π Install Free SSL (Let’s Encrypt) for domain.tld on ISPmanager with NGINX
π§ Introduction
This guide walks you through installing a free SSL certificate from Let’s Encrypt on a server running ISPmanager with NGINX. We’ll use Certbot in standalone mode to obtain the certificate, then configure NGINX to serve the site over HTTPS.
β Prerequisites
- A valid domain (e.g.
domain.tld,www.domain.tld) pointed to your server’s IP. - Root SSH access.
- ISPmanager installed.
- NGINX as your active web server (default in ISPmanager).
βοΈ Step-by-Step Guide
1. Update Package List & Install Certbot
apt update && apt install certbot -y
2. Stop NGINX Temporarily (for standalone validation)
systemctl stop nginx
3. Obtain SSL Certificate via Certbot
certbot certonly --standalone -d domain.tld -d www.domain.tld --agree-tos --email [email protected] --non-interactive
βοΈ Certbot will store the certificates at:
- Certificate:
/etc/letsencrypt/live/domain.tld/fullchain.pem - Private Key:
/etc/letsencrypt/live/domain.tld/privkey.pem
4. Start NGINX Again
systemctl start nginx
5. Locate Your Domainβs NGINX Config
grep -Ri "server_name domain.tld" /etc/nginx/
Example output might be:
/etc/nginx/vhosts/www-root/domain.tld.conf
6. Edit the Virtual Host Configuration
Open the config:
vim /etc/nginx/vhosts/www-root/domain.tld.conf
Inside the server block for port 443 ssl, add or verify:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
π‘ Also add an HTTP redirect block (if not present):
server {
listen 80;
server_name domain.tld www.domain.tld;
return 301 https://$host$request_uri;
}
7. Test and Reload NGINX
nginx -t && systemctl reload nginx
βοΈ You should see:
nginx: configuration file /etc/nginx/nginx.conf test is successful
8. Verify in Browser
Visit:
https://domain.tld
You should see the padlock icon indicating the site is secure.
π Certificate Auto-Renewal
Certbot installs an auto-renew cron job. You can test it with:
certbot renew --dry-run
π§° Notes for ISPmanager
- If the ISPmanager panel fails to issue Let’s Encrypt, using Certbot CLI is a reliable alternative.
- Manual configuration of SSL paths in NGINX is required when skipping the panel.
- Use the panel only for basic management; CLI gives you more control and logging.