How to configure custom nginx for renewal

My web server is a custom nginx build that I need to configure and run manually (OS is Ubuntu 18.04). I got a certificate via certbot --standalone because the --nginx option didn’t work (somewhat expected given that my setup probably violates that script’s many assumptions).

I would like to know if it is possible to configure nginx manually, ideally with a command like certbot renew --nginx that I can put in cron, but that only creates whatever files it needs to serve from my www root dir for authentication and then performs the authentication itself and renews the certificate, but specifically that doesn’t try to mess with my nginx config files or try to restart my server.

Is there any way I can do that?
Thanks.

Normally, Certbot does need to be able to reload or restart your server: Nginx normally reads certificates at startup or when reloaded. After Certbot renews a certificate, Nginx has to be reloaded or restarted so that it will use the new certificate.

Is Nginx listening on port 80? Can you use Certbot’s webroot plugin? Certbot would just write a file to a given location, and you would have to configure Nginx to serve it. Certbot wouldn’t directly interact with Nginx.

For example, if Nginx is configured to use /var/www/foo as the root directory, you could issue a certificate by using:

sudo certbot certonly --deploy-hook "service nginx reload" --webroot -w /var/www/foo -d example.com -d www.example.com

That would use the webroot plugin and also have Certbot reload Nginx after renewing your certificate (and also the first time, I think). The nginx plugin wouldn’t be involved.

If Nginx is not listening on port 80, you could continue to use the standalone plugin (and also a hook to reload it). Even if it is listening on port 80, you could use the standalone plugin with the --http-01-port option and have Nginx proxy_pass /.well-known/acme-challenge/ to Certbot.
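
The two setups described in the answer above, written out as an nginx server block. This is an added example, not part of the original posts or the poster's configuration: /var/www/foo and example.com come from the answer, while the local port 8888 and the HTTPS redirect for all other paths are assumptions.

```nginx
server {
    listen 80;
    server_name example.com www.example.com;

    # Option A: webroot plugin (certbot certonly --webroot -w /var/www/foo ...).
    # Certbot writes token files under /var/www/foo/.well-known/acme-challenge/
    # and nginx serves them as static files. Certbot never touches this config.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/foo;
        default_type text/plain;
        try_files $uri =404;   # serve existing token files only, no directory index
    }

    # Option B: standalone plugin behind nginx. Use this location instead of
    # Option A and run Certbot with:
    #   certbot certonly --standalone --http-01-port 8888 -d example.com
    # Port 8888 is an assumed free local port; Certbot listens on it only
    # while a challenge is in progress.
    # location ^~ /.well-known/acme-challenge/ {
    #     proxy_pass http://127.0.0.1:8888;
    # }

    # Assumption: everything except the challenge path is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Certbot records the plugin and hook options used at issuance in its renewal configuration, so the cron entry only needs to run certbot renew.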

Hi, thanks for the short reply. I was just configuring webroot and testing it. Seems to work fine, so sorry for the noise, looks like webroot is exactly what I needed, I should’ve RTFM more carefully. And thanks for the tip on --deploy-hook, I’ll try that too.