
SSL with Certbot (Let's Encrypt)

How to install a free SSL certificate with Certbot on your server

Let's Encrypt is a free certificate authority that lets you add HTTPS to your site in minutes via Certbot.

Prerequisites

  • Domain that correctly points to the server IP
  • Ports 80 and 443 open in the firewall
  • Web server (Nginx or Apache) running

Certbot installation

Debian / Ubuntu

apt install certbot -y

# Plugin for Nginx
apt install python3-certbot-nginx -y

# Plugin for Apache
apt install python3-certbot-apache -y

CentOS / AlmaLinux

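# Certbot is packaged in EPEL, so enable that repository first
dnf install epel-release -y
dnf install certbot -y
dnf install python3-certbot-nginx -y     # Plugin for Nginx
dnf install python3-certbot-apache -y    # Plugin for Apache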

Get the certificate

With Nginx (automatic)

certbot --nginx -d example.com -d www.example.com

Certbot will automatically modify the Nginx configuration to add HTTPS.

With Apache (automatic)

certbot --apache -d example.com -d www.example.com

Standalone (without web server)

# Stop the web server first
systemctl stop nginx

certbot certonly --standalone -d example.com -d www.example.com

# Restart the web server
systemctl start nginx

Automatic renewal

Let's Encrypt certificates last 90 days. Certbot automatically installs a timer for renewal. Verify it works:

# Check the timer
systemctl status certbot.timer

# Test renewal (doesn't actually renew, just simulates)
certbot renew --dry-run

Manual renewal

certbot renew

View installed certificates

certbot certificates
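
Certbot by default renews once fewer than 30 days remain, so a certificate listed with noticeably fewer days left means the renewal timer is failing. The check below is an added example, not part of the original page: it parses a constructed sample of the certbot certificates listing, and the helper names check_expiry and sample_output, the 20-day threshold and the assumed output layout are illustrative.

```sh
#!/bin/sh
# Added example: report certificates whose renewal is overdue or that expired.
# Assumed input layout: "Certificate Name: <name>" lines followed by
# "Expiry Date: <date> (VALID: N days)" or "(INVALID: ...)".

# check_expiry MIN_DAYS  (hypothetical helper; reads the listing on stdin)
# Prints "<state> <name> <days>" per certificate; returns 1 if any needs action.
check_expiry() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = "-"
            if ($0 ~ /INVALID/) {
                state = "EXPIRED"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # "VALID: " is 7 characters and " day" is 4
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                state = (days < min) ? "RENEWAL_OVERDUE" : "OK"
            } else {
                state = "UNPARSED"   # fail closed on anything unrecognised
            }
            if (state != "OK") bad = 1
            print state, name, days
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (not real output from any server).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-13 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-11-02 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the constructed sample. On a server:
#   certbot certificates 2>/dev/null | check_expiry 20
sample_output | check_expiry 20 || echo "one or more certificates need attention"
```

The non-zero return status makes the function usable from cron or a monitoring agent, which can alert whenever it fails.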

Certificate location

Certificates are saved in:

/etc/letsencrypt/live/example.com/
├── cert.pem         # Certificate
├── chain.pem        # Intermediate chain
├── fullchain.pem    # Certificate + chain
└── privkey.pem      # Private key

Manual Nginx HTTPS configuration

If you want to configure HTTPS manually without the plugin:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # ... rest of the configuration
}

Common errors

Error | Solution
Connection refused on port 80 | Check that the firewall allows port 80
DNS not propagated | Wait for DNS propagation before requesting the certificate
Rate limit exceeded | Let's Encrypt has limits: max 5 certificates per domain every 7 days
