Install SSL certificates with Let's Encrypt
Obtain and install free SSL certificates with Certbot for your domain on a VPS.
Overview
Let's Encrypt provides free, automated SSL/TLS certificates. Certbot is the official client that handles certificate issuance and renewal.
Prerequisites
- VPS with a domain pointing to it (A record configured)
- Nginx or Apache installed
- Ports 80 and 443 open in your firewall
Step 1: Install Certbot
For Nginx

```bash
sudo apt update
sudo apt install -y certbot python3-certbot-nginx
```

For Apache

```bash
sudo apt update
sudo apt install -y certbot python3-certbot-apache
```

Step 2: Obtain certificate
Nginx

```bash
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```

Apache

```bash
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
```

Certbot will:
- Verify domain ownership via HTTP challenge
- Obtain the certificate
- Automatically configure your web server
- Set up HTTPS redirect (if you choose yes)
Step 3: Verify the installation
```bash
# Check certificate details
sudo certbot certificates
# Test HTTPS
curl -I https://yourdomain.com
```

Visit your site in a browser and verify the padlock icon appears.
Step 4: Auto-renewal
Certbot installs a systemd timer for automatic renewal:
```bash
# Check the timer is active
sudo systemctl status certbot.timer
# Test renewal (dry run)
sudo certbot renew --dry-run
```

Certificates are valid for 90 days. Certbot renews them automatically when they have less than 30 days remaining.
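As an added example (not part of the original guide), a shell check that parses the output of `sudo certbot certificates` and lists every certificate with less than the renewal threshold remaining, so a timer that silently stopped renewing shows up in monitoring. The sample output is constructed, modelled on certbot's report format.

```bash
#!/usr/bin/env bash
# Constructed sample modelled on `sudo certbot certificates` output
# (not captured from a real host). In use, pipe the real command in instead.
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: yourdomain.com
    Serial Number: 0
    Key Type: ECDSA
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2025-01-01 00:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem
  Certificate Name: wildcard
    Domains: *.yourdomain.com yourdomain.com
    Expiry Date: 2025-03-01 00:00:00+00:00 (VALID: 71 days)
    Certificate Path: /etc/letsencrypt/live/wildcard/fullchain.pem
  Certificate Name: old-site
    Domains: old.yourdomain.com
    Expiry Date: 2024-11-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old-site/fullchain.pem'

# Read certbot output on stdin and print "<name> <days>" for each certificate
# whose remaining validity is below the threshold (default 30 days, the point
# at which certbot's timer should already have renewed it). Expired or
# unparseable certificates are reported as -1 days.
certs_needing_renewal() {
    local threshold="${1:-30}"
    awk -v limit="$threshold" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                days = f[2] + 0
            }
            if (days < limit) print name, days
        }'
}

# Stand-alone demo on the constructed sample. On a real host run:
#   sudo certbot certificates | certs_needing_renewal 30
printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | certs_needing_renewal 30
```

Any line of output means a certificate is past the point where automatic renewal should have happened, which is the cue to run `sudo certbot renew --dry-run` and read the error.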
Nginx manual configuration
If Certbot doesn't auto-configure, here's a manual Nginx SSL setup:

```nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    root /var/www/yourdomain.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two caveats: the HSTS header is only sent once the certificate is known to work, because browsers will refuse plain HTTP for the full `max-age` afterwards, and Let's Encrypt has announced it is ending OCSP support in favour of CRLs, so the stapling directives are harmless but will stop having any effect for these certificates.

Test and reload:

```bash
sudo nginx -t
sudo systemctl reload nginx
```

Wildcard certificates
For wildcard certificates (*.yourdomain.com), you need DNS validation:
```bash
sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d yourdomain.com
```

Certbot will ask you to create a TXT record:
- Add the TXT record at your DNS provider
- Wait for propagation (verify with `dig TXT _acme-challenge.yourdomain.com`)
- Press Enter to continue
Automate wildcard renewal with DNS plugin
For Cloudflare:

```bash
sudo apt install -y python3-certbot-dns-cloudflare
# Create credentials file
sudo nano /etc/letsencrypt/cloudflare.ini
```

Put the API token in the file:

```ini
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
```

Restrict the file so only root can read it, then request the certificate:

```bash
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d "*.yourdomain.com" -d yourdomain.com
```

Use a scoped API token (Zone:DNS:Edit on this zone only) rather than the account-wide Global API Key: the token sits on disk for every renewal, so it should be able to do nothing beyond editing this zone's DNS.

Troubleshooting
- Challenge failed: Ensure port 80 is open and domain points to your server
- Rate limited: Let's Encrypt has rate limits (50 certs/domain/week). Use staging for testing:
```bash
sudo certbot --staging --nginx -d yourdomain.com
```
- Renewal failed: Check `sudo certbot renew --dry-run` for errors
- Mixed content: Ensure all resources (images, scripts) use HTTPS URLs
Post-install security headers
Add these headers to your Nginx config for an A+ SSL rating:

```nginx
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' https:" always;
```

Note that `add_header` is not inherited: if a `location` block contains its own `add_header`, the headers set in the enclosing `server` block (including HSTS) are not sent for that location, so either put all headers at the same level or repeat them. Test your SSL configuration at ssllabs.com/ssltest.