Let’s Encrypt

Let’s Encrypt provides free, trusted TLS certificates. Using a trusted certificate is the most reliable way to ensure iOS can fetch snapshots for rich notifications.

Certificates are typically valid for 90 days, so renewal must work.

Quick start (most common)

If you can expose port 80 on the machine running Nginx, use HTTP-01 with Nginx. It is the simplest and most automated option.

If you cannot expose ports (CGNAT, VPN-only, no inbound access), use DNS-01.

Step 0: Choose how you will validate

Option A: HTTP-01 (simple, requires port 80)

Use this if your server can be reached on port 80.

You need:

  • A DNS record for nvr.example.com pointing to your server
  • Port 80 reachable from the internet (temporarily is fine for issuance)

Option B: DNS-01 (works even behind CGNAT)

Use this if you cannot expose port 80/443 publicly (for example, VPN-only deployments).

You need:

  • Access to create DNS TXT records for your domain
  • A plan for renewal (manual DNS-01 renewals can be easy to forget)

Option A: HTTP-01 with Nginx (recommended when possible)

Step 1: Install certbot

sudo apt update
sudo apt install -y certbot python3-certbot-nginx

Step 2: Request the certificate

sudo certbot --nginx -d nvr.example.com

Certbot will update your Nginx config and reload Nginx.

Step 3: Test renewal (do this once)

sudo certbot renew --dry-run

Tip: On Debian/Ubuntu, certbot often installs a systemd timer automatically. Still, always run a dry-run test once so you know renewal works before you forget about it.

Option B: DNS-01 (manual)

Step 1: Install certbot

sudo apt update
sudo apt install -y certbot

Step 2: Request the certificate

sudo certbot certonly --manual \
  --preferred-challenges dns \
  -d nvr.example.com

Certbot will prompt you to create a TXT record at _acme-challenge.nvr.example.com with the value it displays, and will wait for you to confirm before it asks Let’s Encrypt to validate.

Step 3: Verify and install into Nginx

Once issued, update your Nginx config to reference:

  • /etc/letsencrypt/live/nvr.example.com/fullchain.pem
  • /etc/letsencrypt/live/nvr.example.com/privkey.pem

Then reload Nginx:

sudo nginx -t
sudo systemctl reload nginx
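As an added example (not from the original page or certbot), here is a minimal Nginx server block that references the two files above. The backend address 127.0.0.1:5000 is an assumed placeholder for the port your NVR actually listens on.

```nginx
# Added example config, not part of the original page.
# Redirect plain HTTP to HTTPS so clients never fetch snapshots over cleartext.
server {
    listen 80;
    server_name nvr.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nvr.example.com;   # must match the -d value given to certbot

    # Paths certbot wrote; "live" is a symlink that always points at the newest cert,
    # so a renewal needs only a reload, not a config change.
    ssl_certificate     /etc/letsencrypt/live/nvr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nvr.example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:5000;   # assumed NVR backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After a renewal Nginx must be reloaded to pick up the new files; running renewals as `sudo certbot renew --deploy-hook 'systemctl reload nginx'` does that automatically.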

Option B (automation note): provider DNS plugins

If you use a DNS provider supported by certbot plugins (for example Cloudflare DNS), you can often automate DNS-01 renewals. This is worth considering if you cannot use HTTP-01 and you want “set it and forget it” renewal behavior.

Common mistakes (and what they look like)

  • Certificate issued for the wrong hostname
    • iOS shows missing images, or you see TLS errors, even though “HTTPS works” in some places
  • DNS record points to the wrong machine
    • Certbot fails issuance, or Safari loads a different service than you expected
  • Renewal not tested
    • Everything works for weeks, then suddenly breaks when the cert expires
Last updated on December 17, 2025