Since 2015 Let's Encrypt has been the free certificate authority driving the web's move to HTTPS. Today at least 85% of new websites use a Let's Encrypt certificate. This guide covers Certbot setup from scratch, auto-renewal, wildcard certificates and the most common failure modes.
Installing Certbot
# Ubuntu / Debian (distro package)
sudo apt update && sudo apt install certbot python3-certbot-nginx
# Alternative: snap (always the latest Certbot release)
# Install one or the other, not both: remove the apt package before switching to the snap
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Standard HTTP-01 Challenge
This is the most common method. Let's Encrypt's validation servers fetch a token that Certbot places under http://example.com/.well-known/acme-challenge/ to prove you control the host. Port 80 must be reachable from the internet and the domain must already resolve to your server.
# Automatic install for Nginx
sudo certbot --nginx -d example.com -d www.example.com -m admin@example.com --agree-tos --no-eff-email
# For Apache
sudo certbot --apache -d example.com -d www.example.com
# Certificate only, configure the server manually
sudo certbot certonly --webroot -w /var/www/html -d example.com
Wildcard Certificates (DNS-01 Challenge)
A wildcard certificate covering all subdomains (*.example.com) cannot be issued over the HTTP challenge. You prove control of the zone instead by publishing a TXT record at your DNS provider.
sudo certbot certonly --manual --preferred-challenges dns \
-d example.com -d '*.example.com' \
-m admin@example.com --agree-tos
# Certbot prints a TXT value for _acme-challenge.example.com
# Add it to DNS and verify with 'dig _acme-challenge.example.com TXT'
# Then press Enter
# Note: certificates obtained with --manual cannot renew unattended. For automatic
# renewal use a DNS plugin for your provider (e.g. certbot-dns-cloudflare) or --manual-auth-hook
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer or cron job that runs twice a day: it renews any certificate that is 60 days old (30 days before expiry), and if an attempt fails it simply tries again at the next run.
# Verify the timer
systemctl list-timers | grep certbot
# Dry run
sudo certbot renew --dry-run
# Deploy hook: runs only after a certificate has actually been renewed, so Nginx picks up the new files
sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
echo '#!/bin/bash
systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Nginx SSL Configuration
# HTTPS server; both names are covered by the certificate requested above
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # fullchain.pem = leaf + intermediate; privkey.pem must stay readable by root only
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Protocol and cipher settings maintained by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # HSTS: browsers refuse plain HTTP for a year once they have seen this header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# HTTP to HTTPS redirect
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Common Issues
- Rate limit: 50 certificates per week; use the --staging flag for testing
- Port 80 closed: the HTTP challenge fails; check the firewall
- DNS not propagated: lower the TTL and wait 5-10 minutes
- Wrong CAA record: verify with dig example.com CAA; letsencrypt.org must be allowed
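The CAA and port 80 failures above are the two that can be checked before Certbot ever contacts Let's Encrypt. The script below is an added example, not part of Certbot; it assumes bash, dig (bind9-dnsutils) and curl are installed, and parses CAA records exactly as dig +short prints them.

```shell
#!/usr/bin/env bash
# Pre-flight checks before requesting a certificate (added example, not Certbot code).
set -u

# caa_allows_letsencrypt RECORDS [WILDCARD]
#   RECORDS  text exactly as `dig +short <name> CAA` prints it (may be empty)
#   WILDCARD 1 when the request is for *.example.com, 0 otherwise
# Exit 0 if issuance is permitted, 1 if the CAA set blocks Let's Encrypt.
# RFC 8659: an empty set permits any CA; for a wildcard name the issuewild
# tag governs when at least one is present, otherwise the issue tag applies.
caa_allows_letsencrypt() {
  local records="$1" wildcard="${2:-0}" tag="issue"
  [ -z "$records" ] && return 0
  if [ "$wildcard" = 1 ] && printf '%s\n' "$records" | grep -q ' issuewild '; then
    tag="issuewild"
  fi
  # Accept the CA name with or without parameters, e.g. "letsencrypt.org; validationmethods=dns-01"
  printf '%s\n' "$records" | grep -Eq " ${tag} \"letsencrypt\.org( *;|\")"
}

# caa_records_for NAME
# Prints the effective CAA set: the first non-empty answer walking from NAME
# up through its parents (RFC 8659 section 3). Needs network access.
caa_records_for() {
  local name="$1" out
  while :; do
    out=$(dig +short "$name" CAA 2>/dev/null) || out=""
    [ -n "$out" ] && { printf '%s\n' "$out"; return 0; }
    case "$name" in *.*) name="${name#*.}" ;; *) return 0 ;; esac
  done
}

# port80_answers NAME
# Exit 0 if a request for a bogus ACME path gets any HTTP reply (a 404 is fine:
# it proves port 80 is open and routed to this host), 1 on no answer at all.
port80_answers() {
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
         "http://$1/.well-known/acme-challenge/preflight-$$") || return 1
  [ "$code" != "000" ]
}

# preflight DOMAIN [WILDCARD]  -- run both checks and print a one-line verdict each
preflight() {
  caa_allows_letsencrypt "$(caa_records_for "$1")" "${2:-0}" \
    && echo "CAA: letsencrypt.org allowed" || echo "CAA: letsencrypt.org NOT allowed"
  port80_answers "$1" && echo "port 80: reachable" || echo "port 80: no answer"
}
```

Run it as `preflight example.com` (or `preflight example.com 1` for a wildcard request) from a shell that has sourced the file.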
Conclusion
A free, auto-renewing, browser-trusted SSL certificate from Let's Encrypt takes roughly five minutes to set up. If you need help with multi-domain management, wildcard certificates or an SSL Labs A+ configuration, KEYDAL can handle it for you.