SSL certificates with NGINX Proxy Manager (IONOS or Hetzner)


Introduction

I see a lot of people struggling with setting up https:// in their homelab - in some cases, you can't avoid it (for example Vaultwarden). With this guide you can automatically create and renew SSL certificates for your homelab webserver with the help of Let's Encrypt and the NGINX Proxy Manager.


Requirements

  • a domain you own
  • an account at Hetzner or IONOS
  • NGINX Proxy Manager

I won’t explain the setup of the NGINX Proxy Manager; there are plenty of guides you can find online (Official NGINX Proxy Manager setup).


DNS and API Token

Below you find the instructions for Hetzner or IONOS. Select your preferred provider.

Hetzner
  1. First of all, we start in Hetzner. Log into your account and switch to the “DNS” section in the top right.
  2. If your domain is not already in the Hetzner DNS Console, set it up with “Add new zone”.
  3. Enter your DNS zone (in my example “torminal.com”) and click “continue”. You can leave “Auto scanning for records” activated.
  4. Hetzner will now scan for some time; wait until it is finished.
  5. Click continue again - you will see “Verify ownership for your domain”.
  6. You have to add the Hetzner name servers at the hoster of your domain. Please look into guides for your specific hoster (something like: “{Name of hoster} add custom nameservers for domain”).
  7. After that, your new zone is available in the DNS console and Hetzner is now the main DNS manager for your domain.
  8. In the dashboard of the DNS Console, click on “Manage API tokens” - we need the token to set up Let's Encrypt / certbot later.
  9. Enter a name for your token in “Token name” and click on “Create Access Token”.
  10. Save the token securely.

IONOS
  1. First of all, we start in IONOS. Log into your account.
  2. If not already done, you need to get access to the IONOS API at the IONOS API Shop.
  3. “Buy” the free API Add-On.
  4. Next, go to the API key portal.
  5. Add a new key and give it a name (for example: “homelab”).
  6. Save the token securely.


NGINX Proxy Manager: Set up SSL Certificate

  1. Open your NGINX Proxy Manager in the browser and log in.
  2. Switch to “SSL Certificates”.
  3. Click on “Add SSL Certificate” on the top right.
  4. Select “Let's Encrypt”.
  5. Enter your domain name and an email address you want to use (required by Let's Encrypt).
  6. Select “Use a DNS Challenge”.
    a. As “DNS Provider” select the provider you used (IONOS or Hetzner).
    b. A new field “Credentials File Content” will pop up.
    c. Enter the API token that you created in the beginning.
    d. For IONOS you need the prefix and the key. The endpoint is filled in for you:
    dns_ionos_prefix = myapikeyprefix
    dns_ionos_secret = verysecureapikeysecret
    dns_ionos_endpoint = https://api.hosting.ionos.com

    e. For Hetzner you just need your key:
    dns_hetzner_api_token = verysecureapikeysecret

  7. Confirm the Terms of Service and click on save.
  8. Now it will process for some time. The NGINX Proxy Manager will create a TXT DNS entry for your domain with the help of the Hetzner / IONOS API to validate the DNS challenge for Let's Encrypt. If you are interested, there is more information about that challenge in the official Let's Encrypt docs.
  9. After the processing has (hopefully) successfully finished, you have a new SSL certificate in NGINX Proxy Manager that you can use for your hosts.
  10. NGINX Proxy Manager will renew the SSL certificate automatically for you in the future (as long as you don't delete it).

Fix issues

If you get an error in NGINX Proxy Manager when requesting the SSL Cert:

  • Is your API token entered correctly?
  • Can the host NGINX Proxy Manager runs on reach the API service of Hetzner / IONOS?
  • For Hetzner: did you successfully add your domain to the DNS console before and set the Hetzner nameservers at your domain hoster? You can test that by manually adding an entry in the DNS Console of Hetzner and using an online DNS lookup tool to check whether the record was successfully registered.
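
To answer the first question above before pasting anything into the “Credentials File Content” field, here is a small linter (an added example, not part of the original post and not NGINX Proxy Manager's own code). The function name `lint_credentials` is hypothetical, the key names are the ones shown in this guide, the whitespace rule is a heuristic, and the sample input is constructed.

```python
# Added example, not from the original post. Key names are the ones shown in
# this guide; the whitespace rule is a heuristic for copy/paste damage.
REQUIRED = {
    "ionos": {"dns_ionos_prefix", "dns_ionos_secret", "dns_ionos_endpoint"},
    "hetzner": {"dns_hetzner_api_token"},
}
# Placeholder values used in the guide's snippets; they must be replaced.
PLACEHOLDERS = {"myapikeyprefix", "verysecureapikeysecret"}


def lint_credentials(provider, text):
    """Return a list of problems (empty list = OK). Values are never echoed."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            problems.append(f"line {n}: expected 'key = value'")
            continue
        if key in seen:
            problems.append(f"line {n}: duplicate key {key}")
        seen[key] = value
        if not value:
            problems.append(f"line {n}: {key} is empty")
        elif value in PLACEHOLDERS:
            problems.append(f"line {n}: {key} still holds the guide's placeholder")
        elif any(ch.isspace() for ch in value):
            problems.append(f"line {n}: {key} contains whitespace")
        elif key.endswith("_endpoint") and not value.startswith("https://"):
            problems.append(f"line {n}: {key} is not an https:// URL")
    required = REQUIRED[provider]
    problems += [f"missing key {k}" for k in sorted(required - set(seen))]
    problems += [f"unexpected key {k}" for k in sorted(set(seen) - required)]
    return problems


if __name__ == "__main__":
    # Constructed sample: placeholder left in, secret broken by a stray space.
    sample = "dns_ionos_prefix = myapikeyprefix\ndns_ionos_secret = abc def\n"
    for problem in lint_credentials("ionos", sample):
        print(problem)
```

The linter reports key names and line numbers only, so its output can be shared when asking for help without exposing the token.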
Author
torminal
IT enthusiast