Is it possible to customize what certbot adds to an nginx vhost conf after issuing a certificate?

When I run certbot --nginx, these configuration values are added to the site's /etc/nginx/sites-available/example.conf file:

listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Is there a way to tell certbot to use a specific template when generating this? For example, I would like to also include ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem so that I can use OCSP stapling.

It would also be nice if certbot could continue to manage these values, e.g., so if the path to /etc/letsencrypt/live/example.com/chain.pem changes, it would update that value for the ssl_trusted_certificate config in the nginx vhost conf file.

Does this feature exist?

(BTW, is there a Discord or Slack server for discussing Let's Encrypt?)

Hi @com,

No, this is hardcoded inside

There is a file meant for user configuration called options-ssl-nginx.conf, but this is mainly meant for configuring nginx-wide options like ciphersuites, and doesn't have any templating for making configurations specific to an individual certificate.

You could potentially script something yourself with Certbot's --deploy-hook feature.

Alternatively, you could open an issue with a feature request at


Thanks @schoen,

Do you know if the config lines added will ever be modified by certbot during future executions, and for which reasons? The comment “managed by Certbot” implies these lines should not be touched because certbot is…well…managing them. Will there be any ill effect to changing these lines, e.g. replacing this:

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

with this:

include snippets/ssl.conf;

?

I presume if certbot only adds these lines, and will never touch them again in the future, they would have the comment “added by Certbot”. :thinking:

I think that's the intended interpretation, and I don't know if there are any plans for Certbot to actually modify them.
