Protecting the Ghost Login Page With a Free SSL Certificate

If you are using Ghost for a production blog, you should set up an SSL certificate. Without one, every time you log in to your Ghost blog through the /ghost admin interface you send your password across the network in plaintext. If, like me, you work from coffee shops, the library, or really any wifi network, and log in to a Ghost blog that has no SSL certificate, anyone snooping on that network can easily grab your password because it is not encrypted.

We have several Ghost blogs running on DigitalOcean Droplets with Nginx acting as a proxy to Ghost. You can check out our post on how to proxy port 80 to 2368 for Ghost with Nginx if you need help setting up Nginx with Ghost. Once that is set up, you can provide Nginx with the SSL certificate and configure Ghost to protect the login page with https. The following is the process we use to get our free StartSSL certificate and provide it to Nginx.

  1. To get started head over to StartSSL
  2. Click on StartSSL Free (Class 1)
  3. In the upper left hand corner click on "Sign-up For Free"
  4. Fill out the form and click on continue. Be sure to fill out all of the information accurately or it will delay getting your certificate.
  5. Check your email to get the validation code which you will need to paste into StartSSL
  6. Once your account is verified, StartSSL will review your request for a certificate and email you.
  7. Once you receive the email, copy and paste the verification code into the StartSSL page.
  8. This will prompt you to generate a private key which will be used to access your account on the StartSSL website. Select high for the grade.
  9. Once your key is generated click "install". This is going to install the certificate into your local browser. This browser will need to be used in the future to access your StartSSL account. Keep it safe!
  10. Now that you have your StartSSL certificate installed you can access your account and start the generation of your SSL certificate. Click here to go to the StartSSL Control Panel.
  11. Now that you are logged in, click on Authenticate to start the process of proving you are the owner of the domain you want to install the certificate on.
  12. Clicking Authenticate will prompt you to select the certificate you want to use to authenticate who you are. You should only have one option, and it will show the email address you used to sign up.
  13. Now click on "Validation Wizard"
  14. Select Domain Name Validation and click Continue
  15. Enter your domain name and click continue
  16. On this step you will need to select an email address that is registered with your domain that you have access to and click Continue
  17. Check the mailbox for the email account you selected in the previous step and copy and paste the verification code and click Continue
  18. Click on the "Certificates Wizard" tab
  19. For "Certificate Target" select "Web Server SSL/TLS Certificate" and click continue
  20. Fill in the Key Password with a password to protect your certificate. The password can be anything you want; it will only be needed once, a couple of steps from now. Click Continue. Note that it will take a few moments for your certificate to be generated.
  21. Once your private key is generated save it to a file called ssl.key
  22. Now you need to decrypt the key with the following command: openssl rsa -in ssl.key -out private.key. This command will prompt you for the passphrase that you created earlier. You can now delete the ssl.key file.
  23. Click Continue to be taken to the Add Domain page.
  24. Select your domain name from the drop down and click Continue
  25. In the text field fill in your subdomain. This will likely either be www or blog. Click Continue.
  26. On the next page verify your details and click continue.
  27. You have now successfully submitted the information needed for StartSSL to generate your SSL certificate. StartSSL will respond by email within a few hours.
  28. Once StartSSL emails you letting you know your certificate is ready, head over to the Control Panel. Note you may need to click the authenticate link again.
  29. Click on the "Tool Box" tab
  30. Click on the "Retrieve Certificate" link
  31. In the drop down select your domain name and click Continue
  32. On this page you need to copy and paste the contents of your new certificate to a new file called ssl.crt
  33. Now click on the "StartCom CA Certificates" link on the left hand side
  34. On this page you need to download two files:
    • StartCom Root CA (PEM Encoded)
    • Class 1 Intermediate Server CA
  35. You should now have four files:
    • ca.pem - StartSSL's root certificate
    • - StartSSL's intermediate certificate
    • private.key - your private key. Keep this very safe!
    • ssl.crt - your SSL certificate
  36. The last step in preparing your SSL certificate is to combine some of the files. For Nginx you have to combine your chain into one file, which can be done with:
  37. cat private.key ca.pem > <your domain name>.com.pem

    Now rename ssl.crt to <your domain name>.com.crt.

    Now scp the <your domain name>.com.crt and <your domain name>.com.pem files up to your server and place them in /etc/nginx/ssl/
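Before copying the files up, as an added check that is not part of the original post: a small POSIX shell script that confirms private.key is no longer passphrase-protected, that it is really the key for ssl.crt, and that ssl.crt chains through the intermediate to ca.pem, which is what browsers will need to see. The file names follow the list above; the intermediate's file name (whatever you saved the Class 1 Intermediate Server CA download as) is passed in as an argument, and the openssl command is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the StartSSL files
# before they are copied to the server. Requires the openssl command.
set -u

# 0 if the key file is still passphrase-protected (the "openssl rsa" step
# above was skipped), 1 otherwise. Nginx cannot load an encrypted key unattended.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# 0 if the RSA modulus in the private key equals the modulus in the
# certificate, i.e. the key really belongs to ssl.crt; 1 otherwise.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$key_mod" = "$crt_mod" ]
}

# 0 if the certificate ($1) verifies up to the root ($3) through the
# intermediate ($2); 1 otherwise.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage: check_ssl_files private.key ssl.crt <intermediate file> ca.pem
# Prints one line per check and returns non-zero if any check failed.
check_ssl_files() {
    key=$1; crt=$2; intermediate=$3; root=$4; rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is still encrypted; run: openssl rsa -in ssl.key -out private.key"
        rc=1
    fi
    if key_matches_cert "$key" "$crt"; then
        echo "ok:   $key is the private key for $crt"
    else
        echo "FAIL: $key does not match $crt"; rc=1
    fi
    if chain_verifies "$crt" "$intermediate" "$root"; then
        echo "ok:   $crt chains to $root via $intermediate"
    else
        echo "FAIL: $crt does not verify against $intermediate and $root"; rc=1
    fi
    return $rc
}
```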

Nginx Configuration

Now that your SSL certificate is installed, the next step is to configure Nginx to use the certificate.

Alter your Nginx configuration file (/etc/nginx/sites-available/<your domain>) to look like this:

server {
    listen 80;
    listen 443 ssl;
    server_name <your domain name>.com www.<your domain name>.com;
    # the renamed ssl.crt and the .pem file prepared above
    ssl_certificate        /etc/nginx/ssl/<your domain name>/<your domain name>.com.crt;
    ssl_certificate_key    /etc/nginx/ssl/<your domain name>/<your domain name>.com.pem;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # lets Ghost see whether the request arrived over http or https
        proxy_set_header X-Forwarded-Proto $scheme;
        # hand the request to Ghost listening on port 2368
        proxy_pass http://127.0.0.1:2368;
    }
}

Now restart Nginx with: service nginx restart

Ghost Configuration

Lastly, we need to tell Ghost to serve the admin interface over https. In the production section of your config.js, change the url to use https. Ex:

url: 'https://localhost:2368',

Also add the following line inside the production config:

forceAdminSSL: true,

Now go ahead and restart Ghost. When you navigate to <your domain name>.com/ghost you will notice that the protocol is now https and your browser displays a lock icon.