SSL Setup

Overview

HTTPS encrypts traffic between clients and your server, protecting sensitive data from interception. Let’s Encrypt provides free SSL/TLS certificates that are trusted by all major browsers.

Certbot is a tool that automates the entire process: obtaining certificates, configuring nginx, and setting up automatic renewal.

Prerequisites

  • VPS setup completed (see VPS Setup)
  • nginx installed and configured (see nginx Setup)
  • Domain name pointed to your VPS IP address
  • nginx server block configured for your domain

Installation

Install Certbot and the nginx plugin:

sudo apt install -y certbot python3-certbot-nginx

The nginx plugin allows Certbot to automatically modify your nginx configuration to enable HTTPS.

Getting a Certificate

Single Domain

For a single domain:

sudo certbot --nginx -d <domain>

Certbot will:

  1. Verify you control the domain (via HTTP challenge)
  2. Obtain a certificate from Let’s Encrypt
  3. Automatically configure nginx for HTTPS
  4. Set up HTTP to HTTPS redirect

Multiple Domains

For multiple domains or subdomains in one certificate:

sudo certbot --nginx -d example.com -d www.example.com -d api.example.com

This creates a single certificate covering all specified domains.

Adding Subdomains Later

If you add a subdomain after initial setup:

sudo certbot --nginx -d new-subdomain.example.com

This creates a separate certificate for the new subdomain.

Certificate Renewal

Certificates expire after 90 days. Certbot installs a systemd timer that automatically renews certificates when they have 30 days or less remaining.

Test Renewal Process

Verify automatic renewal works:

sudo certbot renew --dry-run

This simulates renewal without actually renewing certificates. If successful, automatic renewal is configured correctly.

Manual Renewal

Force renewal of all certificates:

sudo certbot renew

Check Certificate Status

List all certificates with expiration dates:

sudo certbot certificates
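As an added example (not from this book), the following POSIX shell script reads the text that `sudo certbot certificates` prints and lists the certificates that are inside Certbot's 30-day renewal window, so the check can be run from cron or a monitoring job. The certbot output embedded below is constructed so the script runs offline; the function names are the script's own.

```shell
#!/bin/sh
# Added example: flag certificates that are within RENEW_DAYS of expiry
# (Certbot's own renewal window is 30 days) by parsing the output format of
# `sudo certbot certificates`. On a real host, pipe that command's output in.

RENEW_DAYS=30

# Constructed sample of `sudo certbot certificates` output: one multi-domain
# certificate, one later-added subdomain, and one expired certificate.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com api.example.com
    Expiry Date: 2025-06-10 12:00:00+00:00 (VALID: 25 days)
  Certificate Name: new-subdomain.example.com
    Domains: new-subdomain.example.com
    Expiry Date: 2025-08-01 12:00:00+00:00 (VALID: 77 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-04-01 12:00:00+00:00 (INVALID: EXPIRED)'

# Read certbot output on stdin; print "<cert name> <days left>" per certificate.
# Expired certificates ("INVALID: EXPIRED") are reported as 0 days left.
cert_days_left() {
  awk '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      days = 0
      if (match($0, /VALID: [0-9]+ day/)) {
        split(substr($0, RSTART, RLENGTH), parts, " ")
        days = parts[2]
      }
      print name, days
    }'
}

# Print the names of certificates due for renewal (RENEW_DAYS or fewer left).
certs_due_for_renewal() {
  printf '%s\n' "$1" | cert_days_left | awk -v limit="$RENEW_DAYS" '$2 <= limit { print $1 }'
}

# Exit 0 when nothing is due, 1 otherwise (a non-zero exit is what a cron job
# or monitoring check would alert on).
renewal_status() {
  [ -z "$(certs_due_for_renewal "$1")" ]
}

certs_due_for_renewal "$SAMPLE_OUTPUT"
```

On a live server replace the constructed sample with `sudo certbot certificates 2>/dev/null` captured into the variable; certificates that `certbot renew` would pick up are exactly the ones listed.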

Troubleshooting

Port 80 Must Be Open

Certbot uses HTTP (port 80) to verify domain ownership. Ensure UFW allows port 80 (the 'Nginx Full' profile opens both 80 and 443):

sudo ufw allow 'Nginx Full'

Domain Must Point to VPS

The domain must resolve to your VPS IP address before running Certbot. Verify with:

dig +short <domain>

Certificate Renewal Failures

Check renewal logs if automatic renewal fails:

sudo journalctl -u certbot.timer
sudo tail -f /var/log/letsencrypt/letsencrypt.log

Common Commands

Command                                       Description
sudo certbot --nginx -d <domain>              Obtain and install certificate
sudo certbot certificates                     List all certificates
sudo certbot renew                            Manually renew all certificates
sudo certbot renew --dry-run                  Test renewal process
sudo certbot delete --cert-name <domain>      Delete a certificate