Use Certbot to Issue a Digital Certificate for Your Site / Nginx

Published: 2024-06-20 | Updated: 2024-06-13

First of all, Certbot requires that DNS for your domain resolves to the IP address of the server where Certbot is being run before a certificate can be issued. This is because the certificate issuance process involves domain validation, where the Certificate Authority (CA) must verify that you control the domain.

So once you have your site in place and successfully serving unsecured content via http (as opposed to https), you’re ready to get your TLS certificate installed.

Issuing a TLS Certificate with Certbot and Nginx

Using Nginx as a reverse proxy, the HTTP-01 challenge is the easiest and most common method used by Certbot. This requires the domain to resolve to the server where Certbot and Nginx are running, so the CA can reach it and verify domain ownership.

Steps to Ensure Successful Certificate Issuance with Nginx

  1. Update DNS Records:

    • Ensure that your domain’s A/AAAA records point to the IP address of your server.
    • Allow some time for DNS propagation, which can vary from a few minutes to several hours.
  2. Verify DNS Resolution:

    • Use tools like dig or nslookup to verify that your domain resolves to the correct IP address:

  3. Configure Nginx for Certbot:

    • Make sure Nginx is running and properly configured to handle HTTP-01 challenges by creating a server block1 that serves the .well-known/acme-challenge directory:

      server {
          listen 80;
          location /.well-known/acme-challenge/ {
              root /var/www/certbot;
  4. Run Certbot with Nginx Plugin:

    • Use the Certbot Nginx plugin to automatically configure Nginx and obtain the certificate:

      sudo certbot --nginx -d

By ensuring that DNS resolves correctly and Nginx is properly configured (or DNS records are updated for DNS-01), Certbot will be able to complete the domain validation process and issue your SSL certificate. If you encounter issues, double-check your DNS settings, Nginx configuration, and ensure that there are no propagation delays.

  1. Nginx server blocks: Keep your nginx config files readable by declaring multiple server blocks. All blocks will be interpreted, and each will define a specific virtual server to handle client requests. You can have as many server blocks as you need and have each one handle a specific connection or set of connections. ↩︎