If you try to obtain a certificate with sudo certbot --nginx -d mydomain.com -d www.mydomain.com, you might run into the following error because the tls-sni challenge has been disabled.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
NOTE: The above problem can be solved by upgrading Certbot to 0.21.1.
Alternatively, you can set up SSL for nginx using --authenticator webroot.
First, set up nginx to serve /.well-known/acme-challenge/* requests.
Multiple domains can share the same acme-challenge location, for example /usr/share/nginx/letsencrypt or /var/www/letsencrypt.
server {
    ...
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/letsencrypt;
    }
}

Restart nginx.

sudo service nginx restart

Execute certbot with --authenticator webroot.
sudo certbot --authenticator webroot --webroot-path /usr/share/nginx/letsencrypt -d www.mydomain.com

Note: the webroot authenticator writes the challenge files to /usr/share/nginx/letsencrypt/.well-known/acme-challenge/*, and they are then fetched over http://www.mydomain.com/.well-known/acme-challenge/* to validate control of the domain.
Note: /usr/share/nginx/letsencrypt/.well-known/acme-challenge/ is deleted automatically after validation, whether it succeeds or fails.
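Before running certbot it is worth confirming that nginx really serves that path over port 80, since a wrong root or a firewall rule only shows up as a failed challenge. The script below is an added example, not part of the original post; it assumes curl is installed and takes the webroot and domain as arguments (the values in the usage line are placeholders).

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): write a throwaway
# probe file where certbot would put its token and fetch it the way the
# CA validator does. Assumes curl is installed.
# Usage: sh check-acme-webroot.sh /usr/share/nginx/letsencrypt www.mydomain.com

# Create the probe under <webroot>/.well-known/acme-challenge/.
# Prints the token on success; returns 1 if the directory is not writable.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$$-$(date +%s)"
    # No trailing newline, mirroring how certbot writes its challenge files.
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s' "$token"
}

# Fetch the probe over plain HTTP on port 80 (redirects followed, as the
# ACME validator does). Returns 0 only if the body matches the token exactly.
fetch_probe() {
    url="http://$1/.well-known/acme-challenge/$2"
    body=$(curl -fsSL --max-time 10 "$url") || return 1
    [ "$body" = "$2" ]
}

# Remove the probe so it does not linger in the webroot.
cleanup_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

main() {
    webroot="$1"; domain="$2"
    token=$(write_probe "$webroot") || { echo "cannot write to $webroot" >&2; return 1; }
    if fetch_probe "$domain" "$token"; then
        echo "OK: $domain serves $webroot/.well-known/acme-challenge/; safe to run certbot"
        rc=0
    else
        echo "FAIL: probe not served; check the nginx location block and port 80" >&2
        rc=1
    fi
    cleanup_probe "$webroot" "$token"
    return "$rc"
}

# Only run when both arguments are given, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it after reloading nginx and before certbot; a FAIL usually means the location block is missing from the server block that answers port 80 for that name.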