SSL/TLS Certificate Setup: The Complete HTTPS Guide for Linux Servers

In 2026, HTTPS is not optional — it's a hard requirement. Google penalizes HTTP sites in search rankings, browsers show scary "Not Secure" warnings, and users simply don't trust sites without the padlock icon. Yet many sysadmins still struggle with SSL/TLS setup.

This guide takes you from zero to a perfect A+ SSL rating on SSL Labs, covering both Nginx and Apache.

Step 1: Install Certbot (Let's Encrypt)

Let's Encrypt provides free, auto-renewing SSL certificates. It's the standard for 90% of web servers:

# Ubuntu/Debian
sudo apt install certbot python3-certbot-nginx

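# AlmaLinux/RHEL (certbot is packaged in EPEL)
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx

# Request certificate
# (for Apache, install python3-certbot-apache and use --apache instead of --nginx)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com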

Step 2: Nginx SSL Configuration (A+ Rating)

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # Certificate files
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Modern TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

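    # OCSP Stapling
    # nginx ignores stapling (with a warning) when the certificate carries no
    # OCSP responder URL, which is the case for current Let's Encrypt certificates.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;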

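    # Security headers
    # includeSubDomains + preload commits every subdomain to HTTPS and is slow
    # to undo; confirm all subdomains serve HTTPS before sending this header.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;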
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Your site configuration
    root /var/www/yourdomain.com/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

Step 3: Apache SSL Configuration

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain.com/public

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem

    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    # The Header directive requires mod_headers (a2enmod headers on Debian/Ubuntu)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
</VirtualHost>

Step 4: Auto-Renewal

# Test renewal
sudo certbot renew --dry-run

# Certbot auto-creates a systemd timer or cron job
# Verify it exists:
systemctl list-timers | grep certbot

# Or check cron:
cat /etc/cron.d/certbot

Step 5: Test Your SSL Rating

Visit SSL Labs and enter your domain. With the configuration above, you should get an A+ rating.

Common SSL Mistakes to Avoid

  1. Mixed content — Loading HTTP resources on an HTTPS page. Check with browser dev tools.
  2. Missing intermediate certificates — Always use fullchain.pem, not just cert.pem
  3. Not redirecting HTTP → HTTPS — Both should be configured
  4. Forgetting to renew — Let's Encrypt certificates expire after 90 days
  5. Weak protocols and cipher suites — Never allow SSLv3 or TLS 1.0/1.1
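
Items 2, 3 and 5 of the list above, plus the HSTS header from Step 2, can be checked mechanically. The following linter for nginx configuration text is an added example, not part of the original guide; the `directives` and `audit` helpers and the `BAD` sample config are constructed for illustration.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # SSLv3, TLS 1.0/1.1 per the list, plus SSLv2
# Quoted strings are matched first so the ';' inside the HSTS value is not a terminator.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[;{}]|[^\s;{}]+')

def directives(conf):
    """Yield (name, args) for every nginx directive, skipping comments."""
    stmt = []
    for tok in TOKEN.findall(conf):
        if tok in (";", "{", "}"):
            if stmt:
                yield stmt[0], [a.strip("\"'") for a in stmt[1:]]
            stmt = []
        elif not tok.startswith("#"):
            stmt.append(tok)

def audit(conf):
    """Return a list of findings for the mistakes listed above (hypothetical helper)."""
    findings, seen = [], set()
    for name, args in directives(conf):
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS.intersection(args))
            if weak:
                findings.append("weak protocols enabled: " + " ".join(weak))
        elif name == "ssl_certificate" and args and args[0].endswith("/cert.pem"):
            findings.append("ssl_certificate is cert.pem, not fullchain.pem")
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            seen.add("hsts")
        elif name == "return" and args[:1] in (["301"], ["308"]) and args[-1].startswith("https://"):
            seen.add("redirect")
    if "hsts" not in seen:
        findings.append("no Strict-Transport-Security header")
    if "redirect" not in seen:
        findings.append("no HTTP to HTTPS redirect")
    return findings

# Constructed sample: a misconfigured server block, not taken from a real host.
BAD = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/cert.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy clients; still weak
}
"""

if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```

To audit the full effective configuration, pass the output of `sudo nginx -T` to `audit`.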

Frequently Asked Questions

Is Let's Encrypt safe for production?

Absolutely. Let's Encrypt secures over 300 million websites. The certificates are identical in security to paid certificates — the encryption is the same. The only difference is validation level (DV vs OV/EV).

Should I use Nginx or Apache?

For new projects, Nginx is generally recommended — it's faster, uses less memory, and handles concurrent connections better. Apache is better if you need .htaccess support or specific Apache modules. Read our Nginx vs Apache comparison for a detailed breakdown.
