@sstelfox
Last active October 18, 2021 21:46
Bare bones example of nginx & acme-tiny with auto-renewal
#!/bin/bash

# Should be set to run monthly as a cron job

# If the renewal fails abort immediately
set -o errexit

LOG_FILE="/var/log/acme.log"

# Perform the actual renewal, logging the output and saving the certificate
(runuser --user acme --group acme -- acme-tiny \
    --account-key /var/lib/acme/private/account.key \
    --csr /var/lib/acme/csr/nginx.csr \
    --acme-dir /var/www/challenges/) > /var/lib/acme/certs/nginx.crt 2>> "${LOG_FILE}"

# Copy the updated certificate into place
cat /var/lib/acme/certs/nginx.crt /var/lib/acme/lets-encrypt-x3-cross-signed.pem > /etc/nginx/nginx.crt

# Only restart nginx if it's actually running
if systemctl -q is-active nginx.service; then
    systemctl restart nginx.service &> /dev/null
fi

# Minimal snippet from nginx.conf
http {
    # Plain HTTP: serves the ACME http-01 challenge files written by acme-tiny
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www/default;

        location /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
            try_files $uri =404;
        }
    }

    # HTTPS: TLS is enabled on the listen sockets (the standalone "ssl on;"
    # directive is obsolete since nginx 1.15.0)
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;
        root /var/www/default;

        ssl_certificate /etc/nginx/nginx.crt;
        ssl_certificate_key /etc/nginx/nginx.key;

        location /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
            try_files $uri =404;
        }
    }
}
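
The renewal script above redirects acme-tiny's output straight into the certificate file, so a failed run leaves that file empty. The following is an added example, not part of the original gist, that checks a new certificate against the private key and installs it atomically. The function names cert_is_usable and install_cert are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/bash
# Added example (not from the original gist): validate a freshly issued
# certificate before it replaces the one nginx is serving.

# cert_is_usable CERT KEY [MIN_SECONDS]
# Succeeds only if CERT parses, stays valid for at least MIN_SECONDS more
# seconds (default one day) and carries the same public key as KEY.
cert_is_usable() {
    local cert="$1" key="$2" min_seconds="${3:-86400}"
    local cert_pub key_pub

    # An empty file is what a failed acme-tiny run leaves behind the redirect
    [ -s "$cert" ] || return 1
    # -checkend fails when the certificate expires within min_seconds
    openssl x509 -in "$cert" -noout -checkend "$min_seconds" >/dev/null 2>&1 || return 1

    # Compare the public key in the certificate with the one derived from KEY
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_cert NEW_CERT KEY DEST [CHAIN]
# Builds the bundle in a temporary file next to DEST and renames it into
# place, so DEST is never half-written and stays untouched on failure.
install_cert() {
    local new_cert="$1" key="$2" dest="$3" chain="${4:-}"
    local tmp

    cert_is_usable "$new_cert" "$key" || return 1
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    if cat "$new_cert" ${chain:+"$chain"} > "$tmp" \
        && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

In the renewal script this would replace the cat line, for example: install_cert /var/lib/acme/certs/nginx.crt /etc/nginx/nginx.key /etc/nginx/nginx.crt /var/lib/acme/lets-encrypt-x3-cross-signed.pem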