Quick Summary: Let's Encrypt provides free, automated SSL/TLS certificates trusted by all major browsers. Using Certbot (the official client), you can secure your website with HTTPS in under 5 minutes. Certificates are valid for 90 days and renew automatically. This guide covers setup for NGINX and Apache, wildcard certificates, and troubleshooting common issues.
Why HTTPS Is Mandatory in 2026
- Google Chrome marks HTTP sites as "Not Secure" since 2018
- HTTPS is a ranking factor for Google Search
- Modern web features (HTTP/2, service workers, geolocation) require HTTPS
- PCI DSS compliance requires encryption for any payment processing
- User trust: visitors abandon sites without the padlock icon
Installing Certbot
For NGINX
- Debian/Ubuntu:
sudo apt install certbot python3-certbot-nginx
- RHEL/AlmaLinux:
sudo dnf install certbot python3-certbot-nginx
For Apache
- Debian/Ubuntu:
sudo apt install certbot python3-certbot-apache
- RHEL/AlmaLinux:
sudo dnf install certbot python3-certbot-apache
Obtaining a Certificate (Step-by-Step)
- Ensure your domain's DNS A record points to your server
- Ensure your web server is running and accessible on port 80
- Run Certbot:
  - NGINX:
sudo certbot --nginx -d example.com -d www.example.com
  - Apache:
sudo certbot --apache -d example.com -d www.example.com
- Certbot automatically configures your web server for HTTPS
- Verify: visit https://example.com — you should see the padlock
Certificate Types
| Type | Coverage | Command |
|---|---|---|
| Single domain | example.com only | certbot --nginx -d example.com |
| Multiple domains | example.com + www | certbot --nginx -d example.com -d www.example.com |
| Wildcard | *.example.com | certbot certonly --manual --preferred-challenges dns -d "*.example.com" |
| Standalone | No web server needed | certbot certonly --standalone -d example.com |
Auto-Renewal
Certbot sets up automatic renewal by default. Certificates renew when they have less than 30 days remaining:
- Test renewal:
sudo certbot renew --dry-run
- Check timer:
systemctl list-timers | grep certbot
- Manual renewal:
sudo certbot renew
SSL Configuration Best Practices
| Setting | Recommended Value | Purpose |
|---|---|---|
| TLS version | TLSv1.2 and TLSv1.3 only | Disable insecure older versions |
| HSTS header | max-age=31536000; includeSubDomains | Force HTTPS for 1 year |
| OCSP Stapling | Enabled | Faster certificate validation |
| HTTP to HTTPS redirect | 301 permanent redirect | No unencrypted access |
| Cipher suites | Modern only (AESGCM, CHACHA20) | Strong encryption only |
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Challenge failed | Port 80 blocked by firewall | Open port 80: ufw allow 80 |
| DNS not propagated | A record not pointing to server | Wait for DNS propagation or verify with dig |
| Rate limit exceeded | Too many certificate requests | Wait 1 hour; use staging for testing |
| Mixed content warnings | HTTP resources on HTTPS page | Update all URLs to HTTPS or use // |
| Certificate expired | Auto-renewal failed | Check certbot renew and timer status |
Frequently Asked Questions
Are Let's Encrypt certificates as secure as paid ones?
Yes. Let's Encrypt certificates use the same encryption strength as paid certificates. The encryption (TLS) is identical. Paid certificates (EV, OV) offer visual indicators (company name in address bar) and warranty, but the actual encryption is the same.
Why do Let's Encrypt certificates expire every 90 days?
Short lifetimes encourage automation and reduce the damage from compromised certificates. With auto-renewal set up, the 90-day lifetime is transparent — Certbot handles everything automatically.
Can I use Let's Encrypt for wildcard certificates?
Yes. Wildcard certificates require DNS-01 challenge validation: you must add a TXT record to your DNS. Use certbot certonly --manual --preferred-challenges dns -d "*.example.com" or automate with DNS plugins.