How do you set up a secure web server using Let's Encrypt SSL certificates?

Securing your website is crucial in today's digital landscape. Users expect safe browsing experiences, and search engines prioritize secure sites. Implementing SSL certificates is an essential step in protecting your web traffic. Let's Encrypt provides a simple and free solution for obtaining SSL certificates. In this guide, we will explore how to set up a secure web server using Let's Encrypt SSL certificates through Certbot.

What is Let's Encrypt and Why Use It?

Let's Encrypt is a free, automated, and open certificate authority (CA) that offers SSL certificates. These certificates enable HTTPS (SSL/TLS) for websites, ensuring encrypted communication between your web server and visitors. With the increasing need for online security, Let's Encrypt offers an accessible means of protecting your site.

Benefits of Using Let's Encrypt

Using Let's Encrypt comes with several advantages:

  • Cost-Effective: Completely free certificates.
  • Ease of Use: Automated tools like Certbot simplify the process.
  • Security: Robust encryption standards.
  • Trust: Recognized and trusted by browsers.

In this article, we will focus on setting up SSL certificates on an Ubuntu server with either Nginx or Apache using Certbot.

Prerequisites Before Installation

Before diving into the installation, ensure you have the following:

  • Ubuntu Server: This guide focuses on Ubuntu, but Certbot supports many operating systems.
  • Domain Name: A fully qualified domain name (FQDN).
  • Web Server: Nginx or Apache installed.
  • Sudo Privileges: Administrative access to install and configure software.

Preparing Your Environment

  1. Update Your System: Ensure your package list and installed packages are up-to-date.
    sudo apt update && sudo apt upgrade -y
  2. Install Necessary Software: Install software-properties-common to manage repositories.
    sudo apt install software-properties-common

With the prerequisites in place, we can move on to installing Certbot and obtaining SSL certificates.

Installing Certbot and Obtaining SSL Certificates

Certbot simplifies the process of obtaining and managing SSL certificates. Here’s how to get started.

Installing Certbot

  1. Add Certbot Repository:
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt update
  2. Install Certbot:
    sudo apt install certbot

Obtaining SSL Certificates

To obtain an SSL certificate, you need to verify domain ownership. Certbot provides different ways to do this, but we will focus on the most common methods for Nginx and Apache.

Using Certbot with Nginx

  1. Install Certbot Nginx Plugin:
    sudo apt install python3-certbot-nginx
  2. Obtain and Configure Certificate:
    sudo certbot --nginx -d -d

Certbot will automatically edit your Nginx configuration file to include the necessary SSL directives. It will prompt you to enter an email address and agree to the terms of service. Once done, Certbot will handle the certificate generation and installation.

Using Certbot with Apache

  1. Install Certbot Apache Plugin:
    sudo apt install python3-certbot-apache
  2. Obtain and Configure Certificate:
    sudo certbot --apache -d -d

Certbot will modify your Apache configuration to integrate the SSL certificate seamlessly. Follow the prompts to complete the process.

Verifying Installation

After obtaining and installing the certificates, verify that the SSL is working:

  1. Check Nginx Configuration:
    sudo nginx -t
    sudo systemctl reload nginx
  2. Check Apache Configuration:
    sudo apache2ctl configtest
    sudo systemctl reload apache2

Visit your domain in a browser to ensure that it is served over HTTPS.

Configuring Auto Renewal

SSL certificates from Let's Encrypt are valid for 90 days. To avoid downtime, it's crucial to automate the renewal process.

Setting Up Auto Renewal

Certbot includes a built-in functionality for automatic renewal. It uses a cron job or systemd timer to check and renew certificates before they expire.

  1. Create a Cron Job:
    echo "0 3 * * * /usr/bin/certbot renew --quiet" | sudo tee -a /etc/crontab > /dev/null
  2. Using Systemd Timer:
    sudo systemctl enable certbot.timer
    sudo systemctl start certbot.timer

These configurations ensure that Certbot will check for certificate renewals regularly and renew them if necessary.

Testing Auto Renewal

To ensure that auto-renewal is functioning correctly, simulate a renewal:

sudo certbot renew --dry-run

If the test is successful, your certificates will renew automatically without further intervention.

Enhancing Security and Performance

With SSL in place, consider additional configurations to enhance security and performance.

HTTP to HTTPS Redirection

Redirect all HTTP traffic to HTTPS to ensure secure connections.


Add the following to your server block:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;


Add the following to your virtual host configuration:

<VirtualHost *:80>
    Redirect permanent /

Security Enhancements

  1. Disable Weak Ciphers:

    Configure your server to use strong ciphers only.

    ssl_ciphers 'HIGH:!aNULL:!MD5';
    SSLCipherSuite HIGH:!aNULL:!MD5
  2. HTTP Strict Transport Security (HSTS):

    Enforce the use of HTTPS:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

By implementing these enhancements, you will provide a more secure and reliable browsing experience for your users.

Setting up a secure web server using Let's Encrypt SSL certificates is a straightforward process with significant benefits. By leveraging Certbot, you can easily obtain and manage SSL certificates for your domain, ensuring encryption and trustworthiness for your website. This guide has walked you through installing and configuring Certbot on an Ubuntu server with Nginx or Apache, verifying the setup, automating renewals, and enhancing security. By following these steps, you will protect your web traffic and meet modern security standards, contributing to a safer internet for all.

Secure your web server today and join the movement towards a more secure and encrypted web.