I just wanted to add:
-
You absolutely want nginx to terminate the SSL connection and just have node handle http
-
Since you’re using nginx and familiar with proxypass, you can create another proxypass for the “/.well-known” directory on all your nginx port 80 domains, and then run certbot on an alternate port for validation. You’ll still need to do a (graceful) restart of nginx to activate the new cert, but that will let you run the renewal automatically without downtime.
I posted the full commands and setup in this comment last month: Ideas about how to automate initial configuration of certificates
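The setup this comment describes, written out as an added example (not the poster's own configuration and not taken from the linked thread): nginx terminates TLS on 443 and proxies plain HTTP to the node app, while on port 80 only the ACME challenge path is proxied to a certbot standalone listener on an alternate port. The hostnames (example.com), the node upstream (127.0.0.1:3000), the certbot port (8888) and the certificate paths are assumptions; the certbot flags `--standalone`, `--http-01-port` and `--deploy-hook` are real certbot options.

```nginx
# Added example, not from the original post. Assumed values: example.com,
# node app on 127.0.0.1:3000, certbot standalone on 127.0.0.1:8888, and
# certbot's default /etc/letsencrypt/live/<domain>/ certificate paths.

server {
    listen 80;
    server_name example.com www.example.com;

    # Only the ACME challenge path is forwarded to certbot; the
    # challenge listener is bound to loopback, so it is never exposed
    # directly to the internet. Everything else on port 80 goes to HTTPS.
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS ends here; node only ever sees plain HTTP on loopback, so the
    # unencrypted hop never leaves the host.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Initial issuance (nginx keeps serving the sites while certbot listens
# on the alternate port behind the proxy):
#
#   certbot certonly --standalone --http-01-port 8888 \
#       -d example.com -d www.example.com
#
# Automated renewal from cron or a systemd timer; the deploy hook does the
# graceful reload only when a certificate was actually renewed:
#
#   certbot renew --standalone --http-01-port 8888 \
#       --deploy-hook "nginx -s reload"
```

With this layout the node process can be started with the HTTPS listener removed entirely, which also means the private key is readable only by nginx and never by the application user. Check the port 80 proxy with `curl -i http://example.com/.well-known/acme-challenge/test` while certbot is not running: nginx should answer 502, confirming the path is routed to the alternate port rather than to node.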