Console9

How to issue an SSL certificate with Certbot for Nginx

Obtain a free SSL/TLS certificate from Let's Encrypt and automatically configure HTTPS on an Nginx web server using Certbot's --nginx plugin.

Prerequisites

  • Ubuntu or Debian server with Nginx installed and running
  • A domain name pointing to the server's public IP address (A record in DNS)
  • Port 80 open in the firewall (UFW: sudo ufw allow 'Nginx Full')
  • Certbot installed (sudo snap install --classic certbot)

Step-by-Step: Issue an SSL Certificate with Certbot for Nginx

1. Run Certbot with the Nginx Plugin

Certbot's --nginx flag handles certificate issuance and Nginx configuration automatically:

sudo certbot --nginx -d example.com -d www.example.com

Certbot performs the HTTP-01 ACME challenge by temporarily modifying the Nginx configuration to serve a validation token on port 80. Let's Encrypt verifies domain ownership by fetching this token.

2. Certbot Configures Nginx for HTTPS Automatically

Certbot modifies the Nginx server block to add the ssl_certificate and ssl_certificate_key directives, and it also adds an HTTP-to-HTTPS redirect.

3. Verify HTTPS Is Working

Open https://example.com in a browser or test with cURL:

curl -I https://example.com

The response should show HTTP/2 200 with no certificate errors.
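
One way to confirm the changes described in step 2, as an added example rather than code from Certbot or this guide: the function audit_https_conf (a hypothetical name) scans Nginx config text for the certificate directives, a 443 listener and the redirect. The sample configs are constructed and assume the usual /etc/letsencrypt/live/ layout.

```sh
#!/bin/sh
# Added example (not Certbot's code): audit Nginx config text for the step 2 directives.
# Reads config text on stdin, prints one line per finding, and
# returns the number of problems found (0 = every check passed).
audit_https_conf() {
  problems=0
  body=$(sed 's/#.*$//')   # drop comments so disabled directives do not count
  cert=$(printf '%s\n' "$body" | awk '$1=="ssl_certificate"{sub(/;$/,"",$2); print $2; exit}')
  key=$(printf '%s\n' "$body" | awk '$1=="ssl_certificate_key"{sub(/;$/,"",$2); print $2; exit}')
  [ -n "$cert" ] || { echo "MISSING ssl_certificate"; problems=$((problems+1)); }
  [ -n "$key" ]  || { echo "MISSING ssl_certificate_key"; problems=$((problems+1)); }

  # Certificate and key should sit in the same directory (one certificate lineage).
  if [ -n "$cert" ] && [ -n "$key" ] && [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
    echo "MISMATCH $cert vs $key"; problems=$((problems+1))
  fi

  # TLS listener on 443 (IPv4 or IPv6) and an HTTP-to-HTTPS redirect.
  printf '%s\n' "$body" | grep -Eq 'listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' \
    || { echo "MISSING listen 443 ssl"; problems=$((problems+1)); }
  printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+30[18][[:space:]]+https://' \
    || { echo "MISSING HTTP-to-HTTPS redirect"; problems=$((problems+1)); }
  return "$problems"
}

# Constructed sample in the shape Certbot's nginx plugin typically writes.
sample_good() { cat <<'EOF'
server {
    server_name example.com www.example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
EOF
}

# Constructed broken variant: key from another directory, redirect commented out.
sample_bad() {
  sample_good | sed -e 's#live/example.com/privkey#live/old.example/privkey#' -e 's/^\( *\)return 301/\1# return 301/'
}
```

On a server, feed it the live configuration with sudo nginx -T 2>/dev/null | audit_https_conf and treat any non-zero exit status as a failed check.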

How to Verify the Certificate Details

Inspect the installed certificate with OpenSSL:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject

Common Issues When Issuing Certificates with Certbot for Nginx

Certbot shows "Some challenges have failed"— Port 80 is not reachable from the internet. Verify that UFW allows HTTP: sudo ufw allow 80/tcp. See Certbot: Some challenges have failed.

Certbot shows "The requested nginx plugin does not appear to be installed"— Certbot was installed via snap but the Nginx plugin was installed via apt, or vice versa. Reinstall both from the same source. See Certbot: nginx plugin not installed.