This is a short post on using Let’s Encrypt to get TLS certificates for NGINX virtual hosts. The setup assumes:

  • Ubuntu
  • NGINX hosting multiple domains
  • A scheduler (e.g., cron or Rundeck)

Let’s Encrypt

Let’s Encrypt offers free domain-validated (DV) certificates for HTTPS and other secure services.

Initial Setup

I run multiple web services on VMs behind a single public IP. My NGINX proxy manages SSL termination and routing using virtual host configs.

Goals:

  • Quickly add new sites/domains
  • Let the proxy manage SSL termination
  • Handle renewals automatically
  • Use config snippets for reusable sections

Configuring NGINX

Install the letsencrypt package, which provides the /usr/bin/letsencrypt binary.

Create the challenge snippet at /etc/nginx/snippets/letsencrypt.conf:

location '/.well-known/acme-challenge' {
    default_type    "text/plain";
    root            /tmp/letsencrypt-auto;
}

Include it in relevant server blocks:

include /etc/nginx/snippets/letsencrypt.conf;

Creating a New Site

For a new domain (e.g. letsencrypt.mbwarez.dk), create its config at: /etc/nginx/sites-enabled/letsencrypt.mbwarez.dk

server {
    listen 80;
    server_name letsencrypt.mbwarez.dk;

    # SSL config (commented out until certs exist)
    #ssl_certificate         /etc/letsencrypt/live/letsencrypt.mbwarez.dk/fullchain.pem;
    #ssl_certificate_key     /etc/letsencrypt/live/letsencrypt.mbwarez.dk/privkey.pem;

    include                 /etc/nginx/snippets/letsencrypt.conf;
    include                 /etc/nginx/snippets/hpkp-sts.conf;

    root /var/www/letsencrypt.mbwarez.dk;
}

Now run:

/usr/bin/letsencrypt certonly --text --non-interactive --keep \
  --email certificate-admin@mbwarez.dk \
  --webroot --webroot-path=/tmp/letsencrypt-auto \
  -d letsencrypt.mbwarez.dk

Let’s Encrypt will verify the domain by fetching a file under /.well-known/acme-challenge. If successful, the certificate will be saved in: /etc/letsencrypt/live/letsencrypt.mbwarez.dk/

Now uncomment the SSL lines in your config and restart NGINX:

server {
    listen 80;
    listen 443 ssl;
    server_name letsencrypt.mbwarez.dk;

    ssl_certificate         /etc/letsencrypt/live/letsencrypt.mbwarez.dk/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/letsencrypt.mbwarez.dk/privkey.pem;

    include                 /etc/nginx/snippets/letsencrypt.conf;
    include                 /etc/nginx/snippets/hpkp-sts.conf;

    root /var/www/letsencrypt.mbwarez.dk;
}

Renewal Script

Let’s Encrypt certificates expire every 90 days. Here’s a script I run weekly (via cron) to renew all certs:

#!/bin/bash
DIR=/tmp/letsencrypt-auto
TOOL=/usr/bin/letsencrypt

mkdir -p $DIR

function updatecert() {
    DOMAIN=$1
    echo "UPDATING cert for $DOMAIN"
    $TOOL certonly --text --non-interactive --keep \
        --email certificate-admin@mbwarez.dk \
        --webroot --webroot-path=$DIR \
        -d $DOMAIN
}

updatecert blog.mbwarez.dk
updatecert cygwin.mbwarez.dk
updatecert letsencrypt.mbwarez.dk
updatecert mbwarez.dk
updatecert plex.mbwarez.dk
updatecert scm.mbwarez.dk

echo "RESTARTING nginx"
service nginx configtest && service nginx reload
exit $?

Final Thoughts

Adding new domains is simple—just include them in this script and restart NGINX. Certificates are automatically renewed, and the proxy config stays clean and modular.

Secure, scriptable, and scalable.