
Configure SSL with Let's Encrypt

Get free SSL certificates from Let's Encrypt with Certbot and enable HTTPS on your domain.


Let's Encrypt provides free SSL/TLS certificates. Certbot automates the process of obtaining and renewing certificates for Nginx and Apache.

Prerequisites

  • A domain pointing to your VPS IP (A record configured)
  • Nginx or Apache installed and serving your site
  • Ports 80 and 443 open in the firewall

Step 1 — Install Certbot

For Nginx:

bash
sudo apt update
sudo apt install certbot python3-certbot-nginx -y

For Apache:

bash
sudo apt install certbot python3-certbot-apache -y

Step 2 — Obtain the certificate

For Nginx:

bash
sudo certbot --nginx -d mydomain.com -d www.mydomain.com

For Apache:

bash
sudo certbot --apache -d mydomain.com -d www.mydomain.com

Certbot will ask for your email and agreement to terms. It automatically configures your web server for HTTPS.

Step 3 — Verify auto-renewal

Certbot installs a timer that renews certificates automatically. Test it:

bash
sudo certbot renew --dry-run

Step 4 — Check certificate status

bash
sudo certbot certificates

Manual renewal (if needed)

bash
sudo certbot renew

Force renewal

bash
sudo certbot renew --force-renewal

Troubleshooting

  • Domain not pointing to server: Verify DNS with dig mydomain.com
  • Port 80 blocked: Certbot needs port 80 for the HTTP-01 challenge. Check with sudo ufw status
  • Rate limits: Let's Encrypt has rate limits (50 certificates per domain per week)

Security headers (recommended)

After enabling SSL, add security headers to your Nginx config:

nginx
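# HSTS: browsers use HTTPS only for one year; includeSubDomains means every subdomain must serve HTTPS too
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Stop browsers from MIME-sniffing a response into a different content type
add_header X-Content-Type-Options nosniff;
# Allow the site to be framed only by pages from the same origin
add_header X-Frame-Options SAMEORIGIN;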

Reload Nginx after changes:

bash
sudo systemctl reload nginx
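
To confirm after the reload that the three headers above are actually being served, the following added example (not part of the original guide) audits raw response headers read from stdin. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit HTTP response headers
# for the three security headers configured above.

# Print the value of header $1 (lower-case name) found in header text $2.
header_value() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | tail -n 1
}

# Read raw response headers on stdin, print one line per problem,
# return 0 only if all three headers carry the values from the guide.
check_security_headers() {
    # Normalise: drop CRs, lower-case, trim trailing whitespace.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
    rc=0

    hsts=$(header_value strict-transport-security "$hdrs")
    if [ -z "$hsts" ]; then
        echo "MISSING strict-transport-security"; rc=1
    else
        max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
            echo "WEAK strict-transport-security: max-age below 31536000"; rc=1
        fi
        case "$hsts" in
            *includesubdomains*) ;;
            *) echo "WEAK strict-transport-security: includeSubDomains not set"; rc=1 ;;
        esac
    fi

    xcto=$(header_value x-content-type-options "$hdrs")
    [ "$xcto" = "nosniff" ] || { echo "MISSING x-content-type-options: nosniff"; rc=1; }

    xfo=$(header_value x-frame-options "$hdrs")
    [ "$xfo" = "sameorigin" ] || { echo "MISSING x-frame-options: sameorigin"; rc=1; }

    return "$rc"
}

# Constructed sample response (not captured from a real server).
SAMPLE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN'

if printf '%s\n' "$SAMPLE" | check_security_headers; then
    echo "all security headers present"
fi
```

Against a live site, pipe `curl -sI https://mydomain.com/` into `check_security_headers`. Repeating the check against a URL that returns 404 shows which headers lack the `always` parameter, since Nginx otherwise adds them only to successful and redirect responses.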
