How to Secure Your Website with a Free SSL Certificate (Let’s Encrypt)

Chrome has stamped “Not Secure” next to your domain. Most visitors who see that turn around.

Fixing it takes about fifteen minutes and costs nothing. Here is how, on a Linux VPS running Apache or Nginx.

Check These Three Things First

Get these wrong and Certbot will fail with a message that sends you hunting in the wrong direction for an hour:

  • Your domain actually points to this server. Run dig yourdomain.com +short and confirm the IP it returns is your VPS
  • Ports 80 and 443 are open. If you haven’t set up a firewall yet, start with our guide on configuring a firewall on your Linux server
  • Your web server is actually running, not just installed

Certbot proves you own the domain by calling back into port 80 on your own server. If DNS hasn’t propagated or that port is closed, it has no way in, and the error it gives you is not especially helpful about why.

Install Certbot

Ubuntu or Debian:

sudo apt update
sudo apt install certbot python3-certbot-apache -y

Running Nginx? Swap python3-certbot-apache for python3-certbot-nginx.

CentOS, AlmaLinux, or Rocky Linux:

sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot-apache -y

Get the Certificate

One command. Certbot edits your virtual host config and sets up the HTTP to HTTPS redirect for you:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

For Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

It asks for an email (that’s where expiry warnings go) and makes you accept the terms. That’s the whole process.

If you’d rather Certbot didn’t touch your web server config at all, use standalone mode. It needs port 80 free while it runs, which means briefly stopping your web server:

sudo certbot certonly --standalone -d yourdomain.com

Confirm It Worked

Load https://yourdomain.com and click the padlock. Or ask Certbot directly:

sudo certbot certificates

It lists the expiry date and every domain the certificate covers.

Auto-Renewal, and Why This Is the Part That Actually Matters

Let’s Encrypt certificates live for exactly 90 days. That short lifespan is deliberate. It forces everyone to automate renewal instead of writing a note in a calendar and forgetting about it.

Certbot installs a systemd timer when you install it. Check the timer is alive:

sudo systemctl status certbot.timer

On systems using cron instead, add this with crontab -e:

0 3 * * * /usr/bin/certbot renew --quiet

Then rehearse the renewal. This does everything a real renewal does, without issuing a new certificate:

sudo certbot renew --dry-run

Run that today, not in 89 days. Sites going dark at 3am because a certificate quietly expired is far more common than it should be, and it always happens when nobody is watching.

Covering Subdomains

Got blog.yourdomain.com and shop.yourdomain.com too? You don’t need a separate certificate for each one. Stack multiple -d flags in a single command, or request a wildcard certificate that covers *.yourdomain.com:

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d "yourdomain.com"

Wildcards force you into a DNS-based challenge (adding a TXT record) rather than the simpler port 80 check. The reason is straightforward: Let’s Encrypt wants proof you control the entire DNS zone, not just one machine.

Four Failures You’ll Probably Hit

  • Certbot can’t connect: nearly always port 80 or 443. Check your OS firewall and your VPS provider’s firewall. They are two different things, and people forget the second one constantly
  • “Domain not pointing to this server”: your A record hasn’t propagated. Wait and retry. DNS can take up to 48 hours
  • Mixed content warnings after installing SSL: some images or stylesheets are still being pulled over http://. Update those URLs to https://
  • Rate limit errors: Let’s Encrypt caps how many certificates you can request per domain per week. This is precisely what --dry-run is for, since dry runs don’t count against your quota

Is a Paid Certificate Ever Worth It?

For the overwhelming majority of websites, no. Let me be blunt about why.

Let’s Encrypt issues Domain Validated (DV) certificates. They confirm you control the domain. The encryption they provide is identical to what a paid certificate gives you. The padlock looks the same.

Commercial CAs sell two tiers above that: OV, where they also verify your business registration, and EV, the most rigorous vetting available. EV used to display your company name in green in the address bar, which felt impressive. But browsers have almost universally removed that visual, which stripped EV of most of its practical value.

Pay for a certificate only if a compliance rule in your industry specifically demands that level of vetting, or if you need the warranty coverage a commercial CA bundles in. Otherwise you are buying a padlock you already have for free.

Do This Before You Close the Tab

Run sudo certbot renew --dry-run. If it passes, you are done and you won’t have to think about this again in three months. If it fails, fixing it right now is far less painful than fixing it the night your site suddenly goes dark.

Once HTTPS is handled, the next weakest point on most servers is somewhere else entirely. Our overview of web hosting security covers where to look next.