Certbot - Install Certificate in Nginx

From PiRho Knowledgebase
Revision as of 13:20, 14 March 2026 by Dex (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

This article explains how to obtain and install free Let’s Encrypt TLS certificates on an Nginx server using Certbot. It covers the prerequisites, the installation process, how the Nginx plugin works, and what to expect during renewal.

Certbot provides an automated, secure, repeatable method for enabling HTTPS on Linux web servers.

Context

When deploying a public-facing website or API, HTTPS is no longer optional. TLS certificates:

  • protect confidentiality and integrity
  • prevent browser warnings
  • improve user trust and SEO
  • are required by modern security expectations

Let’s Encrypt provides free, automated certificates, and Certbot is the recommended ACME client for managing them.

Prerequisites

Before running Certbot, ensure the following:

  • A domain name pointing to your server
  • Nginx installed and serving content
  • Port 80 open (required for HTTP-01 validation)
  • Administrative (sudo) access on the server

Installing and Running Certbot with Nginx

Certbot can automatically detect your Nginx configuration, update the server blocks, and apply HTTPS securely.

Run:

sudo certbot --nginx

During this process, Certbot will:

1. Detect your server blocks (virtual hosts) 2. Ask which domains you want to enable HTTPS for 3. Request a certificate from Let’s Encrypt 4. Update your Nginx configuration 5. Reload Nginx to apply the certificate

How the Nginx Plugin Works

The Certbot Nginx plugin:

  • Parses the existing server blocks
  • Inserts the correct 'listen 443 ssl;' directives
  • References the certificate and private key
  • Adds modern TLS settings, DH parameters, and HSTS (optional)
  • Performs a reload, not a restart, to avoid downtime

Automatic Renewal

Certbot installs an automated renewal timer. You can test renewal manually:

sudo certbot renew --dry-run

Let’s Encrypt certificates renew every 90 days.

Troubleshooting

Nginx not detected

Certbot may not detect Nginx if:

  • Nginx is not installed through standard paths
  • Configuration files are in non-standard locations
  • There is a parsing error in /etc/nginx/sites-enabled/*

HTTP‑01 validation fails

Common causes:

  • Port 80 blocked by firewall
  • Incorrect DNS records
  • Multiple vhosts for the same domain
  • Reverse proxies not passing requests correctly

Renewal fails intermittently

Often caused by:

  • Temporary DNS outages
  • Changing IPs without updating DNS
  • Manual edits to Certbot-generated configuration

Best Practices

  • Use the redirect option to enforce HTTPS
  • Keep your Nginx configuration clean
  • Avoid duplicating server blocks
  • Separate www and non-www
  • Monitor renewal logs in /var/log/letsencrypt/

References