Use Certbot to Issue a Digital Certificate for Your Site / Nginx

Published: 2024-06-20 | Updated: 2024-06-13
Posts Enable a Site in Nginx Docker Disk Maintenance One-Command PiHole Update Boilerplate Nginx Config File Certbot TLS with Nginx Domain Validation Challenges with Certbot List In-Use Docker Ports Hugo Static vs Assets Folders Hugo Docker Development Environment Golang Slugify Function Hugo Remove List Duplicates Loop Variable Captured by Func Literal Golang Friendly Date Converter Hugo Install on MacOS One-Liner to Update PiHole Page Folder Name Google Tags to Hugo Site Debounced Scroll-To-Top Button Hugo Custom 404 Page Reboot or Power Down Ubuntu System Apache Cheatsheet Ubuntu Apache Global Servername Customize Hugo Page Type Hugo Most Recent Posts Hugo Most Recently Updated Posts Digital Certificates with Certbot Site Content Best Practices Ubuntu Certbot Install Sample Apache vhost.conf

First of all, Certbot requires that DNS for your domain resolves to the IP address of the server where Certbot is being run before a certificate can be issued. This is because the certificate issuance process involves domain validation, where the Certificate Authority (CA) must verify that you control the domain.

So once you have your site in place and successfully serving unsecured content via http (as opposed to https), you’re ready to get your TLS certificate installed.

Issuing a TLS Certificate with Certbot and Nginx

Using Nginx as a reverse proxy, the HTTP-01 challenge is the easiest and most common method used by Certbot. This requires the domain to resolve to the server where Certbot and Nginx are running, so the CA can reach it and verify domain ownership.

Steps to Ensure Successful Certificate Issuance with Nginx

  1. Update DNS Records:

    • Ensure that your domain’s A/AAAA records point to the IP address of your server.
    • Allow some time for DNS propagation, which can vary from a few minutes to several hours.

  2. Verify DNS Resolution:

    • Use tools like dig or nslookup to verify that your domain resolves to the correct IP address:

      dig yourdomain.com
nslookup yourdomain.com

  3. Configure Nginx for Certbot:

    • Make sure Nginx is running and properly configured to handle HTTP-01 challenges by creating a server block1 that serves the .well-known/acme-challenge directory:

      server {
    listen 80;
    server_name yourdomain.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

  4. Run Certbot with Nginx Plugin:

    • Use the Certbot Nginx plugin to automatically configure Nginx and obtain the certificate:

      sudo certbot --nginx -d yourdomain.com

By ensuring that DNS resolves correctly and Nginx is properly configured (or DNS records are updated for DNS-01), Certbot will be able to complete the domain validation process and issue your SSL certificate. If you encounter issues, double-check your DNS settings, Nginx configuration, and ensure that there are no propagation delays.

  1. Nginx server blocks: Keep your nginx config files readable by declaring multiple server blocks. All blocks will be interpreted, and each will define a specific virtual server to handle client requests. You can have as many server blocks as you need and have each one handle a specific connection or set of connections. ↩︎

certbot nginx tls ubuntu