What you'll build
Free SSL certificate from Let's Encrypt for your domain, with automatic renewal every 90 days.
Your site will go from http:// to https:// with the green padlock, improved SEO, and encrypted communication.
Step 1: Verify your domain points to your VPS
# Should show your VPS IP
dig +short yourdomain.com
Step 2: Install Certbot
apt install certbot python3-certbot-nginx -y
Step 3: Get the certificate
# With Nginx (recommended)
certbot --nginx -d yourdomain.com -d www.yourdomain.com
# It will ask:
# - Email (for expiration notices)
# - Accept terms
# - Redirect HTTP to HTTPS (choose 2 = Yes)
Step 4: Verify
# See installed certificates
certbot certificates
# Test renewal
certbot renew --dry-run
Step 5: Configure automatic renewal
Certbot already sets up a cron job or systemd timer for renewal. Verify:
# See systemd timer
systemctl status certbot.timer
# Or see cron
cat /etc/cron.d/certbot
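A timer that exists can still fail silently (port 80 closed later, DNS changed, hook errors), so it helps to check the certificate itself. The script below is an added example, not part of the original guide or of Certbot: it reads the expiry date from the certificate file and flags a certificate that should already have been renewed. The script name `cert-check.sh` and the 20-day threshold are assumptions (Certbot normally renews once about 30 days remain); it requires GNU `date` and `openssl`.

```shell
#!/bin/sh
# Added example (not from the original guide): flag a certificate that
# certbot should already have renewed. Requires GNU date and openssl.

# Parse an `openssl x509 -enddate` line into a Unix epoch (UTC).
expiry_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# cert_state ENDDATE_LINE [WARN_DAYS] [NOW_EPOCH]
# Prints the state and returns 0 = ok, 1 = renewal overdue, 2 = expired,
# 3 = unparseable date. WARN_DAYS defaults to 20 (an assumed threshold).
cert_state() {
    local expiry warn_days now secs
    warn_days="${2:-20}"
    now="${3:-$(date +%s)}"
    expiry=$(expiry_epoch "$1" 2>/dev/null) || { echo "unparseable"; return 3; }
    secs=$(( expiry - now ))
    if [ "$secs" -le 0 ]; then
        echo "expired"; return 2
    elif [ "$secs" -lt $(( warn_days * 86400 )) ]; then
        echo "renewal-overdue ($(( secs / 86400 )) days left)"; return 1
    fi
    echo "ok ($(( secs / 86400 )) days left)"
}

# check_cert_file PEM [WARN_DAYS]: read the expiry from a certificate file.
check_cert_file() {
    local line
    line=$(openssl x509 -enddate -noout -in "$1") || { echo "unreadable"; return 3; }
    cert_state "$line" "${2:-20}"
}

# Run only when a certificate path is passed, e.g. from a daily cron job:
#   sh cert-check.sh /etc/letsencrypt/live/yourdomain.com/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert_file "$@"
    exit $?
fi
```

A non-zero exit status makes the script easy to wire into cron mail or a monitoring check.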
Verify in browser
- Open https://yourdomain.com
- You should see the green padlock
- Click the padlock → "Connection is secure"
Resulting Nginx configuration
Certbot modifies your config:
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # your config...
}
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
Add more domains
certbot --nginx -d newdomain.com -d www.newdomain.com
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| Challenge failed | Port 80 blocked | ufw allow 80 |
| Domain not pointing | DNS not propagated | Wait 5-30 min |
| Too many requests | Rate limit | Wait 1 hour |
Security test
Verify your SSL config:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
Goal: A or A+