HTTPS is Working, but Wondering if I Did it Correctly

I generated a cert using the following syntax: /home/User_1/ --issue --dns dns_gd -d -d

This created a .cer and a .key, among a few other files, in /home/User_1/

In my nginx /etc/nginx/sites-available/my_site config file, I simply pointed to the .cer and .key in /home/User_1/

Is this correct? The documentation says something about issuing the cert to nginx, but I didn’t fully understand it, and this seemed to work.


In you are meant to break this up into two steps: issuing and installing.

The first part - issuing - you’ve already done. That was --issue.

Part two - installing - is shown in the README:

So you will want to do something like:

/home/User_1/ --install-cert -d \
--key-file       /etc/nginx/  \
--fullchain-file /etc/nginx/ \
--reloadcmd     "service nginx force-reload"

Modify your nginx configuration to use the private key and certificate from /etc/nginx/ and /etc/nginx/ respectively, and then reload nginx one more time.

The main thing this achieves is to reload nginx as necessary when the certificate renews … but you’re also not really supposed to directly use the key and certificate files from inside /home/User_1/, which is why the installation involves copying them elsewhere.
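As an added illustration (not from this thread or from acme.sh itself), the checks below are the sort of thing a --reloadcmd wrapper can run before reloading nginx: confirm the installed key matches the installed certificate, that the key is not readable by other users, and that the certificate is not already expiring. The /etc/nginx/ file names are placeholders, since the thread elides them.

```shell
#!/bin/sh
# Added example, not part of the original thread or of acme.sh.
# Assumed layout: key and full chain copied to /etc/nginx/ by --install-cert.

# Return 0 if the public key in KEY matches the first certificate in CERT.
cert_matches_key() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if FILE grants no group or world permissions (e.g. mode 0600).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Return 0 if CERT is still valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Wrapper for acme.sh --reloadcmd: refuse to reload on a bad install.
safe_reload() {
    key="${1:-/etc/nginx/KEY_FILE_PLACEHOLDER}"
    cert="${2:-/etc/nginx/FULLCHAIN_FILE_PLACEHOLDER}"
    cert_matches_key "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    key_is_private "$key" || { echo "key is group/world readable" >&2; return 1; }
    cert_valid_for_days "$cert" 1 || { echo "cert expired or expiring" >&2; return 1; }
    nginx -t && service nginx force-reload
}
```

If this wrapper is run by a non-root user, the sudoers rule has to name the wrapper script rather than the bare service command.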


After I do the --install-cert, in the future, will the default acme cronjob install the new renewed cert and reload nginx when it runs? Or do I need to create a cron script to do the --install and reload part?


Yep, that’s exactly the idea. It will remember how to install the certificate during the existing cronjob and you don’t need to schedule it separately.


Thanks again, everything worked well.

Wondering what the best approach is to have my non-root user’s cron be able to restart the nginx.service. The user is in sudoers but obviously still needs to type in the password to restart the service. (Or am I wrong in assuming that the cron job will need to restart nginx each time the cert updates?)


The simple solution would be to run as root.

If you are comfortable giving User_1 the ability to non-interactively reload nginx, perhaps, you can add this to /etc/sudoers:

User_1 ALL = (root) NOPASSWD: /usr/sbin/service nginx force-reload

and re-run your --install-cert command, but changing the --reloadcmd to include sudo.


Thanks. I guess I misunderstood the docs when it told me not to use sudo, and thought they also meant not to use root. Obviously those two things are pretty different so I shouldn’t have assumed.
