Hi @kkoenen,
You can use Certbot or acme.sh. It's possible that `certbot --nginx` will do everything that you want based on your current configuration (it would be good to see what it does wrong, if not).

Basically the configuration that you'll eventually want to get to (whether via `certbot --nginx` or hand-editing your configuration) is creating a new nginx server block listening on port 443 and configured with your private key and chain. This server block can then do the same `proxy_pass` that your current port 80 server block does.

You'll then want to have a new port 80 server block which takes any request and rewrites the request to its `https://` equivalent via a 301 redirect message. (`certbot --nginx` can do this for you, if it works.)

During the certificate validation process, your site will need to serve challenge files from `/.well-known/acme-challenge` via HTTP on port 80. `certbot --nginx` can add a temporary server block which does this in order not to have to make a permanent change to your nginx configuration.

Alternatively, you can add an additional rule to your existing server block so that `/.well-known/acme-challenge` is served out of a directory on the filesystem, rather than being `proxy_pass`ed to a different server. In that case `certbot --webroot` would be able to work. Or you could add a rule that `/.well-known/acme-challenge` requests are `proxy_pass`ed to a different port and then use `certbot --standalone --http-01-port` followed by that port number.
I hope one of these options will work well for you.
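As an added illustration (not the reply author's own configuration), this is what the end state described above looks like in nginx, assuming the hostname example.com, an application listening on 127.0.0.1:8080, a challenge webroot of /var/www/certbot, and the certificate paths Certbot writes by default under /etc/letsencrypt/live/:

```nginx
# Added example, not from the original post. Assumed values: example.com,
# upstream app on 127.0.0.1:8080, webroot /var/www/certbot, and Certbot's
# default certificate location under /etc/letsencrypt/live/.
server {
    listen 80;
    server_name example.com;

    # Serve ACME HTTP-01 challenge files from the filesystem instead of
    # proxying them, so that
    #   certbot certonly --webroot -w /var/www/certbot -d example.com
    # can validate without the application ever seeing the request.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Every other HTTP request is sent to its HTTPS equivalent with a 301.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate chain and private key as written by Certbot.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Same proxy_pass the old port 80 block used; the forwarded headers let
    # the application know the original host and that TLS terminated here.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` before reloading; the port 443 block will fail to load until the certificate files exist, so issue the certificate with the port 80 block first and add the HTTPS block afterwards.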