ContextQMD
Back to Infisical

Nginx with Certbot

docs/documentation/platform/pki/guides/applications/nginx-certbot.mdx

0.160.18.3 KB
Original Source

Set up automatic TLS certificates for your Nginx server using Infisical and Certbot. Certbot requests and renews certificates automatically from Infisical's ACME server.

<Info> This guide assumes you have an Application with [ACME enrollment](/documentation/platform/pki/applications/enrollment-methods/acme) configured. </Info>

Prerequisites

  • An Nginx web server running on Linux with administrative access
  • An Application in Infisical with ACME enrollment configured
  • Network connectivity from your Nginx server to Infisical
  • Port 80 open for HTTP-01 validation

Guide

<Steps> <Step title="Get ACME Credentials from Infisical"> In your Application, go to the **Settings** tab and find the **Certificate Profiles** section. Click **Configure** on the profile with ACME enrollment, then click **Reveal ACME EAB** to view the credentials: 
    | Credential | Purpose |
    |------------|---------|
    | **ACME Directory URL** | The URL Certbot uses to communicate with Infisical |
    | **EAB Key Identifier (KID)** | Identifies your ACME account |
    | **EAB Secret** | Authenticates your ACME client |

    <Note>
        Keep your EAB credentials secure. They authenticate your ACME client with Infisical and are unique to each enrollment.
    </Note>
</Step>

<Step title="Install Certbot">
    Install Certbot on the server where Nginx is running by following the official Certbot [installation guide](https://certbot.eff.org/instructions).

    The installation guide provides up-to-date instructions for various Linux distributions and package managers, ensuring you get the most current version and proper Nginx plugin integration.

    After installation, you can verify that Certbot has been installed correctly by running:

    ```bash
    certbot --version
    ```
</Step>

<Step title="Request Certificate Using Certbot">
    Run the following command to request a certificate from Infisical:

    ```bash
    sudo certbot certonly \
      --nginx \
      --server "https://your-infisical-instance.com/api/v1/cert-manager/acme/applications/{application-id}/profiles/{profile-id}/directory" \
      --eab-kid "your-eab-key-identifier" \
      --eab-hmac-key "your-eab-secret" \
      -d example.infisical.com \
      --email [email protected] \
      --agree-tos \
      --non-interactive
    ```

    For guidance on each parameter:

    - `certonly`: Instructs Certbot to request a certificate without modifying and reloading your Nginx configuration file(s); this mode is recommended if you prefer to manage your Nginx TLS configuration manually, use automation tools, or integrate certificates into an existing deployment workflow.
    - `--nginx`: Specifies the Nginx plugin so Certbot can solve the [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge by creating temporary files served by Nginx.
    - `--server`: The Infisical ACME directory URL from Step 1. This instructs Certbot to communicate with Infisical's ACME server instead of Let's Encrypt.
    - `--eab-kid`: Your External Account Binding (EAB) Key Identifier from Step 1.
    - `--eab-hmac-key`: The EAB secret associated with the KID from Step 1.
    - `-d`: Specifies the domain name for which the certificate is being requested.
    - `--email`: The contact email for expiration notices and account recovery.
    - `--agree-tos`: Accepts the ACME server’s Terms of Service.
    - `--non-interactive`: Runs Certbot without prompting for user input (recommended for automation).

    The Certbot command generates a private key on your server, creates a Certificate Signing Request (CSR) using that key, and sends the CSR to Infisical for certificate issuance. Certbot stores the private key and resulting leaf certificate and full certificate chain in `/etc/letsencrypt/live/{domain-name}/`.

    If `--certonly` is used: Certbot does **not** modify your Nginx configuration, so you must manually update your Nginx server block to reference the new certificate files and reload the server to apply the changes.

    Here's how you can configure your server block:

    ```nginx
    server {
        listen 443 ssl;
        server_name example.infisical.com;

        ssl_certificate     /etc/letsencrypt/live/example.infisical.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.infisical.com/privkey.pem;

        # ...your existing configuration...
    }

    ```

    After updating the server block, you should test and reload Nginx to apply the changes:

    ```bash
    sudo nginx -t
    sudo systemctl reload nginx
    ```

    If `--certonly` was **not** used: Certbot uses Nginx installer mode, which attempts to automatically configure HTTPS by updating your Nginx server block and reloading the server if needed.

    At this point, your Nginx server should be successfully serving HTTPS using the certificate issued by Infisical.
</Step>

<Step title="Verify Certificate Installation">
    After configuring Nginx SSL, verify that your certificate was issued correctly and Nginx is serving it properly.

    Check that the certificate files were created by Certbot:

    ```bash
    sudo ls -la /etc/letsencrypt/live/example.infisical.com/
    ```

    You should see files like:
    - `cert.pem` (your certificate)
    - `chain.pem` (certificate chain)
    - `fullchain.pem` (certificate + chain)
    - `privkey.pem` (private key)
</Step>

<Step title="Renew Your Certificate with Certbot">
    Certbot automatically installs a `systemd` timer during installation. This timer runs twice per day and checks whether any certificates are due for renewal. Because Certbot stores the ACME server URL and EAB credentials from your initial request, renewal will automatically use the same Infisical ACME configuration—no additional settings are required.

    Note that Certbot automatically renews certificates when they are within 30 days of expiration; renewal settings can be adjusted in `/etc/letsencrypt/renewal/{domain-name}.conf`.

    ```ini
    # ... your existing configuration ...

    renew_before_expiry = 30 days
    ```

    To test the renewal process, run the following command:

    ```bash
    sudo certbot renew --dry-run
    ```

    This command simulates the full renewal process without modifying your active certificate. If the dry run succeeds, automatic renewal will work as expected.

    To trigger an actual renewal immediately, run the following command:

    ```bash
    sudo certbot renew --force-renewal
    ```

    Note that after a certificate is renewed, Nginx must be reloaded so it can begin using the new certificate. To do this, run the following command:

    ```bash
    systemctl reload nginx
    ```

    To automate the process of renewing a certificate and reloading Nginx, you can create a simple deploy hook that Certbot will run after every successful renewal.

    Inside `/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh`, add the following:

    ```bash
    #!/bin/sh
    systemctl reload nginx
    ```

    Then make the hook executable:

    ```bash
    sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
    ```

</Step>
</Steps>

What's Next?

<CardGroup cols={2}> <Card title="Apache with Certbot" icon="server" href="/documentation/platform/pki/guides/applications/apache-certbot"> Set up ACME for Apache web servers. </Card> <Card title="Certificate Syncs" icon="arrows-rotate" href="/documentation/platform/pki/applications/certificate-syncs/overview"> Push certificates to cloud destinations. </Card> <Card title="Alerting" icon="bell" href="/documentation/platform/pki/applications/alerting/overview"> Get notified when certificates are about to expire. </Card> <Card title="ACME Enrollment" icon="robot" href="/documentation/platform/pki/applications/enrollment-methods/acme"> Learn more about ACME enrollment configuration. </Card> </CardGroup>