Example: Certbot with NGINX using HTTP-01 Domain Validation
This guide provides a complete example of using Certbot with NGINX to obtain and install a certificate using HTTP-01 domain validation.
Prerequisites
- ACME Directory URL created
- NGINX installed and running
- Certbot installed
- Domain name pointing to your server
- Port 80 open and accessible
- Root or sudo access to the server
Step 1: Install Certbot NGINX Plugin
sudo apt install python3-certbot-nginx
Step 2: Configure NGINX for HTTP-01 Validation
Certbot will automatically configure NGINX for HTTP-01 validation, but you need to ensure your NGINX configuration already includes a server block for your domain (Certbot's nginx plugin locates the block by its server_name and adds the challenge response to it):
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    location / {
        root /var/www/html;
        index index.html;
    }
}
Where can I find my site config?
On most Debian-based systems like Ubuntu, site-specific NGINX configurations are placed in /etc/nginx/sites-available/ and enabled by creating a symbolic link in /etc/nginx/sites-enabled/. For example, a config file for yourdomain.com would typically be located at /etc/nginx/sites-available/yourdomain.conf and symlinked to sites-enabled/ to activate it.
On Red Hat-based distributions (like CentOS or AlmaLinux), site configurations are usually added directly in /etc/nginx/nginx.conf or included via files inside /etc/nginx/conf.d/.
Step 3: Run Certbot with NGINX Plugin
sudo certbot --nginx \
--server https://one.digicert.com/mpki/api/v1/acme/v2/directory \
--eab-kid YOUR_EAB_KEY_ID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
-d yourdomain.com \
-d www.yourdomain.com
Note: Replace YOUR_EAB_KEY_ID, YOUR_EAB_HMAC_KEY, and yourdomain.com with your actual values.
🖥️ Sample Terminal Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Registering without email!
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/yourdomain.com
Successfully received certificate.
Certificate saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2025-05-30.
Certbot has configured automatic renewal.
Why is the certificate path under /etc/letsencrypt/?
Although GeoCerts ACME certificates are issued by DigiCert or GeoTrust (not Let's Encrypt), Certbot was originally designed for Let's Encrypt and defaults to storing all ACME-issued certificates under the /etc/letsencrypt/ directory. This is simply a file system convention and does not indicate which Certificate Authority issued the certificate. You can safely use this directory for GeoCerts ACME certificates.
Once the certificate is successfully issued, you can log in to your GeoCerts CertCommand Management Console to view the new certificate order. You’ll see details like the order ID, domain name, certificate status, cost, and expiration date—all updated in real time. This provides a convenient way to track and manage your ACME-issued certificates alongside your other orders.
Step 4: Verify NGINX Configuration
Certbot will automatically:
- Obtain the certificate
- Configure NGINX to use the certificate
- Set up automatic redirects from HTTP to HTTPS
- Configure certificate auto-renewal (defaults to 30 days before expiration)
Verify your NGINX configuration:
sudo nginx -t
If the test is successful, reload NGINX:
sudo systemctl reload nginx
Step 5: Test HTTPS Access
Visit your domain in a web browser using https:// to verify the certificate is working correctly.
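A scripted counterpart to the browser check, useful from cron or a monitoring job: it reads the fullchain.pem that Certbot saved, confirms the leaf certificate actually covers the requested name, and confirms it is valid beyond the 30-day renewal window. This is an added example, not part of the GeoCerts or Certbot documentation; it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# check_cert: post-issuance sanity check for a Certbot-managed certificate.
# Usage: check_cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem yourdomain.com [min_days]
# Returns 0 when the leaf cert lists <domain> in its SANs and is valid for at
# least <min_days> more (default 30, matching Certbot's renewal window).
check_cert() {
  cert="$1"; domain="$2"; min_days="${3:-30}"
  if [ ! -r "$cert" ]; then
    echo "cannot read $cert" >&2
    return 2
  fi
  # fullchain.pem lists the leaf first; 'openssl x509' reads only the first PEM block.
  if ! leaf=$(openssl x509 -in "$cert" 2>/dev/null); then
    echo "$cert is not a PEM certificate" >&2
    return 2
  fi
  # Show the issuer: for GeoCerts ACME this is DigiCert or GeoTrust, not Let's Encrypt.
  printf '%s\n' "$leaf" | openssl x509 -noout -issuer -enddate

  # 1. Does the leaf cover the requested host name? Match DNS:<domain> exactly,
  #    escaping the dots so 'example.com' cannot match 'exampleXcom'.
  sans=$(printf '%s\n' "$leaf" | openssl x509 -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1)
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
  if ! printf '%s\n' "$sans" | grep -q "DNS:${esc}\([,[:space:]]\|$\)"; then
    echo "FAIL: $domain not in SAN list:$sans" >&2
    return 1
  fi

  # 2. Will it still be valid after the renewal window? -checkend takes seconds.
  if ! printf '%s\n' "$leaf" \
       | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days; check 'certbot renew'" >&2
    return 1
  fi
  echo "OK: $domain covered, valid for more than $min_days days"
}

# Run directly when given arguments; sourcing the file only defines the function.
if [ $# -ge 2 ]; then
  check_cert "$@"
fi
```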
Automatic Renewal
Certbot automatically sets up a systemd timer to renew certificates before they expire. You can verify the timer is active:
sudo systemctl status certbot.timer
🖥️ Sample Terminal Output:
certbot.timer - Run certbot twice daily
Loaded: loaded (/usr/lib/systemd/system/certbot.timer; enabled; preset: enabled)
Active: active (waiting) since Wed 2025-04-30 09:20:07 UTC; 3 days ago
Trigger: Sat 2025-05-03 13:57:13 UTC; 4h 4min left
Triggers: ● certbot.service
Troubleshooting
Common Issues:
- Port 80 Blocked: Ensure port 80 is open and accessible for HTTP-01 validation
- NGINX Configuration: Check for syntax errors in your NGINX configuration
- File Permissions: Ensure Certbot has proper permissions to modify NGINX configuration
- Domain Resolution: Verify your domain correctly resolves to your server’s IP
For more help, refer to the Certbot documentation.