Nginx and Certbot (Let's Encrypt)

Serve a site over HTTPS on your HolyCloud VPS with Nginx and automatic Let's Encrypt certificates via Certbot.

Pair Nginx (web server / reverse proxy) and Certbot to obtain free Let's Encrypt certificates with automatic renewal on your HolyCloud Linux VPS.

Prerequisites

- HolyCloud VPS with Ubuntu/Debian, sudo access
- Domain name pointing to the VPS IP (A / AAAA record in DNS)
- Ports 80 and 443 open (UFW + HolyCloud panel)
- Site or at least a server_name ready to respond

Step 1: install Nginx

    sudo apt update
    sudo apt install -y nginx
    sudo systemctl enable --now nginx
    curl -I http://127.0.0.1

Step 2: basic virtual host

Replace www.example.com with your domain:

    sudo nano /etc/nginx/sites-available/example.com

    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;

        root /var/www/example.com/html;
        index index.html index.htm;

        location / {
            try_files $uri $uri/ =404;
        }
    }

    sudo mkdir -p /var/www/example.com/html
    echo '<h1>HolyCloud VPS</h1>' | sudo tee /var/www/example.com/html/index.html
    sudo ln -sf /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
    sudo nginx -t && sudo systemctl reload nginx

Step 3: install Certbot (Nginx plugin)

    sudo apt install -y certbot python3-certbot-nginx

Step 4: obtain certificate

    sudo certbot --nginx -d example.com -d www.example.com --agree-tos -m YOUR_EMAIL_ADDRESS --redirect

Certbot updates the vhost to listen on 443 and redirects HTTP → HTTPS if --redirect is used.
Safe renewal (dry-run):

    sudo certbot renew --dry-run

The certbot.timer systemd timer handles automatic renewal:

    systemctl list-timers | grep certbot

Step 5: recommended TLS headers (optional)

After first issuance, harden the SSL block in the generated vhost (example):

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    sudo nginx -t && sudo systemctl reload nginx

includeSubDomains applies the HSTS policy to every subdomain of the site, so enable it only once all of them are served over HTTPS.

Verification

    sudo certbot certificates
    curl -sI https://example.com | grep -E 'HTTP/|strict-transport'
    openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Browser: valid padlock, Let's Encrypt chain.

HolyCloud help

- Challenge failed: check DNS (propagation) and that port 80 reaches the VPS (no CDN proxy blocking HTTP-01)
- Too many requests: Let's Encrypt rate limit; wait or use staging (certbot --staging)
- HolyCloud support: provide the domain, VPS IP, and the output of sudo certbot renew --dry-run and nginx -t
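The Verification commands above only print headers. The following added example (not part of the original page) turns `curl -sI` output into pass/fail checks for the Step 4 redirect and the Step 5 HSTS header, including on an error response. The function names and the sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline checks on `curl -sI` output for the Step 4 redirect
# and the Step 5 HSTS header. The sample responses below are constructed.

sample_http()       { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.com/\r\n\r\n'; }
sample_https_404()  { printf 'HTTP/2 404\r\nserver: nginx\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'; }
sample_https_weak() { printf 'HTTP/2 200\r\nserver: nginx\r\nStrict-Transport-Security: max-age=300\r\n\r\n'; }

# header_value NAME: print the first header NAME from stdin (case-insensitive;
# curl shows HTTP/2 header names in lowercase, HTTP/1.1 usually in mixed case).
header_value() {
  tr -d '\r' | awk -v name="$1" -F: 'tolower($1) == tolower(name) {
    sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_redirect: stdin is the port-80 response; pass on a permanent redirect to https://.
check_redirect() {
  local resp status location
  resp=$(tr -d '\r')
  status=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$resp" | header_value location)
  case "$status $location" in
    "301 https://"*|"308 https://"*) echo "ok: $status -> $location" ;;
    *) echo "fail: status=$status location=${location:-none}"; return 1 ;;
  esac
}

# check_hsts [MIN_AGE]: stdin is an HTTPS response; pass only if HSTS carries
# max-age >= MIN_AGE (default: the Step 5 value) and includeSubDomains.
check_hsts() {
  local min_age hsts max_age
  min_age=${1:-31536000}
  hsts=$(header_value strict-transport-security | tr 'A-Z' 'a-z')
  [ -n "$hsts" ] || { echo "fail: no HSTS header"; return 1; }
  max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo "fail: HSTS without max-age"; return 1; }
  [ "$max_age" -ge "$min_age" ] || { echo "fail: max-age=$max_age below $min_age"; return 1; }
  case "$hsts" in
    *includesubdomains*) echo "ok: max-age=$max_age includeSubDomains" ;;
    *) echo "fail: includeSubDomains missing"; return 1 ;;
  esac
}

sample_http       | check_redirect || true
# A 404 must still carry HSTS; that is what the `always` flag in Step 5 is for.
sample_https_404  | check_hsts || true
sample_https_weak | check_hsts || true
```

Against a live server, pipe real output into the same functions, for example curl -sI http://example.com | check_redirect and curl -sI https://example.com/no-such-page | check_hsts.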