Nginx SSL Certificate Renewal and Updates Let's Encrypt Auto-Renewal
Learn how to update Nginx for SSL certificate renewal, test auto-renewal, and handle certificate updates without downtime.
Nginx SSL Certificate Renewal and Updates
Let's Encrypt certificates expire every 90 days. This guide covers auto-renewal and updating Nginx.
How Auto-Renewal Works
Certbot installs a systemd timer that checks for renewal twice daily:
# Check the timer sudo systemctl list-timers | grep certbot # The timer runs: # certbot renew --quiet
When a certificate is within 30 days of expiry, certbot renews it and runs the deploy-hook to reload Nginx.
Testing Auto-Renewal
# Simulate renewal (doesn't actually renew) sudo certbot renew --dry-run # Expected output: # "Congratulations, all simulated renewals succeeded"
If this fails, auto-renewal won't work. Fix the issue before the certificate expires.
Manual Renewal
# Renew all certificates sudo certbot renew # Renew a specific domain sudo certbot renew --cert-name yourdomain.com
Reload Nginx After Renewal
# Set up the deploy hook sudo certbot renew --deploy-hook "systemctl reload nginx" # Or configure it permanently echo 'systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Adding a New Domain to SSL
# Add a new domain to existing certificate sudo certbot --nginx -d new.yourdomain.com # Or create a new certificate sudo certbot --nginx -d new.yourdomain.com --cert-name new-domain
Updating SSL Configuration
server { listen 443 ssl http2; server_name api.yourdomain.com; # Updated SSL settings ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # Modern SSL settings ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; }
Checking Certificate Expiry
# Check all certificates sudo certbot certificates # Check specific certificate echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates # Output: # notBefore=Jul 7 10:30:00 2026 GMT # notAfter=Oct 5 10:30:00 2026 GMT
Setting Up Expiry Alerts
# Create a script to check and alert sudo nano /usr/local/bin/check-ssl-expiry.sh
#!/bin/bash DAYS_THRESHOLD=30 domains=("api.yourdomain.com" "app.yourdomain.com") for domain in "${domains[@]}"; do expiry_date=$(echo | openssl s_client -connect "$domain:443" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2) expiry_epoch=$(date -d "$expiry_date" +%s) now_epoch=$(date +%s) days_left=$(( (expiry_epoch - now_epoch) / 86400 )) if [ "$days_left" -lt "$DAYS_THRESHOLD" ]; then echo "WARNING: $domain expires in $days_left days" fi done
sudo chmod +x /usr/local/bin/check-ssl-expiry.sh # Add to cron echo "0 9 * * * /usr/local/bin/check-ssl-expiry.sh" | sudo crontab -
The Takeaway
SSL certificate renewal is automatic with certbot. Test with certbot renew --dry-run, set up a deploy hook to reload Nginx after renewal, check expiry with certbot certificates, add new domains with certbot --nginx -d new.domain, and set up expiry alerts with a cron job. Modern SSL settings include TLSv1.2/1.3, strong ciphers, OCSP stapling, and HSTS.
Certbot sets up a systemd timer that runs 'certbot renew' twice daily. When a certificate is within 30 days of expiry, it renews automatically. Set up a deploy hook to reload Nginx: create /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh with 'systemctl reload nginx'. Test with certbot renew --dry-run.
Run sudo certbot renew --dry-run. This simulates the renewal process without actually renewing. If it succeeds, auto-renewal is working. If it fails, check the error message common issues are port 80 not accessible or Nginx config errors.
Set up a deploy hook: create /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh with 'systemctl reload nginx', make it executable. Or run 'sudo certbot renew --deploy-hook "systemctl reload nginx"'. The deploy hook runs automatically after each successful renewal.
Run 'sudo certbot certificates' to see all certificates with expiry dates. Or use 'echo | openssl s_client -connect yourdomain.com:443 | openssl x509 -noout -dates' to check a specific domain. Set up a cron job to alert when certificates are within 30 days of expiry.
Run sudo certbot --nginx -d new.yourdomain.com. Certbot obtains the certificate and updates Nginx config automatically. For a separate certificate, use --cert-name. Ensure the subdomain's DNS A record points to your server before running certbot.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

