Let's Encrypt with Nginx (Certbot)

Set up free automated SSL/TLS certificates from Let's Encrypt with Nginx using Certbot. Covers installation, auto-renewal, wildcard certs, and webroot.

Setup

Detailed Explanation

Let's Encrypt provides free, automated SSL/TLS certificates trusted by all major browsers. Combined with the Certbot client, you can secure your Nginx server with HTTPS in minutes and automate the entire certificate renewal lifecycle.

Installing Certbot

# Ubuntu/Debian (distribution package; upstream's preferred install is the snap,
# "sudo snap install --classic certbot", which tracks current Certbot releases)
sudo apt update
sudo apt install certbot python3-certbot-nginx

# CentOS/RHEL and rebuilds such as Rocky/Alma: certbot is shipped in EPEL,
# so enable that repository first
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx

Obtaining a Certificate

The Nginx plugin finds the server block whose server_name matches each name you pass, adds the ssl_certificate, ssl_certificate_key and related directives to it, and can add an HTTP to HTTPS redirect:

sudo certbot --nginx -d example.com -d www.example.com

Certbot proves control of each name with the HTTP-01 challenge: it temporarily serves a token at http://<name>/.well-known/acme-challenge/<token> through Nginx, so DNS must already point at this server and port 80 must be reachable from the internet for every name in the request (if a name has an AAAA record, Let's Encrypt will validate over IPv6). After issuance it writes the certificate paths into the configuration, reloads Nginx, and asks whether to redirect HTTP to HTTPS (pass --redirect or --no-redirect to answer non-interactively).

Webroot Mode

If you prefer to keep full manual control over your Nginx configuration, use webroot mode instead. Add a location block for the ACME challenge to the server block that listens on port 80 for the domain (Let's Encrypt fetches the challenge over plain HTTP), and make sure the directory exists and is readable by the Nginx worker user. Certbot writes each token to /var/www/certbot/.well-known/acme-challenge/<token>, which is why the directive is root rather than alias:

location /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

Then request the certificate without modifying the Nginx configuration:

sudo certbot certonly --webroot -w /var/www/certbot -d example.com

Manual SSL Configuration

After obtaining certificates via webroot mode, point Nginx at the files under /etc/letsencrypt/live/example.com/. These are symlinks that Certbot repoints at each renewal, so the paths in your configuration never change:

server {
    listen 443 ssl http2;
    server_name example.com;

    # fullchain.pem = leaf + intermediate; cert.pem alone leaves many clients unable to build the chain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

Two caveats before you run nginx -t and reload. First, options-ssl-nginx.conf and ssl-dhparams.pem are written by Certbot's Nginx plugin; on a host where only certonly --webroot has ever run they may not exist, in which case set ssl_protocols TLSv1.2 TLSv1.3 and the cipher settings yourself, or create the files from the copies shipped inside the certbot-nginx package. Second, this block can only be loaded once the certificate files exist: keep the port-80 block with the ACME location live on its own, obtain the certificate, then add the 443 block. On Nginx 1.25.1 and later, http2 inside the listen directive is deprecated in favour of a separate http2 on; directive; the old form still works with a warning.
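
The webroot procedure above, end to end, as an added example (my script, not code from the page or from the Certbot project). It assumes the Debian/Ubuntu layout of /etc/nginx/sites-available and sites-enabled, a webroot of /var/www/certbot, and site content under /var/www/<domain>; the preflight fetch and its optional base-URL argument are my additions. It orders the steps so that the 443 block is only written after the certificate exists, checks the challenge path from outside before contacting the CA, and makes a --dry-run pass against staging before the real request.

```shell
#!/bin/sh
# Added example, not code from the page or the Certbot project. Webroot issuance end
# to end. Order matters: the 443 block references certificate files, so it cannot
# pass nginx -t until Certbot has created them; the port-80 block goes live first.
# Assumed paths: webroot /var/www/certbot, Debian/Ubuntu sites-available layout.
set -eu

# Port-80 block: answers HTTP-01 challenges itself and sends everything else to
# HTTPS. Printed to stdout so it can be reviewed before being written.
render_http_block() {
  domain="$1"; webroot="$2"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};

    location /.well-known/acme-challenge/ {
        root ${webroot};
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Port-443 block, appended only once /etc/letsencrypt/live/<domain>/ exists.
# fullchain.pem carries the intermediate; cert.pem alone breaks chain building.
render_https_block() {
  domain="$1"
  cat <<EOF

server {
    listen 443 ssl http2;  # on nginx >= 1.25.1 prefer "listen 443 ssl;" plus "http2 on;"
    listen [::]:443 ssl http2;
    server_name ${domain} www.${domain};

    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    root /var/www/${domain};
}
EOF
}

# Preflight: drop a throwaway token in the webroot and fetch it over plain HTTP
# by hostname, the way the CA will. Returns non-zero if the body does not match.
# The optional third argument (an assumption of this script) overrides the base URL.
check_challenge_path() {
  domain="$1"; webroot="$2"; base="${3:-http://${domain}}"
  dir="${webroot}/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir"
  printf '%s' "$token" > "${dir}/${token}"
  body="$(curl -fsS --connect-timeout 5 --max-time 10 "${base}/.well-known/acme-challenge/${token}")" || body=""
  rm -f "${dir}/${token}"
  [ "$body" = "$token" ]
}

# Whole procedure; run as root.
setup_webroot_tls() {
  domain="$1"; email="$2"; webroot="${3:-/var/www/certbot}"
  site="/etc/nginx/sites-available/${domain}"
  mkdir -p "$webroot"
  render_http_block "$domain" "$webroot" > "$site"
  ln -sf "$site" "/etc/nginx/sites-enabled/${domain}"
  nginx -t && systemctl reload nginx
  check_challenge_path "$domain" "$webroot" || {
    echo "challenge path is not served for ${domain}; check DNS, port 80 and the config" >&2
    return 1
  }
  # --dry-run talks to the staging CA and saves nothing: costs no production rate limit.
  certbot certonly --webroot -w "$webroot" -d "$domain" -d "www.${domain}" \
    --email "$email" --agree-tos --no-eff-email --dry-run
  # Real issuance. The deploy hook is stored in the lineage's renewal config and
  # re-run by every future "certbot renew" that actually renews this certificate.
  certbot certonly --webroot -w "$webroot" -d "$domain" -d "www.${domain}" \
    --email "$email" --agree-tos --no-eff-email \
    --deploy-hook "nginx -t && systemctl reload nginx"
  render_https_block "$domain" >> "$site"
  nginx -t && systemctl reload nginx
}

# Usage: sh setup-tls.sh apply example.com admin@example.com [/var/www/certbot]
if [ "${1:-}" = "apply" ]; then
  setup_webroot_tls "$2" "$3" "${4:-}"
fi
```

Run it as root with `sh setup-tls.sh apply example.com admin@example.com`. The preflight fetch fails for the same reasons the CA's validation would (wrong DNS, port 80 filtered, the location block in the wrong server block), but it fails locally and without consuming a failed-validation allowance.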

Automatic Renewal

Let's Encrypt certificates expire after 90 days by design to encourage automation. Certbot renews any certificate with 30 days or less remaining whenever certbot renew runs; the Debian/Ubuntu packages schedule that run with a systemd timer named certbot.timer, the snap package with snap.certbot.renew.timer, and some packages use a cron entry instead (systemctl list-timers shows whichever timer is installed). Confirm both that a renewal would succeed and that something is actually scheduled to run it:

# Verify renewal works correctly (runs against the staging CA and saves nothing)
sudo certbot renew --dry-run

# Check the renewal timer status (snap.certbot.renew.timer for the snap package)
sudo systemctl status certbot.timer

Post-Renewal Hook

Nginx reads certificate files only at startup or on reload, so after a renewal it keeps serving the old certificate until it is reloaded. A deploy hook runs once for each certificate that actually renewed successfully, rather than after every attempt as --post-hook does:

sudo certbot renew --deploy-hook "systemctl reload nginx"

Passed on the renew command line, the hook applies to that invocation. To make it run on every automatic renewal, either give --deploy-hook when the certificate is first obtained, so Certbot stores it in that certificate's renewal configuration under /etc/letsencrypt/renewal/, or place an executable script in /etc/letsencrypt/renewal-hooks/deploy/, which Certbot runs after any successful renewal regardless of how certbot renew was started.
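
A deploy hook done the way I would ship it, as an added example (mine, not code from the page or the Certbot project). It installs a script into Certbot's renewal-hooks/deploy directory so the reload happens no matter how certbot renew was started, and it tests the Nginx configuration before reloading, so a renewal cannot take the server down if someone left a broken config behind. The hook file name reload-nginx.sh is my choice, and the --run-deploy-hooks flag in the status function is assumed to exist in your Certbot release.

```shell
#!/bin/sh
# Added example, not code from the page or the Certbot project. Installs a deploy
# hook in the directory Certbot scans after every successful renewal, so the reload
# happens however "certbot renew" was started (timer, cron, or by hand). The hook
# refuses to reload when "nginx -t" fails, so a stray config error does not turn a
# routine renewal into an outage. Hook file name reload-nginx.sh is an assumption.
set -eu

install_deploy_hook() {
  dir="${1:-/etc/letsencrypt/renewal-hooks/deploy}"
  hook="${dir}/reload-nginx.sh"
  mkdir -p "$dir"
  # Quoted heredoc: nothing expands now; the script below is written verbatim.
  cat > "$hook" <<'EOF'
#!/bin/sh
# Run by Certbot once per renewed certificate. Certbot exports RENEWED_LINEAGE
# (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS.
set -eu
log() { logger -t certbot-deploy "$*" 2>/dev/null || printf '%s\n' "$*"; }
if nginx -t; then
  systemctl reload nginx
  log "reloaded nginx after renewal of ${RENEWED_DOMAINS:-?} (${RENEWED_LINEAGE:-?})"
else
  # The new files are on disk and will be picked up by the next successful reload;
  # exiting non-zero makes Certbot report the hook failure in its log and output.
  log "nginx -t failed; NOT reloading, ${RENEWED_DOMAINS:-?} still served with the old certificate"
  exit 1
fi
EOF
  chmod 0755 "$hook"
  printf '%s\n' "$hook"   # return the path for the caller
}

# After installing: show which scheduler will run "certbot renew", then do a full
# dry run. Deploy hooks are skipped in dry runs unless --run-deploy-hooks is given
# (assumed available in your Certbot release; older ones lack the flag).
renewal_status() {
  systemctl list-timers --all 'certbot*' 'snap.certbot*'
  certbot renew --dry-run --run-deploy-hooks
}

# Usage as root: sh deploy-hook.sh install
if [ "${1:-}" = "install" ]; then
  install_deploy_hook "${2:-}"
  renewal_status
fi
```

Because the hook lives in the renewal-hooks directory rather than in one lineage's renewal configuration, it also covers certificates added later and is not lost if a renewal configuration file is regenerated.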

Wildcard Certificates

Wildcard certificates (*.example.com) can only be obtained with the DNS-01 challenge: Certbot proves control by having a TXT record published at _acme-challenge.example.com, and Let's Encrypt does not issue wildcards over HTTP-01. The base domain is listed separately because the wildcard does not cover it:

sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

In --manual mode Certbot prints the TXT value and waits while you create the record by hand, and a certificate obtained this way cannot renew unattended unless you also supply --manual-auth-hook and --manual-cleanup-hook scripts. For fully automated wildcard renewal, use a DNS provider plugin such as certbot-dns-cloudflare or certbot-dns-route53 (Debian/Ubuntu: python3-certbot-dns-cloudflare; snap: sudo snap install certbot-dns-cloudflare after sudo snap set certbot trust-plugin-with-root=ok) that creates and removes the required TXT records through the provider's API. The API credential it needs can alter your DNS, so scope it to the zone and keep the credentials file readable by root only.
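
Automated wildcard issuance with the Cloudflare plugin, as an added example (mine, not code from the page or the Certbot project). It assumes the token arrives in an environment variable named CF_DNS_TOKEN and is stored at /etc/letsencrypt/cloudflare.ini; both names are mine. The point it adds beyond the paragraph is credential handling: the token goes into a file created 0600 and is never placed on a command line, where it would be visible in ps output and shell history.

```shell
#!/bin/sh
# Added example, not code from the page or the Certbot project. Automated wildcard
# issuance with certbot-dns-cloudflare. The API token is read from the environment
# (CF_DNS_TOKEN, an assumed variable name) and written to a 0600 credentials file;
# it is never passed as a command-line argument. Assumed credentials path:
# /etc/letsencrypt/cloudflare.ini.
set -eu

# Write the INI file the plugin expects. A token scoped to Zone:DNS:Edit on the
# one zone is preferable to the legacy account-wide API key.
write_cloudflare_credentials() {
  path="$1"; token="$2"
  (
    umask 077   # file is created 0600 from the start, never briefly world-readable
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path"
  )
  ls -ld "$path" | cut -c1-10   # return the mode string so the caller can verify it
}

# DNS-01: the plugin creates _acme-challenge TXT records for each name through the
# Cloudflare API, waits for propagation, then removes them. The plugin name and the
# credentials path are stored in the renewal configuration, so "certbot renew"
# repeats this without any interaction.
request_wildcard() {
  domain="$1"; creds="$2"; email="$3"
  certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials "$creds" \
    --dns-cloudflare-propagation-seconds 60 \
    -d "$domain" -d "*.${domain}" \
    --email "$email" --agree-tos --no-eff-email \
    --deploy-hook "nginx -t && systemctl reload nginx"
}

# Usage as root: CF_DNS_TOKEN=... sh wildcard.sh apply example.com admin@example.com
if [ "${1:-}" = "apply" ]; then
  : "${CF_DNS_TOKEN:?set CF_DNS_TOKEN to a Cloudflare API token with Zone:DNS:Edit}"
  write_cloudflare_credentials /etc/letsencrypt/cloudflare.ini "$CF_DNS_TOKEN" >/dev/null
  request_wildcard "$2" /etc/letsencrypt/cloudflare.ini "$3"
fi
```

The resulting lineage /etc/letsencrypt/live/example.com/ covers both the apex and every first-level subdomain, so one pair of ssl_certificate directives serves a server block with server_name example.com *.example.com.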

Rate Limits

Let's Encrypt enforces rate limits; the two that bite most often are 50 certificates per registered domain per week and 5 duplicate certificates (the same set of names) per week, and there is also a limit on failed validations per account, per hostname, per hour. Use the staging environment (--staging, or --dry-run for a full run that saves nothing) while testing a new configuration: staging has far more generous limits, and its certificates are not browser-trusted, so do not leave one deployed. Once the staging run succeeds, repeat the command without the flag to get the production certificate.

Use Case

You are setting up HTTPS for a new website and want free, automatically renewing SSL certificates without the cost and complexity of purchasing from a traditional certificate authority.
