Those of you who follow my blog may have noticed a completely new look on the site. In a recent blog update I mentioned that I switched from WordPress to Ghost hosted on DigitalOcean as my blogging platform of choice. While Ghost has been an awesome blogging experience so far, there are a few little technical quirks that had me scratching my head for a while - most notably adding a secondary domain to an SSL certificate using Let's Encrypt.

One of the cool things about Ghost is that it has its own CLI, which makes installing free SSL certificates from Let's Encrypt even more of a breeze than using a tool like certbot. This is amazingly easy to use if you just plan on using a single domain:
ghost config url
ghost setup nginx ssl

Now let's say you want to redirect to - if you have the knowledge to host your own Apache / Nginx web server, then doing that is pretty straightforward (using a rewrite rule). However, trying to redirect to the www equivalent results in a big red certificate error. Why? Because your web browser tries to validate the certificate before processing the redirect. Therefore, you need to have a valid SSL certificate for both your non-www and your www domains.

Normally this task is easily handled by fetching a certificate with multiple domain names (also sometimes referred to as a UCC certificate). However, because of the way Ghost handles SEO requests (the proper way), it technically only supports one domain.

Therefore, in order to redirect all non-www versions of your site to the SSL side, you first need to "trick" Ghost by temporarily changing the site url (via Ghost knowledgebase).

Since this article assumes you're running Ghost on DigitalOcean, you should change to the ghost-mgr user:
sudo -i -u ghost-mgr

Now change over to your ghost directory:
cd /path/to/your/ghost/install

Temporarily tell Ghost to use your non-www url:
ghost config url

Now tell Ghost to generate an SSL config for the non-www url:
ghost setup nginx ssl

Now change Ghost back to the 'primary url' for your site:
ghost config url

But you're not done yet! Now you have to tell Nginx to redirect your sites. Navigate to /etc/nginx/sites-enabled (these are symbolic links, so you shouldn't have to hunt for your config files). Locate the non-www, non-SSL config file e.g. and open it using your editor of choice.

Next, add the following line at the bottom of the location section:
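location / {
    # a bunch of stuff you should ignore
    # YOUR-PRIMARY-DOMAIN is a placeholder for the https version of your primary url
    return 301 https://YOUR-PRIMARY-DOMAIN$request_uri;
}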

Save and close the file, and repeat this task for and, but do not do this for Whew! That's a lot of config files! Note: if you want to trim it down, nginx supports combining multiple site configs into one file.

To summarize, what we just did was set up a 301 redirect for each domain that doesn't match the https version of your primary one. Now, whenever a visitor browses to, or, they'll be redirected to instead.
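To confirm the result, the following added example (not part of the original post) probes every non-primary URL variant and reports whether it answers with a 301 to the primary URL or fails certificate validation first. The domain `example.test` and all function names are placeholders chosen for this illustration.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

def variants(primary_url):
    """http/https x www/non-www combinations, minus the primary URL itself."""
    p = urlsplit(primary_url)
    bare = p.hostname[4:] if p.hostname.startswith("www.") else p.hostname
    urls = [f"{s}://{h}/" for s in ("http", "https") for h in (bare, "www." + bare)]
    return [u for u in urls if u != f"{p.scheme}://{p.hostname}/"]

def verdict(status, location, primary_url):
    """A variant passes only if it answers 301 with a Location on the primary URL."""
    if status != 301:
        return f"expected 301, got {status}"
    if not (location or "").startswith(primary_url.rstrip("/") + "/"):
        return f"redirects to {location!r}, not the primary URL"
    return "ok"

def probe(url, timeout=10):
    """HEAD request, redirects not followed. For https the certificate chain and
    hostname are verified first, so an uncovered name fails before any redirect."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(primary_url, probe_fn=probe):
    """Map each variant URL to 'ok' or a description of what is wrong."""
    results = {}
    for url in variants(primary_url):
        try:
            results[url] = verdict(*probe_fn(url), primary_url)
        except ssl.SSLCertVerificationError as exc:
            results[url] = f"certificate error: {exc}"
        except OSError as exc:
            results[url] = f"connection failed: {exc}"
    return results

if __name__ == "__main__":  # usage: python check_redirects.py https://www.example.test/
    report = audit(sys.argv[1])
    print("\n".join(f"{u:32} {r}" for u, r in report.items()))
    sys.exit(any(r != "ok" for r in report.values()))
```

A "certificate error" on the https variant of the secondary host means the certificate step for that host was skipped or failed, since the redirect is never reached until the TLS handshake succeeds.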

Happy blogging!