Free SSL Certificates with Let's Encrypt and Certbot
Step-by-step guide to installing and auto-renewing free SSL certificates for your websites using Certbot.
Free SSL Certificates with Let's Encrypt and Certbot
Secure your websites with free SSL/TLS certificates from Let's Encrypt using Certbot.
Why SSL/TLS Certificates?
SSL/TLS certificates provide:
- Encrypted connections (HTTPS)
- Improved SEO rankings
- User trust and security
- Required for modern web features
- Protection against man-in-the-middle attacks
Prerequisites
- Domain name pointing to your Linux server
- Web server (Apache or Nginx) installed
- Port 80 and 443 open in firewall
- Root or sudo access
Step 1: Install Certbot
For Ubuntu/Debian with Nginx:
sudo apt update
sudo apt install certbot python3-certbot-nginxFor Ubuntu/Debian with Apache:
sudo apt update
sudo apt install certbot python3-certbot-apacheStep 2: Obtain SSL Certificate
Nginx (Automatic Configuration):
sudo certbot --nginx -d example.com -d www.example.comApache (Automatic Configuration):
sudo certbot --apache -d example.com -d www.example.comManual (Webroot):
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.comStandalone (Stops Web Server):
sudo systemctl stop nginx
sudo certbot certonly --standalone -d example.com -d www.example.com
sudo systemctl start nginxStep 3: Configure Auto-Renewal
Certbot automatically creates a renewal cron job. Test it:
sudo certbot renew --dry-runCheck renewal timer:
sudo systemctl status certbot.timerManual renewal (if needed):
sudo certbot renewStep 4: Verify SSL Certificate
Test your SSL configuration:
curl -I https://example.comCheck certificate details:
sudo certbot certificatesUse SSL Labs for comprehensive testing:
https://www.ssllabs.com/ssltest/
Step 5: Nginx SSL Configuration
Certbot configures Nginx automatically, but here's what it adds:
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
# ... rest of your configuration
}
# HTTP to HTTPS redirect
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}Step 6: Multiple Domains
Get certificates for multiple domains:
sudo certbot --nginx -d example.com -d www.example.com -d api.example.comOr separate certificates:
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --nginx -d api.example.comManaging Certificates
List all certificates:
sudo certbot certificatesRevoke a certificate:
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pemDelete a certificate:
sudo certbot delete --cert-name example.comTroubleshooting
Port 80 blocked:
Ensure firewall allows HTTP:sudo ufw allow 'Nginx Full'DNS not pointing correctly:
Verify with:dig example.com +short
nslookup example.comWeb server not running:
Check status:sudo systemctl status nginxCertificate renewal failed:
Check logs:sudo journalctl -u certbotBest Practices
1. Always use HTTPS redirect: Force all traffic to HTTPS
2. Enable HSTS: Prevent SSL stripping attacks
3. Monitor expiration: Check certificates regularly
4. Test renewals: Run dry-run tests monthly
5. Keep Certbot updated: sudo apt update && sudo apt upgrade certbot
Rate Limits
Let's Encrypt has rate limits:
- 50 certificates per domain per week
- 5 duplicate certificates per week
- 300 pending authorizations per account
Conclusion
Free SSL certificates from Let's Encrypt make HTTPS accessible to everyone. Certbot automates the entire process including renewals.
Next Steps
Ready to simplify your Linux server management?
Gumpbox makes server administration effortless with an intuitive interface designed for developers.
Get Started