Adding SSL to Ghost for free using CAcert

Update - CAcert was a "better than nothing" approach in 2014. Now you're better off using LetsEncrypt.

It's a good idea to use SSL when managing Ghost. If you don't, grabbing your password is trivial for anyone on your network who has Wireshark, which is free. SSL might seem like a pain if you have to run your own certificate authority, or an annoying expense if you don't. Fortunately there's an alternative, CAcert, which issues free SSL certificates. CAcert is an attempt to reduce our reliance on commercial SSL certificate providers. Given the abominable state of security on the web I think it's safe to say "trust this website because a company paid some other company for a cert" is a broken model. Certs can verify you're connecting to the machine you think you are (in this case your own machine), but aren't a substitute for diligence.

The advice here is a great way to secure your connection to your own blog for doing things that require logging in, like writing articles, changing passwords, etc. However, because CAcert is only included by default in a few Linux distros at this point (and none of the major browsers), your readers will probably continue to access your blog via normal http.

Here's what you need to do.

  • If you haven't already, get yourself a domain name and make sure the whois includes an email address that can reach you. Alternatively, be sure that root@yourdomain.com is an address at which you can receive mail.
  • Browsers aren't configured to accept certs from CAcert automatically, so you need to add their root certificate. In Firefox, all you have to do is visit http://www.cacert.org/index.php?id=3 and click on "Root Certificate (PEM Format)" - Firefox will do the rest for you.
    • If you're the paranoid type - good! Check the signature on their cert.
  • Your browser should now be configured properly. To find out, go to https://cacert.org and see if a warning is generated. If not, click "join" and enter your details.
  • Now that you have an account set up, add your domain (under Domains -> Add) - this is why we made sure your whois has a valid email address!
  • Go to wiki.cacert.org/CSRGenerator and download the csr.sh script they've provided to generate a CSR. It's a simple shell script, so you can check the code easily if you're wary of it.
    • Generate the CSR with sh csr.sh. This should generate a key file. Copy it to /etc/nginx/ssl.
    • Copy the CSR text from your shell, and use it to generate a new cert at cacert.org.
  • When a cert has been generated, save it to /etc/nginx/ssl/server.pem. You can simply copy the cert text and paste it into vim if that's easier.
  • Edit your config options with sudo vim /etc/nginx/sites-available/ghost.conf to include a few new things, in particular listening to port 443 and the locations of your cert and key. It should look similar to the following:
server {
    # Keep serving plain HTTP on 80 for readers, and add TLS on 443 for logging in
    listen 80;
    listen 443 ssl;

    server_name yoursite.com;
    # Don't append a port number to redirects that nginx issues
    port_in_redirect off;

    # The cert issued by CAcert and the key that csr.sh generated
    ssl_certificate        /etc/nginx/ssl/server.pem;
    ssl_certificate_key    /etc/nginx/ssl/privatekey.pem;

    location / {
        # Pass the real client address and the original scheme (http or https) on to Ghost
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        proxy_set_header   Host      $http_host;
        # Ghost's default listener on localhost
        proxy_pass         http://127.0.0.1:2368;
    }
}
  • Then, restart nginx, probably with sudo service nginx restart, and you should be good to go!

Note that if you have issues connecting via https you might need to open port 443; check your modem/router if you're hosting Ghost on a local machine. Also, now would be a good time to remove any extraneous copies of your private key (the privatekey.pem file referenced earlier).
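Before the restart it is worth checking that the files nginx is about to load actually fit together. The following is an added example, not part of the original post or of CAcert's csr.sh: a few openssl checks that the cert matches the private key, that it validates against the CAcert root you imported, and that the key isn't readable by other users. It assumes the paths used above plus a copy of the CAcert root saved as /etc/nginx/ssl/cacert-root.pem (that filename is an assumption).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the paths the post uses
# plus the CAcert root saved as /etc/nginx/ssl/cacert-root.pem (an assumption).
set -eu

# The public key in server.pem must equal the one derived from the private key;
# if csr.sh was run more than once, the cert may belong to a key you discarded.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The cert must verify against the root you imported into Firefox, otherwise
# the browser will keep warning even though the root is installed.
cert_chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The private key must be readable only by its owner (nginx reads it as root
# at startup): mode 600 or 400, never group- or world-readable.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run every check, print one line each, and return non-zero if any failed.
check_tls_files() {
    rc=0
    cert_matches_key "$1" "$2" && echo "ok: cert matches key" || { echo "FAIL: cert/key mismatch"; rc=1; }
    cert_chains_to_root "$1" "$3" && echo "ok: chains to root" || { echo "FAIL: cert does not verify against $3"; rc=1; }
    key_perms_ok "$2" && echo "ok: key permissions" || { echo "FAIL: $2 is group/world readable"; rc=1; }
    return $rc
}

# Usage on the server: sh tlscheck.sh --check, then sudo nginx -t before restarting.
if [ "${1:-}" = "--check" ]; then
    check_tls_files /etc/nginx/ssl/server.pem /etc/nginx/ssl/privatekey.pem /etc/nginx/ssl/cacert-root.pem
fi
```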