Let's Encrypt provides free, automated SSL/TLS certificates via Certbot. This guide walks you through installing Certbot, obtaining a certificate for your domain, and setting up automatic renewal on Ubuntu/Debian.
Step 1: Install Certbot and the web server plugin
On Ubuntu/Debian:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
If you're using Apache instead:
sudo apt install certbot python3-certbot-apache -y
For RHEL/CentOS (the packages come from the EPEL repository, so enable it first), use:
sudo dnf install certbot python3-certbot-nginx -y
Step 2: Ensure your domain points to your server
Before requesting a certificate, verify that your domain's DNS A record points to your server's IP address. You can check this with:
nslookup yourdomain.com
or
dig yourdomain.com
The returned IP should match your VPS IP. If it doesn't, update your DNS records at your domain registrar and wait for propagation (usually 5–30 minutes).
Step 3: Open port 80 and 443 in your firewall
Let's Encrypt validates your domain over port 80 (the HTTP-01 challenge, which the nginx and apache plugins use), and port 443 (HTTPS) must be open so the site can be served over TLS afterwards. Ensure both are open in your VPS firewall or security group:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
On AWS/cloud providers, check your Security Group or Firewall settings and allow inbound traffic on ports 80 and 443.
Step 4: Obtain your certificate
The certonly commands below only obtain the certificate and write it to disk; the web server is configured to use it by hand in Step 6.
For Nginx:
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com
For Apache:
sudo certbot certonly --apache -d yourdomain.com -d www.yourdomain.com
For other web servers (manual DNS validation; without --preferred-challenges dns the manual plugin defaults to the HTTP-01 challenge):
sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com -d www.yourdomain.com
When prompted, provide your email address. Certbot will validate domain ownership, issue the certificate, and store it in /etc/letsencrypt/live/yourdomain.com/.
Step 5: Verify certificate installation
sudo certbot certificates
You'll see the certificate path, expiration date, and domains covered.
Step 6: Configure your web server to use the certificate
For Nginx, update your server block (e.g., /etc/nginx/sites-available/yourdomain.com):
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Rest of your config...
}
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}
Then test and reload:
sudo nginx -t
sudo systemctl reload nginx
For Apache, enable the SSL module and update your VirtualHost:
sudo a2enmod ssl
Edit your VirtualHost config (e.g., /etc/apache2/sites-available/yourdomain.com.conf):
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    # Rest of your config...
</VirtualHost>
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # "permanent" issues a 301, matching the Nginx redirect above
    Redirect permanent / https://yourdomain.com/
</VirtualHost>
Then test and reload:
sudo apache2ctl configtest
sudo systemctl reload apache2
Step 7: Set up automatic renewal
Let's Encrypt certificates expire after 90 days. Certbot includes a renewal service (a systemd timer) that checks daily and renews any certificate that is within 30 days of expiry. The Ubuntu/Debian package normally enables it already; to make sure:
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
Verify it's active:
sudo systemctl status certbot.timer
You can also test renewal manually. With --dry-run, Certbot performs the whole renewal against the Let's Encrypt staging environment and discards the result, so your real certificate is never replaced:
sudo certbot renew --dry-run
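Because the guide uses certonly, Certbot renews the files on disk but nothing reloads Nginx or Apache, so the server can keep presenting the old certificate until it expires. The following check script is an added example, not part of the original guide or of Certbot; it assumes openssl is installed and the /etc/letsencrypt/live/<domain>/fullchain.pem layout from Step 4, compares the certificate on disk with the one the server actually presents, and flags certificates inside Certbot's 30-day renewal window.

```sh
#!/bin/sh
# Added example (not from the original guide): health check for a lineage obtained
# with "certbot certonly". Answers two questions: does the on-disk certificate expire
# within RENEW_DAYS (certbot's own threshold), and does the web server really serve
# that certificate (a renewed fullchain.pem is useless until nginx/apache is reloaded)?
RENEW_DAYS=30

# Returns 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# (openssl -checkend exits 0 when the cert stays valid for the whole window.)
cert_expires_within() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the leaf certificate (first cert in fullchain.pem).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint of the certificate a server presents for host $1 (sent as SNI), port ${2:-443}.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_lineage DOMAIN [LIVE_DIR]: prints a verdict, returns 0 only when healthy.
check_lineage() {
    domain=$1
    cert="${2:-/etc/letsencrypt/live}/$domain/fullchain.pem"
    [ -r "$cert" ] || { echo "$domain: no certificate at $cert"; return 2; }
    status=0
    if cert_expires_within "$cert" "$RENEW_DAYS"; then
        echo "$domain: expires within $RENEW_DAYS days; check 'certbot renew' and certbot.timer"
        status=1
    fi
    disk=$(cert_fingerprint "$cert")
    served=$(served_fingerprint "$domain")
    if [ -z "$served" ]; then
        echo "$domain: could not fetch the served certificate on port 443"
        status=1
    elif [ "$disk" != "$served" ]; then
        echo "$domain: served certificate differs from disk; reload the web server"
        status=1
    else
        echo "$domain: served certificate matches disk ($disk)"
    fi
    return $status
}
```

Run it as check_lineage yourdomain.com from cron or your monitoring after each renewal window. If it reports a stale served certificate, the durable fix is to let Certbot reload the server after every renewal, e.g. by renewing with --deploy-hook "systemctl reload nginx".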
Tips
- Verify your certificate: Use
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
to inspect the certificate chain (the -servername flag sends SNI, so you see the certificate for that name rather than the server's default one).
- Multiple domains: Add -d domain2.com for each additional domain or subdomain.
- Wildcard certificates: A wildcard name such as -d '*.yourdomain.com' requires the DNS-01 challenge. Use --preferred-challenges dns and manually update the DNS TXT records as prompted.
- Force renewal (if you need to):
sudo certbot renew --force-renewal
Repeated forced renewals count against Let's Encrypt's duplicate-certificate rate limit, so use this sparingly.
- Certificate location: All certificates are stored in /etc/letsencrypt/live/yourdomain.com/.