Hetzner/IONOS: Automate renewal of free SSL Certificates with NGINX Proxy Manager

I see a lot of people struggling with setting up https:// in their homelab. In some cases you can't avoid it (for example with Vaultwarden). With this guide you can automatically create and renew SSL certificates for your homelab web server with the help of Let's Encrypt and NGINX Proxy Manager.

If you want to use certbot instead of NGINX Proxy Manager, read this blog post: SSL certificates with certbot (IONOS or Hetzner).

Requirements

  • a domain you own
  • an account at Hetzner or IONOS
  • NGINX Proxy Manager

I won’t explain the setup of NGINX Proxy Manager; there are plenty of guides you can find online (Link: Official NGINX Proxy Manager setup).

DNS and API Token

Below you will find the instructions for Hetzner and IONOS. Select your preferred provider.

Hetzner

This guide has been updated for the new “Hetzner Console”; the old “Hetzner DNS” (https://dns.hetzner.com) will be discontinued by Hetzner.

  1. First of all, we start in Hetzner. Log into your account and switch to the “Console” section on the top right. It is also available at https://console.hetzner.com/projects
  2. Open your existing project or create a new one if you don’t have one yet.
  3. Switch to “DNS” at “Networking” on the right.
  4. If you don’t already have your domain in the Hetzner Console, set it up with “Add new zone”.
  5. Enter your DNS zone (in my example “torminal.com”) and click “continue”.
  6. You have to add the name servers from Hetzner at the hoster of your domain. Please look into guides for your specific hoster (something like: “{Name of hoster} add custom nameservers for domain”).
  7. After that, your new zone is available in the DNS console and Hetzner is now the main DNS manager for your domain.
  8. In the dashboard of the Console, click on “Security”.
  9. In “Security” choose “API-Tokens” and “Add API-Token” on the top right.
  10. Enter a name for your token in “Description”, choose “Read and write” permissions and click on “Create Access Token”.
  11. Save the token securely.

IONOS
  1. First of all, we start in IONOS. Log into your account.
  2. If not already done, you need to get access to the IONOS API at IONOS API Shop
  3. “Buy” the free API Add-On
  4. Next go to the API key portal
  5. Add a new key and give it a name (for example: “homelab”)
  6. Save the token securely.

NGINX Proxy Manager: Set up SSL Certificate

  1. Open your NGINX Proxy Manager in the browser and log in.
  2. Switch to “Certificates”.
  3. Click on “Let’s Encrypt via DNS” on the top right.
  4. Enter the domain name you want to use.
  5. Select “Use a DNS Challenge”:
     a. As “DNS Provider”, select your provider (Hetzner Cloud or IONOS).
     b. A new field “Credentials File Content” will pop up.
     c. Enter the API token that you created in the beginning at Hetzner or IONOS, as required by NGINX Proxy Manager.
  6. Confirm the Terms of Service and click on save.
  7. Now it will process for some time. NGINX Proxy Manager will use the API to create a TXT DNS entry for your domain, which validates the DNS challenge for Let’s Encrypt. If you are interested, there is more information about that challenge in the official Let’s Encrypt docs.
  8. After the processing has (hopefully) successfully finished, you have a new SSL certificate in NGINX Proxy Manager that you can use for your hosts.
  9. NGINX Proxy Manager will renew the SSL certificate automatically for you in the future (as long as you don’t delete it).

Fix issues

If you get an error when requesting the SSL Cert:

  • Is your API token entered and saved correctly?
  • Can your server reach the API service of Hetzner / IONOS?
  • For Hetzner: did you successfully add your domain to the DNS console and set the Hetzner nameservers at your domain hoster? You can test that by manually adding an entry in the Hetzner DNS console and using an online DNS lookup tool to check whether the record was successfully registered.
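
The last check can also be done from a shell instead of an online lookup tool. The script below is an added example, not part of the original post: it verifies that the zone is delegated only to nameservers under the suffix you pass in (take it from the nameservers shown in your DNS console) and that each of those servers already serves the manually created test TXT record. It assumes `dig` is installed; the function names and arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. The live check needs `dig`.
# Usage: sh check-dns.sh <zone> <expected-ns-suffix> [<txt-name> <txt-value>]

# stdin: nameserver names, one per line (format of `dig +short NS`).
# Succeeds only if there is at least one name and all end in ".<suffix>".
ns_all_match() {
    suffix=${1%.}
    count=0
    while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        case "${ns%.}" in
            *."$suffix") count=$((count + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# stdin: `dig +short TXT` output (one quoted string per line).
txt_has_value() {
    while IFS= read -r line; do
        [ "$line" = "\"$1\"" ] && return 0
    done
    return 1
}

# Checks delegation, then asks each authoritative server for the test record.
check_zone() {
    zone=$1; nssuffix=$2; name=$3; value=$4
    servers=$(dig +short NS "$zone" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$servers" | ns_all_match "$nssuffix"; then
        echo "FAIL: $zone is not delegated exclusively to *.$nssuffix" >&2
        return 1
    fi
    echo "OK: $zone is delegated to *.$nssuffix"
    [ -n "$name" ] || return 0
    rc=0
    for ns in $servers; do
        if dig +short TXT "$name" "@$ns" | txt_has_value "$value"; then
            echo "OK: $ns serves $name"
        else
            echo "FAIL: $ns does not serve $name yet" >&2
            rc=1
        fi
    done
    return "$rc"
}
if [ "$#" -ge 2 ]; then check_zone "$@"; fi
```

Querying each authoritative server directly avoids stale answers from resolver caches, so a mixed result (old and new nameservers listed together) shows up immediately as a failed delegation check.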
Author
torminal
IT enthusiast
