
SSL/TLS Certificate Setup on Linux: Let's Encrypt Complete Guide

Securing your website with SSL/TLS certificates is no longer optional — it is a requirement. Search engines penalize HTTP sites, browsers display security warnings, and users expect the padlock icon. Let's Encrypt provides free, automated certificates that make HTTPS accessible to everyone.

What Is Let's Encrypt?

Let's Encrypt is a free, automated, and open Certificate Authority (CA) run by the Internet Security Research Group (ISRG). It provides domain-validated certificates at no cost with automated issuance and renewal.

Installing Certbot

Certbot is the recommended client for Let's Encrypt:

# Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx

# RHEL/CentOS/AlmaLinux (certbot ships in the EPEL repository, so enable EPEL first)
sudo dnf install certbot python3-certbot-nginx

# With snap (recommended by Certbot; the snap always tracks the current Certbot release)
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Obtaining Certificates for Nginx

# Automatic configuration (Certbot edits the matching Nginx server blocks and reloads Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Certificate only (you write the Nginx configuration yourself)
sudo certbot certonly --nginx -d example.com -d www.example.com

# Standalone mode (Certbot binds port 80 for the HTTP-01 challenge, so no web server may be running)
sudo certbot certonly --standalone -d example.com

Nginx SSL Configuration

After obtaining certificates, configure Nginx to serve them with hardened TLS settings:

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # fullchain.pem contains the server certificate plus the Let's Encrypt intermediate;
    # privkey.pem is created readable by root only and must stay that way
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0 and 1.1 are disabled; only AEAD suites with forward secrecy are offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS: browsers refuse plain HTTP for this host for two years. Add "preload" only
    # once every subdomain serves HTTPS, because leaving the preload list is slow and hard.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
}

# Send every plain-HTTP request to the HTTPS site
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Apache SSL Configuration

# Needs the Apache plugin (included in the snap; on apt/dnf install python3-certbot-apache).
# Certbot edits the virtual host, installs the certificate and reloads Apache.
sudo certbot --apache -d example.com -d www.example.com

Automatic Renewal

Let's Encrypt certificates expire after 90 days. Certbot sets up automatic renewal:

# Test renewal without touching the live certificates
sudo certbot renew --dry-run

# Check the systemd renewal timer installed by the distribution packages
systemctl status certbot.timer

# Manual crontab entry (only if no timer exists). certbot renew only replaces
# certificates that are within 30 days of expiry, so running it twice a day is safe.
0 0,12 * * * /usr/bin/certbot renew --quiet

# Certificates obtained with certonly are not loaded into the running web server on
# renewal; add --deploy-hook "systemctl reload nginx" to the renew command for those.

Wildcard Certificates

For wildcard certificates you need DNS validation (the DNS-01 challenge): the CA checks a TXT record under _acme-challenge.example.com instead of a file served over HTTP. The --manual mode below prompts you to create that record by hand, so such certificates cannot renew unattended; use a DNS provider plugin or --manual-auth-hook if you need automatic renewal:

sudo certbot certonly --manual --preferred-challenges dns \
    -d example.com -d '*.example.com'   # quote the wildcard so the shell does not expand it

Testing Your SSL Configuration

Verify your setup with these tools:

  • SSL Labs: ssllabs.com/ssltest — comprehensive SSL test (grades protocols, cipher suites, certificate chain and HSTS)
  • Mozilla Observatory: Tests HTTP security headers
  • openssl command: openssl s_client -connect example.com:443 -servername example.com (the -servername flag sends SNI, so you see the certificate served for that name rather than the server's default one)

Security Best Practices

  1. Only enable TLS 1.2 and TLS 1.3
  2. Implement HSTS with a long max-age
  3. Enable OCSP stapling for faster validation
  4. Monitor certificate expiration dates
  5. Use strong cipher suites
  6. Redirect all HTTP traffic to HTTPS
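Added example (not code from the original article): a Python check that does what the openssl s_client test and the "monitor certificate expiration dates" practice above describe. It connects to a host with SNI, verifies the chain and hostname against the system trust store, and flags a pre-TLS 1.2 protocol or a certificate already inside the 30-day renewal window. The default host name, the 30-day threshold and the output format are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import List

# Timestamp format returned in ssl.getpeercert()["notAfter"], e.g. "Jun  1 12:00:00 2025 GMT"
NOTAFTER_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_not_after(value: str) -> datetime:
    """Turn the certificate's notAfter string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, NOTAFTER_FMT).replace(tzinfo=timezone.utc)

def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate expires (negative once it has expired)."""
    return (parse_not_after(not_after) - now).days

def assess(tls_version: str, days_left: int, warn_days: int = 30) -> List[str]:
    """Return findings; an empty list means the endpoint passes the page's checks.
    warn_days=30 (assumed threshold) matches the window in which certbot renew replaces
    a certificate, so a live certificate inside it means automatic renewal is not working."""
    findings = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"weak protocol negotiated: {tls_version}")
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days; check 'certbot renew --dry-run'")
    return findings

def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like `openssl s_client -connect host:443 -servername host`, verifying the
    chain and hostname against the system trust store, and report what was negotiated."""
    ctx = ssl.create_default_context()  # certificate and hostname verification enabled
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # server_hostname sets SNI
            cert = tls.getpeercert()
            version, cipher = tls.version(), tls.cipher()[0]
    days_left = days_until_expiry(cert["notAfter"], datetime.now(timezone.utc))
    return {"host": host, "tls_version": version, "cipher": cipher,
            "days_left": days_left, "findings": assess(version, days_left)}

if __name__ == "__main__":
    import sys
    result = check_endpoint(sys.argv[1] if len(sys.argv) > 1 else "example.com")  # assumed host
    print(result)
    sys.exit(1 if result["findings"] else 0)
```

Run it from cron or a monitoring job; a non-zero exit code means the certificate or protocol needs attention before users see a browser warning.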

With Let's Encrypt and Certbot, there is no excuse for running an unencrypted website. Set up your certificates today and protect your users' data in transit.
