Setup Free SSL with Let's Encrypt on Nginx

By Administrator
Published Sep 30, 2025

Why Bother with SSL Anyway?

Let's talk about HTTPS. You know that little padlock icon you see in your browser? That's SSL at work (technically its successor, TLS, but everyone still says SSL), and it's kinda important these days. Not only does it encrypt the data between your visitors and your server (keeping snoopers away), but Google also gives you a nice SEO boost for having it.

The best part? You don't need to spend hundreds of dollars on SSL certificates anymore. Let's Encrypt gives them away for free, and setting them up on Nginx is surprisingly straightforward once you know what you're doing.

So grab a coffee, and let's get your site secured with HTTPS!

What You'll Need Before We Start

Let's make sure you've got your ducks in a row first:

  • A server with Nginx installed (I'm assuming you already have this)
  • A domain name pointed to your server - SSL certificates need a real domain
  • SSH access to your server with sudo privileges
  • Ubuntu/Debian system (these commands work on most Debian-based systems)

Oh, and make sure your domain is actually pointing to your server's IP address. You can check this with a simple ping command or just by visiting your domain in a browser and seeing if your site shows up.

Step 1: Install Certbot

Certbot is the tool that makes getting Let's Encrypt certificates dead simple. It's basically a robot that does all the hard work for you.

First, let's update your system (always a good idea):

sudo apt update
sudo apt upgrade -y

Now install Certbot and the Nginx plugin:

sudo apt install certbot python3-certbot-nginx -y

That's it! Certbot is now ready to do its magic.

Step 2: Make Sure Your Nginx Config is Ready

Before we ask Certbot for a certificate, we need to make sure your Nginx configuration knows which domain it's serving. Open up your site's config file (it's probably in /etc/nginx/sites-available/):

sudo nano /etc/nginx/sites-available/your-site

Make sure you have a server_name line that matches your domain:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    root /var/www/yourdomain.com;
    index index.html;

    # ... rest of your config
}

Important: Replace yourdomain.com with your actual domain name. Both the main domain and the www version should be there.

Test your Nginx config to make sure you didn't break anything:

sudo nginx -t

If it says "syntax is ok" and "test is successful", you're good to go. If not, fix any errors before proceeding.

Step 3: Get Your SSL Certificate

Now for the exciting part! Let's get that certificate:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your actual domain. The -d flags tell Certbot which domains to include on the certificate.

Certbot will ask you a few questions:

  1. Email address: Enter your email (used for urgent renewal notices)
  2. Terms of Service: Press 'A' to agree
  3. Share email with EFF: Your choice - press 'N' if you don't want promotional emails
  4. Redirect HTTP to HTTPS: Press '2' to redirect all HTTP traffic to HTTPS

And that's it! Certbot will:

  • Verify you own the domain
  • Generate the SSL certificate
  • Update your Nginx config automatically
  • Set up automatic renewal

Step 4: Test Your HTTPS Setup

Fire up your browser and visit https://yourdomain.com. You should see that beautiful padlock icon!

Try both http:// and https:// versions of your site. The HTTP version should automatically redirect to HTTPS.

You can also use SSL Labs' SSL Test to get a detailed report of your certificate setup. Just go to ssllabs.com/ssltest and enter your domain.

Step 5: Verify Auto-Renewal

Let's Encrypt certificates only last for 90 days, but Certbot automatically set up a renewal job for you. Let's make sure it's working:

sudo systemctl status certbot.timer

You should see that the timer is active and will run twice daily. You can also test the renewal process (this won't actually renew anything unless it's close to expiring):

sudo certbot renew --dry-run

If that runs without errors, you're all set!

Troubleshooting Common Issues

"Domain Not Found" or "DNS Problem"

This usually means your domain isn't pointing to your server correctly. Double-check:

  • Your domain's A record points to your server IP
  • Wait a bit - DNS changes can take time to propagate
  • Use nslookup yourdomain.com to verify it resolves to your IP

"Connection Refused" or "Could Not Connect"

Certbot needs to be able to connect to your server on port 80. Make sure:

  • Your firewall allows HTTP traffic: sudo ufw allow 'Nginx Full'
  • Nginx is actually running: sudo systemctl status nginx
  • Nothing else is using port 80: sudo netstat -tulpn | grep :80

"Too Many Requests"

Let's Encrypt has rate limits. If you've tried to get certificates too many times, you'll have to wait an hour or so before trying again.

Renewal Failures

If your certificates aren't renewing automatically, check:

sudo journalctl -u certbot

Common culprits are usually firewall changes or Nginx config errors.

Pro Tips for Better SSL Setup

Use Stronger Security Settings

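You can beef up your SSL security by adding the settings below to your Nginx config. If Certbot added an include of /etc/letsencrypt/options-ssl-nginx.conf to the same server block, that file already sets these directives, and Nginx rejects a directive such as ssl_ciphers that is set twice in one block. Change them in one place only, and run sudo nginx -t afterwards: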

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

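    # Add these lines for better security
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only affects TLS 1.2 here. AES-256-GCM suites end in SHA384;
    # the ECDSA entry covers the ECDSA keys newer Certbot releases issue by default.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;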

    # ... rest of your config
}

Monitor Your Certificates

Set up a simple reminder to check your certificates every few months:

sudo certbot certificates

This shows you all your certificates and when they expire.
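
Checking by hand every few months leaves long gaps, so here is an added example (not part of the original article or of Certbot) that does the same check from a script. It relies on Certbot's default of renewing once fewer than 30 days remain; the 20-day threshold, the function names, the script file name and the example.test certificate are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report certificates that
# are close to expiry. Certbot renews once fewer than 30 days remain, so a
# certificate below WARN_DAYS means the automatic renewal is not working.
WARN_DAYS="${WARN_DAYS:-20}"                    # assumed alert threshold
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # Certbot's default location

# cert_status FILE [DAYS]: prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    local pem="$1" days="${2:-$WARN_DAYS}"
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo EXPIRING; return 1
    fi
    echo OK
}

# scan_live [DIR]: one line per certificate; returns the worst status seen
scan_live() {
    local dir="${1:-$LIVE_DIR}" worst=0 pem state rc end
    for pem in "$dir"/*/cert.pem; do
        [ -e "$pem" ] || continue
        state="$(cert_status "$pem")" && rc=0 || rc=$?
        end="$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)"
        printf '%-10s %s  notAfter=%s\n' "$state" "$pem" "${end:-unknown}"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# make_test_cert FILE DAYS: constructed self-signed cert for trying this out
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Saved as e.g. check-certs.sh (hypothetical name): sudo bash check-certs.sh scan
if [ "${1:-}" = scan ]; then scan_live; exit $?; fi
```

Run it as root (the live directory is not readable otherwise), for example from a daily cron job; a non-zero exit status means at least one certificate needs attention.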

Backup Your Certificates

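Just in case, back up your Let's Encrypt folder. It contains your private keys, so use cp -a, which keeps the root-only permissions and the symlinks in live/ intact, and treat the copy as carefully as the original:

sudo cp -a /etc/letsencrypt ~/letsencrypt-backup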

What About Subdomains?

If you want SSL on subdomains like blog.yourdomain.com, you have two options:

  • Separate certificates: Just run Certbot again with the subdomain
  • Wildcard certificate: More complex, but covers all subdomains

For most people, separate certificates are easier to manage.

Final Thoughts

And there you have it! Your site is now running on HTTPS with a free SSL certificate that renews automatically. Pretty sweet, right?

Remember, HTTPS isn't just about security anymore - it's about trust. Visitors feel safer, search engines rank you higher, and you're doing your part to make the web a more secure place.

Keep an eye on your certificates (though Certbot should handle most of the work automatically), and enjoy that green padlock icon! Your visitors will thank you for it.

Got questions or run into issues? Drop them in the comments below - I've probably run into the same problems myself and can help you troubleshoot!
