Certificate management

Nginx-le automates the acquisition and renewal of certificates. However we also provide cli tooling to let you directly control certificate acquisition. The cli commands are primarily used by the nginx-le team to test nginx-le.

When configuring nginx-le you need to select the correct Certbot Auth provider based on:

1) public or private web server

2) your dns provider (for a private web server)

A public web server is one that is accessible on the web with a public ip address.

A private web server is one that is only visible on your internal private network.

Acquiring/Renewing certificates

Public Mode

Public mode is only suitable for web servers which are directly accessible on the internet.

To be considered directly accessible it MUST:

  • Be able to accept requests on a public IP address.

  • Both port 80 and 443 must be exposed on the above public IP address.

The public access can be via a NAT, proxy or other suitable mechanism.

If your Nginx-LE web server is in public mode then you can use the HTTP01Auth Auth Provider method unless you need a wildcard.

If you need to acquire a wild card certificate (*.nginx.com) then you must use one of the DNS auth methods.

There is no specific setting required on the Nginx-LE container for public mode, it simply limits which Auth Providers you can choose from.

Private Mode

Private mode is only suitable for any web servers but some Auth Providers don't support Private Mode servers.

A Private mode web server is one that doesn't isn't accessible from the public internet. A development, test or internal web server will typically be private.

A Private web server must still have port 443 open (but only visible locally -be that your dev PC or your office network) however port 80 is not required.

If your Nginx-LE web server is in private mode then you can NOT use the HTTP01Auth method. You must use one of the DNS Auth Providers.

You will still need to have a valid DNS entry for your web server on a public DNS provider that is supported by one of Nginx-LE's DNS Auth Providers.

The IP address of the DNS A record does not need to be valid and can be a private IP address. The IP address is not used.

Last updated