SSL Certificate Problem With Digital Ocean Ghost Droplet

August 26, 2014

Hi Everyone,

I’m trying to set up a StartSSL certificate on my server. My server is the Ghost one-click application image. I have updated Ghost to the newest version though, if that makes a difference.

I have followed StartSSL’s instructions first and then opened port 443 in IPTables. I have also looked at other configuration tutorials such as

In an effort to better debug, I have done the following:

If I do sudo netstat -plunt

I see these lines:

tcp        0      0   *               LISTEN      9431/nginx      
tcp        0      0    *               LISTEN      9431/nginx      

This to me looks as though nginx is correctly looking on both port 80 and port 443.

If I do nmap this being the server’s IP address, I get:

22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

My nginx configuration is:

root@NodeJSGhostBlog:/etc/nginx/conf.d# nano default.conf 

  GNU nano 2.2.6                      File: default.conf                                                  

server {
    listen 80;

    client_max_body_size 10M;

    location / {
            proxy_pass http://localhost:2368/;
            proxy_set_header Host $host;
            proxy_buffering off;
    }
}

# HTTPS Server

server {
    listen 443 ssl;

    ssl on;
    ssl_certificate LOCATION/TO/CERT/HERE;
    ssl_certificate_key LOCATION/TO/KEY/HERE;

    ssl_session_timeout 5m;

Yet if I try to load, it fails with:

It correctly loads almost instantly though.

Any help about what I’m missing would be greatly appreciated.

Thank you!

2 Answers

Fixed! What happened was the IPTables rule was not in the correct order:

To check this:

iptables -nL --line-numbers

Then I had to put it before the DROP rule by using the following commands:

iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
service iptables-persistent save
service iptables-persistent restart

The IPTables output then looks something like this (modified for safety reasons):

REJECT     all  --  anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
DROP       all  --  anywhere             anywhere   
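
The ordering problem described in the answer above (an ACCEPT rule placed after a catch-all DROP is never reached) can be checked mechanically. The following is an added example, not part of the original thread: `find_shadowed` and `sample_listing` are hypothetical names, and the listing is constructed to show the state before the fix.

```shell
#!/bin/sh
# Added example. find_shadowed and sample_listing are hypothetical names.
# Usage on a live host: iptables -nL --line-numbers | find_shadowed INPUT
# Prints one line per ACCEPT rule that sits after a catch-all DROP/REJECT
# in the named chain and so can never match.
# Limitation: without -v the listing omits interface matches, so a DROP
# bound to one interface is indistinguishable from a catch-all here.
find_shadowed() {
    awk -v chain="$1" '
        # A "Chain NAME (...)" header starts a new chain: reset state.
        $1 == "Chain" { in_chain = ($2 == chain); blocker = 0; next }
        # Skip other chains and the column-header line.
        !in_chain || $1 !~ /^[0-9]+$/ { next }
        {
            # Fields: num target prot opt source destination [matches...]
            extra = ""
            for (i = 7; i <= NF; i++) extra = extra " " $i
            # Protocol "all" may also be printed numerically as 0.
            any = (($3 == "all" || $3 == "0") &&
                   $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0")
            if (!blocker && any && ($2 == "DROP" || $2 == "REJECT") &&
                (extra == "" || extra ~ /^ reject-with [^ ]+$/)) {
                blocker = $1    # first rule that ends traversal for all traffic
                next
            }
            if (blocker && $2 == "ACCEPT")
                print $1, "shadowed-by", blocker ":" extra
        }'
}

# Constructed listing: the 443 rule was appended after the DROP rule.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
EOF
}

sample_listing | find_shadowed INPUT
```

An empty result means no ACCEPT rule in the chain follows a catch-all DROP or REJECT.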