Certbot - Install Certificate in Nginx: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
[[Category:certbot]] | [[Category:certbot]] | ||
[[Category:Nginx]] | [[Category:Nginx]] | ||
== Summary == | |||
This article explains how to obtain and install free Let’s Encrypt TLS certificates on an Nginx server using Certbot. It covers the prerequisites, the installation process, how the Nginx plugin works, and what to expect during renewal. | |||
Certbot provides an automated, secure, repeatable method for enabling HTTPS on Linux web servers. | |||
== Context == | |||
When deploying a public-facing website or API, HTTPS is no longer optional. | |||
TLS certificates: | |||
* protect confidentiality and integrity | |||
* prevent browser warnings | |||
* improve user trust and SEO | |||
* are required by modern security expectations | |||
Let’s Encrypt provides free, automated certificates, and Certbot is the recommended ACME client for managing them. | |||
== Prerequisites == | |||
Before running Certbot, ensure the following: | |||
* A domain name pointing to your server | |||
* Nginx installed and serving content | |||
* Port 80 open (required for HTTP-01 validation) | |||
* Administrative (sudo) access on the server | |||
== Installing and Running Certbot with Nginx == | |||
Certbot can automatically detect your Nginx configuration, update the server blocks, and apply HTTPS securely. | |||
Run: | |||
<pre> | <pre> | ||
sudo certbot --nginx | sudo certbot --nginx | ||
</pre> | </pre> | ||
During this process, Certbot will: | |||
1. Detect your server blocks (virtual hosts) | |||
2. Ask which domains you want to enable HTTPS for | |||
3. Request a certificate from Let’s Encrypt | |||
4. Update your Nginx configuration | |||
5. Reload Nginx to apply the certificate | |||
== How the Nginx Plugin Works == | |||
The Certbot Nginx plugin: | |||
* Parses the existing server blocks | |||
* Inserts the correct 'listen 443 ssl;' directives | |||
* References the certificate and private key | |||
* Adds modern TLS settings, DH parameters, and HSTS (optional) | |||
* Performs a reload, not a restart, to avoid downtime | |||
== Automatic Renewal == | |||
Certbot installs an automated renewal timer. | |||
You can test renewal manually: | |||
<pre> | |||
sudo certbot renew --dry-run | |||
</pre> | |||
Let’s Encrypt certificates renew every 90 days. | |||
== Troubleshooting == | |||
=== Nginx not detected === | |||
Certbot may not detect Nginx if: | |||
* Nginx is not installed through standard paths | |||
* Configuration files are in non-standard locations | |||
* There is a parsing error in /etc/nginx/sites-enabled/* | |||
=== HTTP‑01 validation fails === | |||
Common causes: | |||
* Port 80 blocked by firewall | |||
* Incorrect DNS records | |||
* Multiple vhosts for the same domain | |||
* Reverse proxies not passing requests correctly | |||
=== Renewal fails intermittently === | |||
Often caused by: | |||
* Temporary DNS outages | |||
* Changing IPs without updating DNS | |||
* Manual edits to Certbot-generated configuration | |||
== Best Practices == | |||
* Use the redirect option to enforce HTTPS | |||
* Keep your Nginx configuration clean | |||
* Avoid duplicating server blocks | |||
* Separate www and non-www | |||
* Monitor renewal logs in /var/log/letsencrypt/ | |||
== References == | |||
* https://certbot.eff.org/instructions?ws=nginx&os=snap | |||
* https://letsencrypt.org/ | |||
* https://nginx.org/en/docs/http/configuring_https_servers.html | |||
Revision as of 13:19, 14 March 2026
Summary
This article explains how to obtain and install free Let’s Encrypt TLS certificates on an Nginx server using Certbot. It covers the prerequisites, the installation process, how the Nginx plugin works, and what to expect during renewal.
Certbot provides an automated, secure, repeatable method for enabling HTTPS on Linux web servers.
Context
When deploying a public-facing website or API, HTTPS is no longer optional. TLS certificates:
- protect confidentiality and integrity
- prevent browser warnings
- improve user trust and SEO
- are required by modern security expectations
Let’s Encrypt provides free, automated certificates, and Certbot is the recommended ACME client for managing them.
Prerequisites
Before running Certbot, ensure the following:
- A domain name pointing to your server
- Nginx installed and serving content
- Port 80 open (required for HTTP-01 validation)
- Administrative (sudo) access on the server
Installing and Running Certbot with Nginx
Certbot can automatically detect your Nginx configuration, update the server blocks, and apply HTTPS securely.
Run:
sudo certbot --nginx
During this process, Certbot will:
1. Detect your server blocks (virtual hosts) 2. Ask which domains you want to enable HTTPS for 3. Request a certificate from Let’s Encrypt 4. Update your Nginx configuration 5. Reload Nginx to apply the certificate
How the Nginx Plugin Works
The Certbot Nginx plugin:
- Parses the existing server blocks
- Inserts the correct 'listen 443 ssl;' directives
- References the certificate and private key
- Adds modern TLS settings, DH parameters, and HSTS (optional)
- Performs a reload, not a restart, to avoid downtime
Automatic Renewal
Certbot installs an automated renewal timer. You can test renewal manually:
sudo certbot renew --dry-run
Let’s Encrypt certificates renew every 90 days.
Troubleshooting
Nginx not detected
Certbot may not detect Nginx if:
- Nginx is not installed through standard paths
- Configuration files are in non-standard locations
- There is a parsing error in /etc/nginx/sites-enabled/*
HTTP‑01 validation fails
Common causes:
- Port 80 blocked by firewall
- Incorrect DNS records
- Multiple vhosts for the same domain
- Reverse proxies not passing requests correctly
Renewal fails intermittently
Often caused by:
- Temporary DNS outages
- Changing IPs without updating DNS
- Manual edits to Certbot-generated configuration
Best Practices
- Use the redirect option to enforce HTTPS
- Keep your Nginx configuration clean
- Avoid duplicating server blocks
- Separate www and non-www
- Monitor renewal logs in /var/log/letsencrypt/