
Get a Free SSL Certificate with Certbot (Let's Encrypt)

Install Certbot and automatically issue, install, and renew free SSL certificates from Let's Encrypt on your VPS.

Let's Encrypt provides free, automated SSL/TLS certificates via Certbot. This guide walks you through installing Certbot, obtaining a certificate for your domain, and setting up automatic renewal on Ubuntu/Debian.

Step 1: Install Certbot and the web server plugin

On Ubuntu/Debian:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

If you're using Apache instead:

sudo apt install certbot python3-certbot-apache -y

For RHEL/CentOS, use:

sudo dnf install certbot python3-certbot-nginx -y

Step 2: Ensure your domain points to your server

Before requesting a certificate, verify that your domain's DNS A record points to your server's IP address. You can check this with:

nslookup yourdomain.com

or

dig yourdomain.com

The returned IP should match your VPS IP. If it doesn't, update your DNS records at your domain registrar and wait for propagation (usually 5–30 minutes).

Step 3: Open ports 80 and 443 in your firewall

Let's Encrypt uses port 80 (HTTP) and 443 (HTTPS) to validate your domain. Ensure both are open in your VPS firewall or security group:

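sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# If you manage this server over SSH, make sure your SSH port is allowed in ufw
# before enabling it, or you may lock yourself out.
sudo ufw enable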

On AWS/cloud providers, check your Security Group or Firewall settings and allow inbound traffic on ports 80 and 443.

Step 4: Obtain and install your certificate

For Nginx:

sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com

For Apache:

sudo certbot certonly --apache -d yourdomain.com -d www.yourdomain.com

For other web servers (manual DNS validation):

sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com -d www.yourdomain.com

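When prompted, provide your email address. Certbot will validate domain ownership, issue the certificate, and store it in /etc/letsencrypt/live/yourdomain.com/. Because these commands use certonly, Certbot does not change your web server configuration; you do that yourself in Step 6.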

Step 5: Verify certificate installation

sudo certbot certificates

You'll see the certificate path, expiration date, and domains covered.

Step 6: Configure your web server to use the certificate

For Nginx, update your server block (e.g., /etc/nginx/sites-available/yourdomain.com):

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Rest of your config...
}

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

Then test and reload:

sudo nginx -t
sudo systemctl reload nginx

For Apache, enable the SSL module and update your VirtualHost:

sudo a2enmod ssl

Edit your VirtualHost config (e.g., /etc/apache2/sites-available/yourdomain.com.conf):

<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    # Rest of your config...
</VirtualHost>

<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect / https://yourdomain.com/
</VirtualHost>

Then test and reload:

sudo apache2ctl configtest
sudo systemctl reload apache2

Step 7: Set up automatic renewal

Let's Encrypt certificates expire after 90 days. Certbot includes a renewal service that checks daily:

sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

Verify it's active:

sudo systemctl status certbot.timer

You can also test the renewal process manually. A dry run goes through the renewal against the Let's Encrypt staging environment and does not replace your live certificates:

sudo certbot renew --dry-run
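
A check you can run from cron or a monitoring job to confirm that automatic renewal is really happening: Certbot normally renews a 90-day certificate once it has fewer than 30 days left, so anything reported below that threshold by sudo certbot certificates (Step 5) means renewals are failing. This is an added example, not part of the original guide; the check_renewal function, the sample output and the assumed layout of the certbot certificates output are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. check_renewal and the sample
# below are hypothetical; the "(VALID: N days)" / "(INVALID: ...)" layout of
# `certbot certificates` output is assumed.

# Usage: sudo certbot certificates | check_renewal MIN_DAYS
# Prints one line per certificate that is invalid or has fewer than MIN_DAYS
# left, and returns 1 if any were found (0 otherwise).
check_renewal() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            why = ""
            if ($0 ~ /\(INVALID/) {
                why = "invalid or expired"
            } else if ($0 ~ /\(VALID: [0-9]+ hour/) {
                why = "under a day left"
            } else {
                left = $0
                sub(/^.*\(VALID: /, "", left)   # "61 days)" -> numeric 61
                if (left + 0 < min + 0) why = (left + 0) " day(s) left"
            }
            if (why != "") { print name ": " why; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output (not from a real host).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  Certificate Name: shop.yourdomain.com
    Domains: shop.yourdomain.com
    Expiry Date: 2030-01-11 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.yourdomain.com/fullchain.pem
  Certificate Name: old.yourdomain.com
    Domains: old.yourdomain.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.yourdomain.com/fullchain.pem
EOF
}

sample_output | check_renewal 30 || echo "renewal needs attention"
```

If a certificate is flagged, sudo systemctl status certbot.timer and sudo certbot renew --dry-run from this step are the first things to check.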

Tips

  • Verify your certificate: Use openssl s_client -connect yourdomain.com:443 to inspect the certificate chain.
  • Multiple domains: Add -d domain2.com for each additional domain or subdomain.
  • Wildcard certificates: Use --preferred-challenges dns and manually update DNS TXT records as prompted.
  • Force renewal (if you need to): sudo certbot renew --force-renewal
  • Certificate location: All certificates are stored in /etc/letsencrypt/live/yourdomain.com/.
