Since 2015 Let's Encrypt has been the free certificate authority driving the web's move to HTTPS. Today at least 85% of new websites use a Let's Encrypt certificate. This guide covers Certbot setup from scratch, auto-renewal, wildcard certificates and the most common failure modes.
Installing Certbot
# Ubuntu / Debian
sudo apt update && sudo apt install certbot python3-certbot-nginx
# Alternative: snap (latest version)
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Standard HTTP-01 Challenge
This is the most common method. Let's Encrypt connects to your domain over HTTP and fetches a token file that Certbot placed there, which proves you control the host. Port 80 must be open and the domain must already point to your server.
# Automatic install for Nginx
sudo certbot --nginx -d example.com -d www.example.com -m admin@example.com --agree-tos --no-eff-email
# For Apache
sudo certbot --apache -d example.com -d www.example.com
# Certificate only, configure the server manually
sudo certbot certonly --webroot -w /var/www/html -d example.com
With the --nginx or --apache plugin, Certbot stores the certificate and key under /etc/letsencrypt/ and appends the ssl_certificate directives to your Nginx/Apache config automatically.
Wildcard Certificates (DNS-01 Challenge)
A wildcard certificate that covers all subdomains (*.example.com) cannot use the HTTP challenge. You prove ownership instead by creating a TXT record at your DNS provider.
sudo certbot certonly --manual --preferred-challenges dns \
-d example.com -d '*.example.com' \
-m admin@example.com --agree-tos
# Certbot prints a TXT value for _acme-challenge.example.com
# Add it to DNS and verify with 'dig _acme-challenge.example.com TXT'
# Then press Enter
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer or cron job that handles renewal automatically. Certbot attempts renewal once a certificate is 60 days old, and because the timer runs twice a day a failed attempt is simply retried at the next run.
# Verify the timer
systemctl list-timers | grep certbot
# Dry run
sudo certbot renew --dry-run
# Hook to reload Nginx after each renewal
sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
echo '#!/bin/bash
systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Nginx SSL Configuration
server {
    listen 443 ssl http2;
    # List every name the certificate covers, otherwise https://www.example.com
    # falls through to Nginx's default server block
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# HTTP to HTTPS redirect
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Common Issues
- Rate limit — 50 certificates per week; use the --staging flag for testing
- Port 80 closed — the HTTP challenge fails; check the firewall
- DNS not propagated — lower the TTL and wait 5-10 minutes
- Wrong CAA record — verify with dig example.com CAA; letsencrypt.org must be allowed
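As an added example (not part of the original guide), a bash pre-flight script that checks the conditions behind the failure modes above before you run Certbot: the A record points at this server, the effective CAA policy permits letsencrypt.org, and a token dropped into the webroot is reachable over port 80. It assumes dig and curl are installed; the domain, webroot and IP arguments shown are placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight checks before an HTTP-01 issuance, one per entry in the Common
# Issues list above. Assumes dig and curl are installed; the caller passes the
# domain, its webroot and the server's public IPv4 (values are placeholders).
set -u
# 0 if the expected IP appears among the A answers ('dig +short NAME A' output).
a_record_matches() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# 0 if the CAA answers ('dig +short NAME CAA' output) let Let's Encrypt issue a
# non-wildcard certificate. An empty answer set means no CA restriction at all.
caa_allows_letsencrypt() {
  [ -z "$1" ] && return 0
  printf '%s\n' "$1" | grep -Eq '^[0-9]+ issue "letsencrypt\.org(;[^"]*)?"$'
}

# CAA is inherited: the closest ancestor that has a CAA record decides (RFC 8659).
effective_caa() {
  local name="$1" answer=""
  while :; do
    answer=$(dig +short "$name" CAA)
    [ -n "$answer" ] && break
    case "$name" in *.*) name=${name#*.} ;; *) break ;; esac
  done
  printf '%s' "$answer"
}

# 0 if a token written into the webroot is fetchable over plain HTTP, which is what
# the ACME server does. Fails when port 80 is closed or the vhost serves another root.
challenge_path_served() {
  local domain="$1" webroot="$2" dir token body
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  { mkdir -p "$dir" && printf '%s' "$token" >"$dir/$token"; } || return 1
  body=$(curl -fsS -m 10 "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

preflight() {
  local domain="$1" webroot="$2" ip="$3" rc=0
  a_record_matches "$(dig +short "$domain" A)" "$ip" || { echo "FAIL: A record does not point at $ip"; rc=1; }
  caa_allows_letsencrypt "$(effective_caa "$domain")" || { echo "FAIL: CAA does not allow letsencrypt.org"; rc=1; }
  challenge_path_served "$domain" "$webroot" || { echo "FAIL: HTTP-01 path not reachable on port 80"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok: $domain is ready for certbot"
  return "$rc"
}
if [ $# -eq 3 ]; then preflight "$@"; fi   # e.g. preflight example.com /var/www/html 203.0.113.10
```

Run it as root on the web server so it can write into the webroot; the pure helpers (a_record_matches, caa_allows_letsencrypt) take dig output as text and can be exercised without network access.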
Test the result with SSL Labs (ssllabs.com/ssltest/). An A+ grade requires ssl_protocols TLSv1.2 TLSv1.3;, HSTS, DHE/ECDHE ciphers and OCSP stapling.
Modern Web Hosting and Server Infrastructure
A performant web hosting service rests on three infrastructure decisions: NVMe SSD disks (4-6× IOPS over SATA SSD), LiteSpeed Web Server or Nginx + LSCache (9× request capacity over Apache) and CloudLinux + Imunify360 isolation. The hosting provider's control panel (cPanel, Plesk, DirectAdmin), daily backup policy, data center location and support response time make a big difference too. Turkish locations give low latency to local visitors, while Hetzner Frankfurt or OVH Roubaix suit global traffic. As your site grows, transitioning from shared hosting to VPS to dedicated server scales CPU/RAM/disk to your needs.
Conclusion
A free, auto-renewing, browser-trusted SSL certificate from Let's Encrypt takes roughly five minutes to set up. If you need help with multi-domain management, wildcard certificates or an SSL Labs A+ configuration, KEYDAL can handle it for you.