Detect ssl setup with ip address

[kirrg001]

If you install Ghost and you configure an ip address instead of a domain, you will get an error when running ghost setup ssl:

A ProcessError occured.

Error occurred running command: '/bin/sh -c /home/kate/ghost-kate/system/acme.sh --issue --domain 207.154.219.31 --webroot /home/kate/ghost-kate/system/nginx-root --accountemail kate@ghost.org --key-file /home/kate/ghost-kate/system/letsencrypt/privkey.pem --fullchain-file /home/kate/ghost-kate/system/letsencrypt/fullchain.pem'

Ghost-CLI log contains:

touch: cannot touch '/home/kate/.acme.sh/account.conf': No such file or directory
grep: /home/kate/.acme.sh/account.conf: No such file or directory
grep: /home/kate/.acme.sh/account.conf: No such file or directory
/home/kate/ghost-kate/system/acme.sh: 1816: /home/kate/ghost-kate/system/acme.sh: cannot create /home/kate/.acme.sh/account.conf: Directory nonexistent
grep: /home/kate/.acme.sh/account.conf: No such file or directory
[Thu Jul  6 19:19:11 UTC 2017] new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Issuance for IP addresses not supported","status": 400}
[Thu Jul  6 19:19:11 UTC 2017] Please add '--debug' or '--log' to check more details.
[Thu Jul  6 19:19:11 UTC 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

We have to improve the error detection here. Simply checking if the url is an ip address would be helpful, because the error here looks not very clear.

e.g. touch: cannot touch '/home/kate/.acme.sh/account.conf': No such file or directory

SSL won't work with ip addresses.

[acburdine]

What needs to happen here is before ssl generation even is tried, the URL needs to be checked and generation skipped if it's an IP rather than a domain name.

[cobbspur]

Adding this from the discussion in slack.

If a user sets up ssl but previously entered non secure protocol as their url we should update the url in config. Conversely if the user added secure protocol then skips ssl we could downgrade the url to http. The only question is whether or not we don't to do the latter as it is possible a user can setup their own certificate? @ErisDS ?

[sebgie]

We are combining 2 different issues here:

• SSL with IP address

From https://community.letsencrypt.org/t/certificate-for-public-ip-without-domain-name/6082/5:

I think the current Baseline Requirements norm is not to issue certificates for private (RFC 1918-reserved) IP addresses, while certificates for public IP addresses are still permitted. However, Let's Encrypt has decided not to issue certificates for bare IP addresses even if this would be permitted by the Baseline Requirements.

• Ghost SSL config

Is it okay to open a new issue for that, @cobbspur? Ghost supports multiple modes when SSL is available (force SSL for everything, force SSL for admin only, ...) and I'm not sure if we will pick the correct mode automatically?