> For the complete documentation index, see [llms.txt](https://nginxle.onepub.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://nginxle.onepub.dev/certificate-management.md). # Certificate management Nginx-le automates the acquisition and renewal of certificates. However we also provide cli tooling to let you directly control certificate acquisition. The cli commands are primarily used by the nginx-le team to test nginx-le. When configuring nginx-le you need to select the correct Certbot Auth provider based on: 1\) public or private web server 2\) your dns provider (for a private web server) A public web server is one that is accessible on the web with a public ip address. A private web server is one that is only visible on your internal private network. ## Acquiring/Renewing certificates ### Public Mode Public mode is only suitable for web servers which are directly accessible on the internet. To be considered directly accessible it MUST: * Be able to accept requests on a public IP address. * Both port 80 and 443 must be exposed on the above public IP address. The public access can be via a NAT, proxy or other suitable mechanism. If your Nginx-LE web server is in public mode then you can use the HTTP01Auth Auth Provider method unless you need a wildcard. If you need to acquire a wild card certificate (\*.nginx.com) then you must use one of the DNS auth methods. There is no specific setting required on the Nginx-LE container for public mode, it simply limits which Auth Providers you can choose from. ### Private Mode Private mode is only suitable for any web servers but some Auth Providers don't support Private Mode servers. A Private mode web server is one that doesn't isn't accessible from the public internet. A development, test or internal web server will typically be private. A Private web server must still have port 443 open (but only visible locally -be that your dev PC or your office network) however port 80 is not required. If your Nginx-LE web server is in private mode then you can NOT use the HTTP01Auth method. You must use one of the DNS Auth Providers. You will still need to have a valid DNS entry for your web server on a public DNS provider that is supported by one of Nginx-LE's DNS Auth Providers. The IP address of the DNS A record does not need to be valid and can be a private IP address. The IP address is not used. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://nginxle.onepub.dev/certificate-management.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.