A TLS certificate (still commonly called an SSL certificate) lets browsers verify your server's identity and establish an encrypted HTTPS connection. Let's Encrypt issues free, publicly trusted certificates, and its Certbot client renews them automatically. This guide covers installation on Ubuntu with NGINX or Apache.
Prerequisites
- A domain name pointed to your server's IP address
- Root or sudo access to your server
- Ports 80 and 443 open in your firewall
- Web server (NGINX or Apache) installed and running
Step 1: Install Certbot
Certbot is the official Let's Encrypt client that automates certificate management.
sudo apt update
sudo apt install certbot python3-certbot-nginx
For Apache, use:
sudo apt install certbot python3-certbot-apache
Step 2: Obtain Certificate
The easiest method uses the web server plugin, which automatically configures SSL.
For NGINX:
sudo certbot --nginx -d example.com -d www.example.com
For Apache:
sudo certbot --apache -d example.com -d www.example.com
Replace example.com with your domain. Certbot will:
- Verify domain ownership via HTTP challenge
- Request and install the certificate
- Modify your web server config for HTTPS
- Set up automatic redirection from HTTP to HTTPS (optional)
Step 3: Test HTTPS
Visit your site using the https:// prefix. You should see the padlock icon in your browser.
Test your SSL configuration at SSL Labs. Aim for an A or A+ rating.
Step 4: Enable Auto-Renewal
Let's Encrypt certificates expire after 90 days. The Certbot package sets up automatic renewal via a systemd timer.
Verify auto-renewal is active:
sudo systemctl status certbot.timer
Test the renewal process (dry run):
sudo certbot renew --dry-run
Certbot attempts renewal once a certificate is within 30 days of expiration. If a renewal fails, that leaves time to fix the problem before the certificate expires.
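The checks behind Step 3 and Step 4 as a small script: how many days a certificate has left, whether it is already inside Certbot's 30-day renewal window, and whether it actually covers the hostname visitors use. This is an added example, not part of the original guide or of Certbot; it assumes openssl and GNU date are installed, and the certificates it inspects are self-signed samples it generates itself.

```sh
#!/bin/sh
# Added example, not from the original guide: post-issuance checks for a certificate
# file, showing what Certbot's 30-day renewal window means in practice.
# Assumes openssl and GNU date (standard on Ubuntu); hostnames are constructed.

# fetch_cert HOST OUTFILE: save the leaf certificate a live HTTPS server presents
# (not run below, since the sample certificates are generated offline).
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# days_left CERT_PEM: whole days until the certificate's notAfter date.
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# renewal_due CERT_PEM: succeeds when 30 days or fewer remain, i.e. when
# 'certbot renew' would already try to replace this certificate.
renewal_due() {
    [ "$(days_left "$1")" -le 30 ]
}

# covers_host CERT_PEM HOSTNAME: succeeds when the certificate's names match HOSTNAME.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Constructed self-signed samples standing in for a certificate Certbot has installed:
# a freshly issued 90-day certificate and one that has only 10 days left.
WORK=$(mktemp -d)
make_sample() {  # make_sample DAYS OUTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$2" \
        -days "$1" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
}
FRESH_CERT="$WORK/fresh.pem"; make_sample 90 "$FRESH_CERT"
AGING_CERT="$WORK/aging.pem"; make_sample 10 "$AGING_CERT"

report() {  # report CERT_PEM HOSTNAME
    printf '%s: %s days left' "$2" "$(days_left "$1")"
    renewal_due "$1" && printf ', renewal due' || printf ', not yet due'
    covers_host "$1" "$2" && printf ', covers host\n' || printf ', does NOT cover host\n'
}
report "$FRESH_CERT" www.example.com     # not yet due, covers host
report "$AGING_CERT" www.example.com     # renewal due, covers host
report "$FRESH_CERT" mail.example.com    # not yet due, does NOT cover host
```

To inspect a deployed site instead of the samples, call fetch_cert with your hostname and pass the saved file to the same functions.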
Advanced: Wildcard Certificates
Wildcard certificates cover all subdomains at one level (*.example.com matches www.example.com but not a.b.example.com). They require DNS validation instead of the HTTP challenge.
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
You'll be prompted to create a TXT record in your DNS zone. Because this manual challenge needs you to update DNS each time, certificates obtained this way do not renew unattended; use the DNS plugin for your provider instead.
Troubleshooting
Port 80 Blocked
Let's Encrypt needs port 80 for the HTTP challenge. If your firewall is blocking it (ufw shown here):
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Domain Not Resolving
Ensure your domain's DNS A record points to your server's IP address:
dig example.com +short
Certificate Not Trusted
Some older systems don't trust Let's Encrypt's root certificate. This is rare now. If affected, consider using a commercial certificate.
Rate Limits
Let's Encrypt enforces rate limits, including 50 certificates per registered domain per week. Don't request production certificates repeatedly while testing; use --test-cert to obtain certificates from the staging environment instead.
Next Steps
- Configure reverse proxy for your applications
- Set up server security best practices
- Enable HTTP/2 for better performance