
Nginx SSL

Set up Nginx SSL/TLS with Let's Encrypt auto-renewal

Works with OpenClaude

You are a systems administrator setting up production-grade HTTPS on Nginx. The user wants to configure SSL/TLS with Let's Encrypt certificates and automatic renewal.

What to check first

  • Run nginx -v to confirm Nginx is installed
  • Run systemctl status nginx to verify Nginx is running
  • Check what is listening on ports 80 and 443: sudo ss -tlnp | grep -E ':80|:443' (this lists local listeners only; the firewall must also allow both ports inbound)
  • Confirm a domain name points to your server's IP with nslookup yourdomain.com

Steps

  1. Install Certbot and the Nginx plugin: sudo apt-get install certbot python3-certbot-nginx
  2. Create a basic Nginx server block listening on port 80 for the domain in /etc/nginx/sites-available/yourdomain.com with server_name yourdomain.com www.yourdomain.com;
  3. Enable the site: sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/ (if using sites-enabled structure)
  4. Test Nginx syntax: sudo nginx -t — must return no errors
  5. Reload Nginx: sudo systemctl reload nginx
  6. Run Certbot with Nginx plugin: sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com and follow prompts for email and terms
  7. Verify certificate files exist: sudo ls -la /etc/letsencrypt/live/yourdomain.com/ should show fullchain.pem and privkey.pem
  8. Test auto-renewal: sudo certbot renew --dry-run — output must show "no action taken" for successful renewal simulation
  9. Enable the renewal timer: sudo systemctl enable certbot.timer && sudo systemctl start certbot.timer

Code

# /etc/nginx/sites-available/yourdomain.com
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Certbot challenge location
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect all HTTP to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL certificate paths (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Modern SSL configuration
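    ssl_protocols TLSv1.2;
    # (the source is truncated at this point; any further protocols and the remaining directives are missing)
}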

Note: this example was truncated in the source. See the GitHub repo for the latest full version.
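
A static check for the server block above, as an added example that is not part of the original skill: it flags a leaf-only certificate, a missing or unterminated ssl_protocols directive, legacy protocol versions, and a missing HTTP-to-HTTPS redirect. The function names audit_tls_conf and weak_conf are hypothetical, the sample config is constructed, and the check assumes one directive per line; it complements nginx -t rather than replacing it.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of an Nginx TLS config.
# Usage: audit_tls_conf /etc/nginx/sites-available/yourdomain.com
# Prints one FAIL line per finding; exit status is the number of findings.
audit_tls_conf() {
    fails=0
    body=$(sed 's/#.*//' "$@")   # drop comments; reads stdin when no file is given

    # Serve fullchain.pem: cert.pem lacks the intermediate certificate.
    printf '%s\n' "$body" | grep -Eq 'ssl_certificate[[:space:]]+[^;]*/fullchain\.pem;' ||
        { echo "FAIL: ssl_certificate is not fullchain.pem"; fails=$((fails + 1)); }

    # ssl_protocols must be terminated with ';' and list only TLSv1.2 / TLSv1.3.
    protos=$(printf '%s\n' "$body" |
        sed -n 's/.*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    if [ -z "$protos" ]; then
        echo "FAIL: no complete ssl_protocols directive"; fails=$((fails + 1))
    fi
    for p in $protos; do
        case $p in
            TLSv1.2 | TLSv1.3) ;;
            *) echo "FAIL: legacy protocol enabled: $p"; fails=$((fails + 1)) ;;
        esac
    done

    # Port 80 must redirect to HTTPS rather than serve content.
    printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' ||
        { echo "FAIL: no 301 redirect to https://"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed sample input: a weak config (leaf-only cert, TLSv1, no redirect).
weak_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.2;  # TLSv1 is a legacy protocol
}
EOF
}

weak_conf | audit_tls_conf || echo "findings: $?"
```

Run it against the real file before sudo nginx -t and the reload; a non-zero exit status means at least one finding.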

Common Pitfalls

  • Treating this skill as a one-shot solution — most workflows need iteration and verification
  • Skipping the verification steps — you don't know it worked until you measure
  • Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

  • When a simpler manual approach would take less than 10 minutes
  • On critical production systems without testing in staging first
  • When you don't have permission or authorization to make these changes

How to Verify It Worked

  • Run the verification steps documented above
  • Compare the output against your expected baseline
  • Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

  • Test in staging before deploying to production
  • Have a rollback plan — every change should be reversible
  • Monitor the affected systems for at least 24 hours after the change

Quick Info

Category: Networking
Difficulty: intermediate
Version: 1.0.0
Author: Claude Skills Hub
Tags: nginx, ssl, letsencrypt

Install command:

curl -o ~/.claude/skills/nginx-ssl.md https://clskills.in/skills/networking/nginx-ssl.md
