Free SSL Certificates with Let's Encrypt and Certbot
Step-by-step guide to installing and auto-renewing free SSL certificates for your websites using Certbot.
Secure your websites with free SSL/TLS certificates from Let's Encrypt using Certbot.
Why SSL/TLS Certificates?
SSL/TLS certificates provide:
- Encrypted connections (HTTPS)
- Improved SEO rankings
- User trust and security
- Required for modern web features
- Protection against man-in-the-middle attacks
Prerequisites
- Domain name pointing to your Linux server
- Web server (Apache or Nginx) installed
- Ports 80 and 443 open in the firewall
- Root or sudo access
Step 1: Install Certbot
For Ubuntu/Debian with Nginx:
sudo apt update
sudo apt install certbot python3-certbot-nginx
For Ubuntu/Debian with Apache:
sudo apt update
sudo apt install certbot python3-certbot-apache
Step 2: Obtain SSL Certificate
Nginx (Automatic Configuration):
sudo certbot --nginx -d example.com -d www.example.com
Apache (Automatic Configuration):
sudo certbot --apache -d example.com -d www.example.com
Manual (Webroot):
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Standalone (Stops Web Server):
sudo systemctl stop nginx
sudo certbot certonly --standalone -d example.com -d www.example.com
sudo systemctl start nginx
Step 3: Configure Auto-Renewal
The Certbot package automatically sets up scheduled renewal (a cron job or a systemd timer). Test it:
sudo certbot renew --dry-run
Check renewal timer:
sudo systemctl status certbot.timer
Manual renewal (if needed):
sudo certbot renew
Step 4: Verify SSL Certificate
Test your SSL configuration:
curl -I https://example.com
Check certificate details:
sudo certbot certificates
Use SSL Labs for comprehensive testing:
https://www.ssllabs.com/ssltest/
Step 5: Nginx SSL Configuration
Certbot configures Nginx automatically, but here's what it adds:
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;

    # ... rest of your configuration
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
Step 6: Multiple Domains
Get certificates for multiple domains:
sudo certbot --nginx -d example.com -d www.example.com -d api.example.com
Or separate certificates:
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --nginx -d api.example.com
Managing Certificates
List all certificates:
sudo certbot certificates
Revoke a certificate:
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem
Delete a certificate:
sudo certbot delete --cert-name example.com
Troubleshooting
Port 80 blocked:
Ensure firewall allows HTTP:
sudo ufw allow 'Nginx Full'
DNS not pointing correctly:
Verify with:
dig example.com +short
nslookup example.com
Web server not running:
Check status:
sudo systemctl status nginx
Certificate renewal failed:
Check logs:
sudo journalctl -u certbot
Best Practices
1. Always use HTTPS redirect: Force all traffic to HTTPS
2. Enable HSTS: Prevent SSL stripping attacks
3. Monitor expiration: Check certificates regularly
4. Test renewals: Run dry-run tests monthly
5. Keep Certbot updated: sudo apt update && sudo apt install --only-upgrade certbot
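One way to automate practice 3 (monitor expiration), as an added example that is not part of the original guide: the function below reads the output of sudo certbot certificates and prints every certificate that is invalid or has fewer than a given number of days left. The sample output is constructed, the function names are hypothetical, and the line format is assumed to match Certbot's human-readable listing.

```shell
#!/bin/sh
# Added example (not from the original guide): list certificates that are
# invalid or close to expiry, from `sudo certbot certificates` output.

# Constructed sample of that output; names, dates and day counts are made up.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/api.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2029-12-30 10:00:00+00:00 (VALID: 7 hour(s))
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
EOF
}

# expiring_certs LIMIT_DAYS
# Reads certbot output on stdin and prints "<cert name> <days left|INVALID>"
# for every certificate that is invalid or has fewer than LIMIT_DAYS left.
expiring_certs() {
  awk -v limit="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if ($0 ~ /\(INVALID/)   { print name, "INVALID"; next }  # expired, revoked, ...
      if ($0 ~ /hour\(s\)\)/) { print name, 0; next }          # under one day left
      left = $0
      sub(/^.*\(VALID: /, "", left)   # leaves e.g. "62 days)"
      if (left + 0 < limit) print name, left + 0
    }'
}

# Demo on the constructed sample. On a server:
#   sudo certbot certificates 2>/dev/null | expiring_certs 30
sample_output | expiring_certs 30
```

Any line printed for a certificate that should be renewing automatically is a cue to check the renewal logs from the Troubleshooting section.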
Rate Limits
Let's Encrypt has rate limits:
- 50 certificates per domain per week
- 5 duplicate certificates per week
- 300 pending authorizations per account
Conclusion
Free SSL certificates from Let's Encrypt make HTTPS accessible to everyone. Certbot automates the entire process including renewals.