM me or put it in the forum?  

Jeremy Davis's picture

Sudo will ask for a password, but su shouldn't?! So I'm not quite sure what is going on there... I'll have to set up a Ghost server myself and have a closer look sometime soon (please bump me if you don't hear anything in the next few days).

In the meantime, there is now a "proper" fix for Let's Encrypt (Confconsole/Dehydrated) with the release of Confconsole v1.1.1. It's not yet available from our repos (although will be soon) and still requires some specific steps to install and set up on a v15.x server (although better than instructions published previously).

Please note that users who have already updated via various other means are still recommended to install this update as it includes reliability fixes for add-water; our custom challenge mini-server. Please see the release notes for full step by step setup and further info - instructions cover both new and existing users.

Any issues, please ask. Any feedback (e.g. anything that isn't clear, etc). Please ask.

Fritz Ferrante's picture

Hey Jeremy,

I attempted the confconsole upgrade/fix this morning, but I might be having fat fingers on this one.  I've attempted to use the console to get a cert in the past, but I've never been successful, but I thought I'd back up the folder just in case.  However, when I try to accept the ToS there is no longer the /var/lib/dehydrated folder since it was moved.  

# INFO: Using main config file /etc/dehydrated/config
ERROR: BASEDIR does not exist: /var/lib/dehydrated

I feel like I'm doing something wrong on this one for sure.  Did I delete something I should have not?

On the flip side I run confconsole and it's not giving the old errors...

Jeremy Davis's picture

Sorry about that Fritz, that was quite likely my bad. I was pretty sure that I tested the full, specific set of instructions, but perhaps not?!

It should be an easy fix though:

mkdir -p /var/lib/dehydrated/acme-challenges

I'll test it in a sec and come back with either a confirmation, or ... In the meantime, I've also added that line to the instructions.

Although when you say:

On the flip side I run confconsole and it's not giving the old errors...

Do you mean that even despite that error, it all still appears to work ok?! FWIW I would have expected it to either "just work" (everywhere), or not at all...

Jeremy Davis's picture

Yep, that was all my fault... TBH, I'm not sure quite what happened there and can only put it down to working too many hours and juggling too many things at once. Deep apologies on leading you astray.

I have just updated both my previous post (above) and the v1.1.1 release notes/instructions with the command that is required.

In your case, this is all you should need:

mkdir -p /var/lib/dehydrated/acme-challenges
/usr/bin/dehydrated --register --accept-terms

Then assuming that you don't already have domains set up, launch confconsole (and select "Advanced" >> "Lets encrypt", etc):

confconsole

Thanks so much for posting with your feedback so quickly. Hopefully we should be all good now.

FWIW, I've just launched a Ghost server with the hope of looking into your Ghost specific issue. Hopefully I'll have something for you on that shortly...

Fritz Ferrante's picture

Oh Jeremy!  I don't know how much to thank you for that!  I'm squared away for let's encrypt!  

If I'm ever in Australia, I'll buy you a beer.  

I'll try to get the Zapier to work now, since https seemed to be the hold up.  

I hope you sort out the update soon, but it's not critcal of course.  

Thanks for taking time to make this a priority!

 

Fritz

Jeremy Davis's picture

Turns out that it was a bit more involved than I had anticipated. So to try to make the most out of the situation, I decided to post it as a "blog post tutorial"... :)

You can find it here, but be warned it's pretty long... I tested it all on a vanilla v15.3 Ghost appliance, so it should all "just work". Hopefully my rambling. meandering style of writing doesn't make it harder to follow than it needs to be! I sometimes get caught up in trying to explain things and giving the full context and that doesn't always translate to clarity...

Please leave any feedback you have either here and/or in the post comments.

Good luck with it all.

Add new comment