NGINX & Certbot
NGINX (pronounced "engine-x") is a high-performance, open-source web server and reverse proxy server. It's known for its efficient handling of web traffic and its ability to serve as a load balancer. NGINX is widely used to improve website performance, security, and scalability. It can also function as a proxy server for applications and offers features like SSL/TLS termination, caching, and content delivery. NGINX is popular for its speed and reliability in serving web content.
Installation
Install the dependencies:
sudo apt update
sudo apt install curl gnupg2 ca-certificates lsb-release lsof psmisc -y
Import an official Nginx signing key:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
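Ensure that the downloaded file contains the correct key by displaying its fingerprint and comparing it with the one published in the official nginx documentation: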
gpg --dry-run --quiet --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
Now, proceed to set up the APT repository for stable Nginx packages:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
Install NGINX:
sudo apt install nginx -y
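The key check from the import step above can be scripted so that it fails closed instead of relying on a visual comparison. This is an added example, not part of the original guide or of nginx's tooling; the function names, the EXPECTED_FPR placeholder and the sample listing with its fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the keyring's primary keys with fingerprints obtained
# from nginx.org over a separate channel. All sample values are constructed.

A=0123456789ABCDEF0123456789ABCDEF01234567   # constructed primary-key fingerprint
B=FEDCBA9876543210FEDCBA9876543210FEDCBA98   # constructed subkey fingerprint

# Print the fingerprint of every primary key in `gpg --with-colons` output on
# stdin. An "fpr" record belongs to the "pub" or "sub" record before it, so
# subkey fingerprints are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" || $1 == "sub" { last = $1; next }
        $1 == "fpr" && last == "pub" { print toupper($10); last = "" }
    '
}

# keyring_matches FPR...: succeed only if the primary keys on stdin are exactly
# the expected set. An extra key fails too, because apt accepts packages signed
# by any key in the signed-by keyring.
keyring_matches() {
    found=$(primary_fingerprints | sort -u)
    expected=$(printf '%s\n' "$@" | tr -d ' ' | tr 'a-f' 'A-F' | sort -u)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Constructed listing: one primary key ($A) with one subkey ($B).
sample_listing() {
    cat <<EOF
pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::$A:
uid:-::::1700000000::::constructed key <signing@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::$B:
EOF
}

sample_listing | keyring_matches "$A" && echo "keyring matches expected key"

# On the host (EXPECTED_FPR is a placeholder for the published fingerprint):
#   gpg --dry-run --quiet --import --import-options import-show --with-colons \
#       /usr/share/keyrings/nginx-archive-keyring.gpg \
#     | keyring_matches "$EXPECTED_FPR" || echo "unexpected key set" >&2
```

Run the check before adding the repository, and pass every fingerprint the vendor publishes if the key file holds more than one key.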
Launch test
Check the NGINX service status; it may be inactive initially:
sudo systemctl status nginx
Start the service:
sudo systemctl start nginx.service
To test the setup, open your browser and enter localhost in the URL bar, or run the following in your terminal:
curl localhost
You should receive a successful response like the one below:
Output
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Once verified, stop NGINX. Certbot will start and reload it automatically during SSL configuration:
sudo systemctl stop nginx.service
Configuration
Navigate to the configuration directory:
cd /etc/nginx/conf.d
You may find the file default.conf there. You can rename it, or create the files rpc.conf and api.conf:
sudo mv default.conf rpc.conf
sudo nano rpc.conf
sudo nano api.conf
Copy the following template into rpc.conf and replace mynodename with your domain:
rpc.conf
server {
    server_name rpc.sentinel.mynodename.com;

    location / {
        # Forward requests to the RPC service listening on loopback
        proxy_pass http://127.0.0.1:26657;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        # Pass WebSocket upgrade requests through to the backend
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # CORS: any origin is allowed to call this endpoint
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

    # Plain HTTP only; Certbot adds the HTTPS listener later
    listen [::]:80;
    listen 80;
}
Copy the following template into api.conf and replace mynodename with your domain:
api.conf
server {
    server_name api.sentinel.mynodename.com;

    location / {
        # Forward requests to the API service listening on loopback
        proxy_pass http://127.0.0.1:1317;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
    }

    # Plain HTTP only; Certbot adds the HTTPS listener later
    listen [::]:80;
    listen 80;
}
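Both templates proxy to 127.0.0.1, so NGINX is the only intended path to ports 26657 and 1317. If the node binds those ports to a wildcard or public address, clients can reach them directly and bypass the proxy and its TLS. The check below is an added example, not part of the original guide; it assumes `ss` from iproute2 is available, and the function names and sample socket listing are constructed.

```shell
#!/bin/sh
# Added example: flag backend ports that listen on anything other than loopback.

# exposed_backends PORT...: read `ss -ltnH` output on stdin and print the local
# address of every listener on one of the given ports that is not loopback.
exposed_backends() {
    awk -v ports=" $* " '
        {
            local_addr = $4                       # 4th column: Local Address:Port
            n = split(local_addr, parts, ":")
            port = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (index(ports, " " port " ") == 0) next      # not a backend port
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            if (addr ~ /^\[::ffff:127\./) next             # IPv4-mapped loopback
            print local_addr
        }
    '
}

# backends_private PORT...: succeed only if no given port is exposed.
backends_private() {
    [ -z "$(exposed_backends "$@")" ]
}

# Constructed `ss -ltnH` listing: the RPC port is bound to loopback, the API
# port to all interfaces, and NGINX itself to 80/443.
sample_ss() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:26657 0.0.0.0:*
LISTEN 0 4096 *:1317 *:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
EOF
}

if ! sample_ss | backends_private 26657 1317; then
    echo "backend reachable without NGINX:"
    sample_ss | exposed_backends 26657 1317
fi

# On the host:
#   ss -ltnH | exposed_backends 26657 1317
```

Any address it prints should either be rebound to 127.0.0.1 in the node's own configuration or be blocked by the firewall.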
Certbot & SSL
Install the NGINX Certbot plugin:
sudo apt install python3-certbot-nginx -y
Allow HTTP and HTTPS through the firewall:
sudo ufw allow 80,443/tcp
Run Certbot to configure HTTPS and reload NGINX automatically:
sudo certbot --nginx
You will be prompted to:
- Add your email
- Accept the terms and conditions
- Press Enter to select all the listed domains (rpc and api)
Validate NGINX Configuration
Optional: Skip this section if you haven’t changed any NGINX configs since running sudo certbot --nginx.
Check the configuration syntax:
sudo nginx -t
If the test is successful, reload NGINX to apply changes cleanly:
sudo systemctl reload nginx
If anything goes wrong, check the logs:
sudo tail -n 50 /var/log/nginx/error.log
If you encounter no errors, you can finally test whether your RPC is now public:
https://rpc.sentinel.mynodename.com
Renew an SSL Certificate
Optional: Certbot automatically handles SSL renewal and NGINX reloads. Use this section only if you want to verify the process manually.
If you want to verify that everything is working correctly, you can:
- Check the systemd timer that triggers automatic renewals:
systemctl status certbot.timer
Expected output
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
Active: active (waiting) since Thu 2025-12-04 23:22:57 UTC; 28min ago
Trigger: Fri 2025-12-05 01:21:39 UTC; 1h 30min left
Triggers: ● certbot.service
If you see this, automatic renewal is already configured.
- Perform a simulated renewal (safe test that does not replace your certificates):
sudo certbot renew --dry-run
Expected output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.sentinel.mynodename.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for api.sentinel.mynodename.com and rpc.sentinel.mynodename.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/api.sentinel.mynodename.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This optional step ensures that:
- Certificates can be renewed
- NGINX reload works
- No configuration errors are present
This test does not replace your certificates.