Drop-in configuration files and setup scripts for Certbot. An A+ on SSL Labs and an A on SecurityHeaders.io — the same day you ship.
We'll template example.com through every command below.
Plain bash scripts. Plain Nginx config files. Read them top to bottom in five minutes. No DSL, no operator, no agent.
--deploy-hook, no cron. Certbot's systemd timer runs certbot renew twice a day. Bubbly's hook reloads Nginx on success. Set it. Forget it.
Stapling, perfect forward secrecy, modern ciphers, strict transport — the whole battery. The defaults match Mozilla's "Modern" profile.
CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy. Include directive/bubbly_security-headers.conf in your server block, get the SecurityHeaders A.
Certbot and acme.sh are great. They just don't ship the Nginx config you actually want. Bubbly does — plus the headers, plus the ticket rotation, plus the renewal hook.
| Bubbly | Certbot, raw | acme.sh | Caddy | |
|---|---|---|---|---|
| Issues Let's Encrypt certs | ||||
| Auto-renews on a timer | systemd | cron | ||
| Nginx config that scores A+ | bring your own | bring your own | own server | |
| Persistent ticket key | ||||
| Security headers pack | optional | manual | ||
| Stays vanilla — no daemon | replaces Nginx | |||
| Read the source in 5 min | bash + conf | Python | Go binary |
Bubbly composes with Certbot — it doesn't replace it. The scripts wrap
certbot certonly --webroot and rsync battle-tested config blocks into /etc/nginx/.
You'll need basic Nginx familiarity. You won't need to know Certbot, Let's Encrypt, the ACME spec, or how SSL works underneath.
Drop into $HOME, grab the dependencies, pull the repo.
One-time per server. It is slow on purpose — the entropy is the point.
Mirrors the repo's nginx-config/ into /etc/nginx/ — conf.d/, directive/, location/, groups/, and sites-available/ all land in place.
Place the ACME challenge site so Let's Encrypt can find you.
example.com with your domain.
Symlink it live, lint, reload.
It will ask for the root password and an email. Then it's done in a few seconds.
certbot renew twice daily. The deploy hook reloads Nginx after every successful renewal. No cron, no babysitting.
Add the HTTPS site alongside the HTTP one you already have. Keep example.com_http.conf symlinked — it answers ACME renewal challenges forever. Read the [OPTION]s and [WARNING]s; point the cert paths at your domain.
That's it. The next time Let's Encrypt rotates your cert, Nginx will
reload itself. The next time you run nginx -t, it will pass.
Go test it ↓
Tested against SSL Labs and SecurityHeaders.io with the defaults shipped in the repo — no extra tuning.
Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
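To run the same header check locally, this added example (not part of Bubbly's repo) reads a raw response header block and flags any of the six headers listed above that are missing, plus an HSTS `max-age` of 0 and an X-Content-Type-Options value other than `nosniff`. The function names and the sample response are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Bubbly repo): offline check of a response
# header block against the six headers this page lists.
# Usage on a live site:  curl -sIL https://example.com | check_headers

REQUIRED="strict-transport-security content-security-policy x-frame-options"
REQUIRED="$REQUIRED x-content-type-options referrer-policy permissions-policy"

# check_headers: reads response headers on stdin, prints one MISSING/WEAK
# line per problem, returns 0 when clean and 1 otherwise.
check_headers() {
    awk -v required="$REQUIRED" '
    BEGIN { n = split(required, want, " ") }
    { sub(/\r$/, "") }                        # tolerate CRLF line endings
    /^HTTP\// { split("", seen); next }       # redirect hop: keep only the final response
    {
        i = index($0, ":")
        if (i < 2) next                       # blank line or not a header
        v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        seen[tolower(substr($0, 1, i - 1))] = v   # names are case-insensitive; last value wins
    }
    END {
        for (k = 1; k <= n; k++)
            if (!(want[k] in seen)) { print "MISSING " want[k]; bad = 1 }
        if ("strict-transport-security" in seen) {
            hsts = tolower(seen["strict-transport-security"]); gsub(/"/, "", hsts)
            if (!match(hsts, /max-age=[0-9]+/) || substr(hsts, RSTART + 8, RLENGTH - 8) + 0 == 0) {
                print "WEAK strict-transport-security: max-age missing or 0"; bad = 1
            }
        }
        if (("x-content-type-options" in seen) && tolower(seen["x-content-type-options"]) != "nosniff") {
            print "WEAK x-content-type-options: expected nosniff"; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: an HTTP redirect followed by the HTTPS response,
# with Permissions-Policy left out on purpose.
sample_response() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://example.com/

HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
referrer-policy: no-referrer
EOF
}

sample_response | check_headers || true
```
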