plenty of hacks - home

NGINX + certbot = auto-renewing TLS/SSL magic

Please allow me to show you a super-sweet setup. I have used this setup several times now and it has proven to be a simple and effective way to get sites up and running with A+ TLS configuration and auto-renewing certificates.

All of this is based upon Debian 10, but I am sure your favorite distribution will be very similar.


First let's get some base requirements installed:

apt update
apt upgrade
apt install nginx certbot

Make your nginx site config and symlink it.

Important note: Comment-out the 2nd server block in your nginx config until you have the certificate generated.

Contents of /var/nginx/sites-available/

server {

    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge/ {
        root /var/www/;
        try_files $uri =404;

    # I suggest un-commenting this line
    # to force redirects after your initial
    # TLS certificate.
    #return 301 https://$host$request_uri;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    try_files $uri @proxy;

    location @proxy {
        proxy_pass http://localhost:3000;


Symlink your site configuration:

ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Restart nginx:

systemctl restart nginx

Run certbot to get your certificates:

certbot certonly --webroot --webroot-path /var/www/ -d -d --expand

Generate strong parameters for maximum TLS security:

openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096


Now you can un-comment the 2nd server block in your nginx site configuration and restart nginx in order to enable TLS.

Restart nginx:

systemctl restart nginx

Test your site at SSL Labs and hopefully you see an A+ score!

One more thing.

Make sure you renew your certificate on a regular basis. I renew my certificates by entering a crontab like such (as root):

0 0 * * * certbot renew