Letsencrypt + nginx + autorenewal + Infrastructure as code?


Our infrastructure is managed by Ansible (including nginx site configuration - they are generated using templates).

Now we generate letsencrypt certificates by certbot command automatically each 3 months, but we have ~1 minute downtime (we have to stop nginx, to bind certbot standalone to 80).

How Letsencrypt + nginx integration for autorenewal can be made?

I have found some solutions like How to setup Let’s Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SLL rating) but they use python-certbot-nginx which modifies site configs (and they will be replaced by Ansible on next Ansible run, so HTTPS will be broken).


I find Certbot’s “modifies the config” characteristic unsuitable for configuration management as well, but you can use it in certonly mode to avoid that.

How I approach it is like this:

1. Have Ansible generate a self-signed certificate / keypair (for when the server is being boostrapped), and point some symlinks at them for the webserver to use.
2. Have Ansible configure the web server initially to proxy requests for /.well-known/acme-challenge to another port (in my case since I use acmetool, I send it to port 402).
3. Have Ansible invoke the ACME client in its standalone mode (so it binds to port 402 or whatever), and the certificate should be successfully issued. This action should be idempotent (should do nothing if the certificate exists and is not expiring).
4. Once that step 3 is complete, have Ansible update the symlinks to the production certificate and reload the web server.

At this stage, we have a web server configured with a live certificate and the ACME client’s cronjob takes care of the rest without disrupting the web server.

It’s not the most elegant thing ever but I set it up this way a few years ago and it’s yet to fail me.


If you use “certbot certonly --nginx”, Certbot modifies the Nginx configuration momentarily for the validation, but it doesn’t make any permanent changes. That shouldn’t be an issue, if you want to go that route.


The best option is to use DNS certbot plugin.

  1. You don’t need to bind the port.
  2. You don’t need to generate self-signed certificates for nginx for first launch before first letsencript certificate is created.
  3. Wildcards.


I use Letsencrypt - and I’ve never created a self-signed certificate.

And the http-01-challenge can be used without changing the configuration of the webserver. It’s enough to copy the validation file.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.