Nginx Proxy GuardNginx Proxy Guard

SSL/TLS Certificate Management

Strengthen security through automated certificate management.

Let's Encrypt Automation

Automatic Issuance

  • ACME v2 protocol support
  • Wildcard certificate issuance via DNS-01 challenge
  • Multi-domain (SAN) certificate support

Automatic Renewal

  • Renewal timing: Automatic renewal 30 days before expiration
  • Check interval: Expiration checked every 6 hours
  • Renewal history: All renewal attempts are recorded

Staging Mode

Provides a test environment to avoid Let's Encrypt rate limits.

# .env configuration
ACME_STAGING=true  # Staging (test)
ACME_STAGING=false # Production

DNS Provider Support

A variety of DNS providers are supported for the DNS-01 challenge.

Supported Providers

ProviderConfiguration Fields
CloudflareAPI Token (recommended) or Global API Key + Email, Zone ID (optional)
Route53 (AWS)Access Key ID, Secret Access Key, Region (optional), Hosted Zone ID (optional)
DuckDNSToken
DynuAPI Key
ManualNo credentials required (add the TXT record manually)

Note: These five are the DNS-01 providers actually selectable in the NPG UI. NPG uses go-acme/lego under the hood, and lego itself supports dozens of DNS providers, but NPG currently exposes only Cloudflare, Route53, DuckDNS, Dynu, and Manual.

Provider Configuration

  1. Create a DNS provider
  2. Enter API credentials
  3. Test the credentials
  4. Set as default provider (optional)

Credential Testing

Test the connection before saving the provider to confirm the configuration is correct.

Custom Certificates

Certificate Upload

You can upload and use an existing certificate.

  • Certificate (cert.pem): Server certificate
  • Private Key (key.pem): Private key file
  • Chain Certificate (chain.pem): Intermediate certificate (optional)

Self-Signed Certificates

Generate a self-signed certificate for test environments.

  • Specify the domain
  • Set the validity period
  • Generate instantly

HTTP/3 (QUIC) Support

Protocol Support

ProtocolStatusFeatures
HTTP/1.1SupportedBaseline compatibility
HTTP/2Enabled by defaultMultiplexing, header compression
HTTP/3SupportedUDP-based, fast connections

HTTP/3 Configuration

HTTP/3 uses UDP port 443.

# docker-compose.yml
ports:
  - "443:443/tcp"   # HTTP/1.1, HTTP/2
  - "443:443/udp"   # HTTP/3 (QUIC)

Certificate Monitoring

Expiration Checks

  • View certificates expiring within 30 days
  • Dashboard notifications
  • Email notifications (when configured)

Certificate Status

StatusDescription
ValidOperating normally
Expiring SoonExpires within 30 days
ExpiredCertificate has expired
Renewal FailedAutomatic renewal failed

Renewal History

All certificate issuance and renewal history is recorded.

  • Issuance/renewal time
  • Success/failure status
  • Error message (on failure)

TLS Security Settings

Protocol Versions

  • Only TLS 1.2 and higher allowed
  • TLS 1.0/1.1 disabled (security vulnerabilities)

Cipher Suites

Only strong encryption algorithms are allowed.

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384

OCSP Stapling

  • Optimizes certificate status checks
  • Reduces client latency
  • Enabled by default

HSTS (HTTP Strict Transport Security)

Enforces the use of HTTPS.

SettingDescription
max-ageHSTS validity period (seconds)
includeSubDomainsInclude subdomains
preloadRegister on the HSTS Preload List

Post-Quantum TLS

NPG supports hybrid key exchange to protect against future quantum-computer attacks. It combines a classical (elliptic-curve) key exchange with a post-quantum algorithm (ML-KEM), defending against "harvest now, decrypt later" attacks where traffic captured today is decrypted with a quantum computer in the future.

How It Works

NPG includes X25519MLKEM768 in the ssl_ecdh_curve setting by default. Because this is a hybrid (X25519 + ML-KEM-768) construction, classical clients that do not support ML-KEM automatically negotiate a classical curve such as X25519 and still connect normally.

ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1:secp384r1;

How to Enable

You can adjust the value in the ECDH Curve field of the global SSL settings. The default is:

X25519MLKEM768:X25519:secp256r1:secp384r1

Curves earlier in the list are preferred during negotiation, so keeping X25519MLKEM768 first means supported clients use the post-quantum hybrid key exchange.

Requirements

ItemRequirement
ServerOpenSSL 3.5 or later (bundled with the NPG build)
ClientA modern browser/client that supports ML-KEM hybrid key exchange
Unsupported clientsAutomatically fall back to a classical curve (connection preserved)

Note: Because the exchange is hybrid, clients without post-quantum support continue to work. There is no need to disable it — keeping the default is recommended.

Troubleshooting

Certificate Issuance Failure

  1. Check DNS settings

    • Verify the domain points to the server IP
    • Wait for DNS propagation (up to 48 hours)
  2. Check DNS provider credentials

    • Verify API token permissions
    • Zone edit permission is required
  3. Check rate limits

    • Check whether the Let's Encrypt rate limit has been reached
    • Test with staging mode first
  4. Check logs

    docker logs npg-api | grep -i cert
    

Renewal Failure

  1. Check the DNS provider connection status
  2. Check whether the API token has expired
  3. Verify domain ownership

SSL Errors

  • ERR_CERT_INVALID: Check certificate validity
  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH: Check TLS settings
  • ERR_CERT_DATE_INVALID: Check certificate expiration