Certbot/nginx clarifications

My web server is (include version): nginx / 1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: DigitalOcean

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.4.0

I am looking for clarification on initial setup and renewal of certificates.

When running sudo certbot --nginx my nginx ssl server block is modified adding certificates as expected, but my non ssl block is also modified redirecting all non ssl traffic to the ssl server block, which is not desired but not a major issue as it's easy to edit out.

My understanding is that if I want auto renewal set up where nginx's configuration will be reloaded on renewal of the certificate then I need to include the --nginx option or else I must manually set up renewal hooks - is this correct?

If the --nginx option is specified on initial setup, when the certificate is auto-renewed will my non ssl server block be modified as it was in initial setup, or will nginx only be reloaded? i.e., will the forced redirection of non-ssl to ssl be reinserted (this would be undesirable)?

On initial setup, what are the implications of running with both certonly and --nginx: sudo certbot certonly --nginx? Do I just need to edit the server block and update certificate paths? Or is this not a good idea?

Finally, currently my renewable parameters (in /etc/letsencrypt/renewal/) show

authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Does this mean that on renewal nginx will automatically receive a reload signal? I ask as nowhere do I see an actual hook issuing a reload command.

Thanks

Yes, the nginx installer will do that for you.

There's an option to prevent Certbot from adding a redirect. Although I don't see why that would be a problem?

Yup, either the nginx installer will reload nginx or you need to add the reload command to the --deploy-hook.

Only reloaded on renewal. The adding of the redirect takes place at the first issuance, not at renewal.

The combination certonly and --nginx makes Certbot use the nginx authenticator and probably lets you select hostnames from the nginx configuration, but does not modify the nginx configuration permanently.

5 Likes
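The answer above says the nginx installer reloads nginx itself, and that without an installer the reload has to come from a `--deploy-hook`. The following shell script is an added example, not code from the thread or from Certbot: it reads a renewal config in the format quoted in the question and reports which of the two cases applies. The sample config is constructed from the lines in the question; the assumption that Certbot writes `installer = None` when no installer is configured is mine.

```shell
#!/bin/sh
# Added example: decide from a Certbot renewal config whether nginx will be
# reloaded by the nginx installer or whether a --deploy-hook is still needed.

# Constructed sample, copied from the renewal parameters shown in the question.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
EOF

# Print the value of one "key = value" line from a renewal config (first match).
# $1 = key name, $2 = path to the renewal config.
renewal_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# True (exit 0) when no installer is configured, i.e. nothing will reload nginx
# on renewal unless a deploy hook does it. Assumes Certbot writes
# "installer = None" (or omits the line) when no installer was used.
needs_reload_hook() {
    inst="$(renewal_param installer "$1")"
    [ -z "$inst" ] || [ "$inst" = "None" ]
}

# Report the situation for the sample config.
report() {
    if needs_reload_hook "$1"; then
        echo "no installer configured: add a deploy hook, e.g."
        echo "  certbot renew --deploy-hook 'systemctl reload nginx'"
        return 1
    fi
    echo "installer = $(renewal_param installer "$1"): the installer reloads nginx on renewal"
    return 0
}

report "$SAMPLE_CONF"
```

With the config from the question the script reports that the nginx installer handles the reload, matching the answer; a config issued with `certonly` and no installer would make it print the deploy-hook suggestion instead.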

I assume that `snap run ... certbot.renew` referred to in `snap.certbot.renew.service` automatically handles the nginx reload directly and that I shouldn't be seeing any entries in the `/etc/letsencrypt/renewal-hooks/<deploy, pre, post>` folders (nor anywhere else)?

1 Like

Correct.

5 Likes

Thanks!

4 Likes
