Configure Nginx-LE

Use the nginx-le config command to configure you Nginx-LE container.

When you run config, Nginx-LE will destroy and create a new container with the new settings.

When running nginx-le config you will prompted to answer a no. of questions


Enter the fully qualified domain name of your nginx-le host.



Enter the top level domain (TLD) for your nginx-le host.






Enter the web servers mode. This is either public or private.

A public web server is one that can be reached (directly or via NAT etc) via a public ip address.

A private web server is one that can only be reached via a private ip address.

Wildcard or FQDN

Nginx-le allows you to acquire a wild card certificate (* or a FQDN certificate (

You should only use a wild card certificates if you have multiple web servers running of the same domain.

Certbot normally expects you to manually distribute wildcard certificates within your own organisations so the wild card option is only usable with nginx-le in limited circumstances.


Lets you choose the type of certificate to acquire.

Select production to get a production certificate.

Select staging to get a staging/test certificate.

Use this staging option if you are destroying/recreating your web server during testing. Certbot has hard limits on the no. of production certificates you can acquire per day (5 per day) where you can get a far larger no. of staging certificates.

Auth Providers

To acquire a LetsEncrypt certificate you must be able to prove that you own the domain for which the certificate is being issued.

Nginx-LE supports a number of Certbot Authentication methods (Auth Providers).

Auth Provider

Usage Case



For a public web server using a FQDN certificate.

Your web server must be accessible on a public ip address. This is the simplest form of validation as it works with any DNS provider. Port 80 must be open.


For public and private web servers. Supports FQDN and wildcard certificates.

The most flexible auth provider, your DNS must be hosted with Cloudflare.


For public and private web servers. Supports FQDN and wildcard certificates.

Not recommended. The namecheap api is dangerous and currently limited to domains that have no more than 10 A records.

Content Provider

The configure command lets you set how the content is to be served.

Nginx-LE supports four types of Content Providers




Serve static web content from a local folder.

Generic Proxy

Pass requests through to a Web Application server that can respond to HTTP requests. This is normally on the same host as the Nginx-LE server as the connection is not encrypted.

Tomcat Proxy

Pass requests to a local Tomcat web application server on port 8080.


Allows you to configure your own Nginx location and upstream settings.

Static Content Provider

The static Content Provider allows you to serve static content from a local directory (e.g. index.html)

The Static Content Provider will request the path to your static content and the default html file.

Generic Proxy Content Provider

The Generic proxy Content Provider allows you to proxy requests through to a web application server.

The Nginx-LE container exposes the secure HTTPS connection and then passes all requests through to your web application server via HTTP.

Please note that normally you need to select a port other than 80 as Nginx-LE needs to accept requests on port 80 for certificate acquisition and renewals.

Tomcat Proxy Content Provider

Designed to work with the java based Tomcat Web application Server.

The Tomcat proxy allows you to configure the port and context the Tomcat server operates on.

Custom Content Provider

The Custom Content Provider allows you to configure your own Location and Upstream files.

Location of nginx include files

By default nginx-le configures nginx to look for files in /opt/nginx/include on the host system. Change the path to have nginx-le load the include files from a different directory.

Paused Mode

The start paused option is mainly used by the Nginx-LE team for diagnosing startup issues.

When you place Nginx-LE into start paused mode it will not start the nginx server nor attempt to acquire a certificate.

Once you start Nginx-LE in paused mode you can attach to the Nginx-LE docker container and explore its configuration.

You can connect to the Nginx-LE container (even when not in paused mode) by running nginx-le cli.

Errors are notified via email

Enter an email address where errors are emailed to.

SMTP Server

The FQDN of your SMTP Server which will be used to notify errors.

SMTP Server Port

The Port of your SMTP Server which will be used to notify errors.

Start Method

Select the method by which you are going to start Nginx-LE



nginx-le start

The simplest method. nginx-le config will create a container. Use nginx-le start and nginx-le stop to start/stop the container.

docker start/run

nginx-le config will create a container. Use docker start and docker stop to start/stop the container.


docker-compose up will create and start the container. See the section on docker-compose for details

The config command saves each of the entered settings so that you don't have to pass them when running other commands.

Select the nginx-le image

Allows you to choose which version of nginx-le docker image to run. Mostly you should choose 'latest'.

Last updated