This is a description of my basic web server setup:

I use nginx web server and certbot for the Let’s Encrypt certificate generation. Let’s install those:

# zypper in nginx certbot

The nginx web server has its configuration in /etc/nginx directory. The main configuration file nginx.conf is in most cases fine as it.

The certbot will ask you for your e-mail address while being executed for the first time which I find usefull in case something goes wrong and the certificate is about to expire.

Nginx configuration snippets

I have two configuration snippets which I usually include into all of my virtual hosts.

  1. ssl.conf
# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparams.pem 4096
# cat /etc/nginx/ssl.conf
ssl_dhparam ssl/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
  1. letsencrypt.conf
# mkdir /var/www/letsencrypt
# cat /etc/nginx/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
  allow all;

  default_type "text/plain";
  root /var/www/letsencrypt;

  access_log /var/log/nginx/letsencrypt.access.log;
  error_log /var/log/nginx/letsencrypt.error.log error;

location = /.well-known/acme-challenge/ {
  return 404;

Nginx virtual hosts

  1. For being able to get the certificate, we must have HTTP virtual host:
# cat /etc/nginx/vhosts.d/
server {
  listen 80;
  listen [::]:80;

  include letsencrypt.conf;

  access_log /var/log/nginx/;
  error_log /var/log/nginx/ error;
# systemctl reload nginx.service
  1. Now we can obtain the certificate from Let’s Encrypt:
# certbot certonly --webroot --noninteractive -w /var/www/letsencrypt/ -d -d
  1. We may now create the HTTPS virtual host which I usually do in the same file:
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;


  include ssl.conf;
  include letsencrypt.conf;
  ssl_certificate /etc/letsencrypt/live/;
  ssl_certificate_key /etc/letsencrypt/live/;

  access_log /var/log/nginx/;
  error_log /var/log/nginx/ error;

4a) If HTTP to HTTPS redirection is needed we may add this:

return 301 https://$host$request_uri;

4b) If we wanna server static files (e.g. Hugo generated site):

index index.html;
root /var/www/;
try_files $uri $uri/ =404;

4c) For proxying traffic to the external software, another server or container:

location / {
  proxy_http_version 1.1;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";

Let’s Encrypt auto renewal systemd timer

  1. For the systemd-timer auto renewal we need .timer file and .service file:
# cat /etc/systemd/system/certbot-renewal.service
Description=Certbot Renewal

ExecStart=/usr/bin/certbot renew --post-hook "systemctl reload nginx"

# cat /etc/systemd/system/certbot-renewal.timer
Description=Timer for Certbot Renewal


  1. Now we need to enable and start this timer:
# systemctl enable --now certbot-renewal.timer
  1. We may check the status of the timer by those commands:
# systemctl list-timers
NEXT                          LEFT                LAST                                PASSED       UNIT                         ACTIVATES
Sat 2021-05-08 14:42:49 CEST  6 days left         Sat 2021-05-01 14:42:49 CEST        36min ago    certbot-renewal.timer        certbot-renewal.service
# journalctl -u certbot-renewal.service
May 01 14:42:49 witbier systemd[1]: Started Certbot Renewal.
May 01 14:50:26 witbier certbot[20717]: Processing /etc/letsencrypt/renewal/
May 01 14:50:25 witbier certbot[20717]: Cert not yet due for renewal


This setup is in my opinion very clean and easy to maintain. Of course I use special options for special cases but the base looks always like this.