
Setting Up Let's Encrypt SSL Certificates

By Admin · Feb 24, 2026 · Updated Apr 23, 2026

Why SSL?

SSL/TLS encrypts traffic between your users and your server. Without it:

  • Passwords and data are transmitted in plain text
  • Browsers show "Not Secure" warnings
  • Search engines penalize non-HTTPS sites
  • Browsers only speak HTTP/2 over HTTPS, so you lose its performance features

Installation

sudo apt install -y certbot

For Nginx

sudo apt install -y python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

For Apache

sudo apt install -y python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

Standalone (No Web Server)

sudo certbot certonly --standalone -d example.com

Certificate Files

After issuance, certificates are stored at:

/etc/letsencrypt/live/example.com/
├── fullchain.pem   # Certificate + intermediate
├── privkey.pem     # Private key
├── cert.pem        # Certificate only
└── chain.pem       # Intermediate only

Auto-Renewal

Certbot installs a timer that checks twice daily:

# Verify timer is active
sudo systemctl status certbot.timer

# Test renewal (dry run)
sudo certbot renew --dry-run

Wildcard Certificates

sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.example.com" -d "example.com"

You'll need to create a DNS TXT record at _acme-challenge.example.com for validation. Certificates issued this way are not renewed by the certbot timer unless you also pass --manual-auth-hook and --manual-cleanup-hook scripts that publish and remove the record for you.

Nginx SSL Configuration

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
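
As an added example (not part of this article, nor certbot's or Nginx's own tooling), here is a small stdlib-only Python checker that parses server blocks like the ones above and flags the weak settings this guide steers you away from: cert.pem instead of fullchain.pem, legacy TLS versions, a missing HSTS header, and no HTTP-to-HTTPS redirect. The two sample configs are constructed for the example, and the parser assumes the flat directive syntax used in this guide's snippets.

```python
import re
# Constructed samples (not from the article): the hardened block above and a weak legacy block.
GOOD_CONF = """
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
"""
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;  # no chain
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

def parse_servers(conf):
    """Each server { } block as a list of (directive, args); flat syntax only."""
    servers = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        lines = (ln.split("#", 1)[0].strip().rstrip(";") for ln in body.splitlines())
        servers.append([(w[0], w[1:]) for w in (ln.split() for ln in lines) if w])
    return servers

def check_tls(conf):
    """Return a list of findings; an empty list means the config meets the guide."""
    findings, servers = [], parse_servers(conf)
    tls = [s for s in servers if any(n == "listen" and "ssl" in a for n, a in s)]
    if not tls:
        findings.append("no server block listens with ssl")
    for s in tls:
        d = dict(s)  # last occurrence of a repeated directive wins
        if not d.get("ssl_certificate", [""])[0].endswith("fullchain.pem"):
            findings.append("ssl_certificate should be fullchain.pem (cert.pem omits the intermediate)")
        protos = set(d.get("ssl_protocols", []))
        if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
            findings.append("ssl_protocols must be limited to TLSv1.2 TLSv1.3")
        hsts = [a for n, a in s if n == "add_header" and a[:1] == ["Strict-Transport-Security"]]
        if not hsts or "always" not in hsts[0]:
            findings.append("missing 'add_header Strict-Transport-Security ... always'")
    if not any(("listen", ["80"]) in s and any(n == "return" for n, _ in s) for s in servers):
        findings.append("no port-80 server block redirecting to HTTPS")
    return findings
```

Run check_tls on your own config text: the hardened block returns no findings, the weak one returns four.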

Let's Encrypt vs. Paid SSL

Feature                  Let's Encrypt          Paid SSL
Price                    Free                   $10-200/yr
Validity                 90 days                1-2 years
Wildcard                 Yes (DNS challenge)    Yes
Organization validation  No                     Available
Auto-renewal             Built-in               Manual

Tip: 90-day certificates are a feature, not a limitation. Short lifetimes reduce the impact of key compromise, and auto-renewal means you never think about it.
