
Set Up Let's Encrypt SSL

Let's Encrypt provides free SSL/TLS certificates so you can serve your websites over HTTPS. This guide shows how to install Certbot and obtain certificates for Nginx or Apache on Ubuntu and Debian.

Requirements

  • A VPS running Ubuntu 20.04+ or Debian 11+
  • Nginx or Apache installed and serving your site on port 80
  • A domain name with DNS pointed at your server's IP address
  • Ports 80 and 443 open in your firewall

1. Connect to Your Server

ssh root@YOUR_SERVER_IP

Or use the web terminal in the Sitequest dashboard.

2. Install Certbot

The recommended method is via snap:

apt update
apt install -y snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

3. Obtain a Certificate

For Nginx

certbot --nginx -d example.com -d www.example.com

Certbot will automatically:

  1. Verify you own the domain (via an HTTP challenge on port 80)
  2. Obtain the certificate from Let's Encrypt
  3. Update your Nginx configuration to use HTTPS
  4. Set up a redirect from HTTP to HTTPS

For Apache

certbot --apache -d example.com -d www.example.com

The process is the same — Certbot detects your Apache virtual hosts and configures SSL automatically.

4. Verify HTTPS

After Certbot finishes, visit https://example.com in your browser. You should see a valid certificate with no warnings.

You can also test from the command line:

curl -I https://example.com

Look for HTTP/2 200 and no certificate errors.

5. Automatic Renewal

Let's Encrypt certificates expire after 90 days. Certbot installs a systemd timer (or cron job) that renews them automatically. Verify the timer is active:

systemctl list-timers | grep certbot

Test the renewal process without making changes:

certbot renew --dry-run

If the dry run succeeds, your certificates will renew automatically before they expire.
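As an added check that is not part of Certbot or this guide, the script below audits the certificates Certbot stores under /etc/letsencrypt/live and flags any lineage whose renewal appears to have stalled. It assumes the openssl CLI is installed and relies on Certbot's default behaviour of renewing once fewer than 30 days remain; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Certbot or this guide: audit the certificates
# Certbot keeps under /etc/letsencrypt/live and flag any whose renewal looks
# stalled. Certbot's renew job replaces a certificate once fewer than 30 days
# remain, so a live certificate with less than 30 days left means the timer
# is not running or renewal is failing. Assumes the openssl CLI is installed.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # Certbot's default layout
WARN_DAYS="${WARN_DAYS:-30}"                    # Certbot's default renewal window

# cert_ok_for_days FILE DAYS: exit 0 if the leaf certificate in FILE is still
# valid DAYS days from now, 1 if it expires sooner. For fullchain.pem openssl
# reads only the first (leaf) certificate, which is the one that matters here.
cert_ok_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_end_date FILE: print the leaf certificate's notAfter timestamp
cert_end_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# audit_certs DIR DAYS: print one line per lineage; the exit status is the
# number of lineages that expire within DAYS days (0 means all are healthy)
audit_certs() {
    dir=$1; days=$2; stalled=0
    for chain in "$dir"/*/fullchain.pem; do
        [ -f "$chain" ] || continue
        name=$(basename "$(dirname "$chain")")
        if cert_ok_for_days "$chain" "$days"; then
            printf 'OK      %-30s expires %s\n' "$name" "$(cert_end_date "$chain")"
        else
            printf 'STALLED %-30s expires %s  <- check: certbot renew --dry-run\n' \
                "$name" "$(cert_end_date "$chain")"
            stalled=$((stalled + 1))
        fi
    done
    return "$stalled"
}

# Run the audit when a live directory exists (e.g. from cron or a monitoring check)
if [ -d "$LIVE_DIR" ]; then
    audit_certs "$LIVE_DIR" "$WARN_DAYS"
fi
```

A non-zero exit status from the script means at least one certificate is inside the renewal window without having been renewed, which is the condition worth alerting on.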

6. Manual Certificate-Only Mode

If you want to obtain a certificate without modifying your web server configuration:

certbot certonly --webroot -w /var/www/html -d example.com

The certificate files are stored in /etc/letsencrypt/live/example.com/:

File            Purpose
fullchain.pem   Certificate + intermediate chain
privkey.pem     Private key
cert.pem        Certificate only
chain.pem       Intermediate chain only

Reference these in your Nginx or Apache config manually.

Nginx SSL Configuration

server {
    listen 443 ssl http2;
    server_name example.com;

    # fullchain.pem includes the intermediate so clients can build the chain
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern SSL settings: TLS 1.2 and 1.3 only; with these protocols the
    # client's cipher preference is safe to honour
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (optional, recommended): browsers cache this for max-age seconds
    # (two years here), so enable it only once every path works over HTTPS
    add_header Strict-Transport-Security "max-age=63072000" always;
}

7. Wildcard Certificates

To obtain a wildcard certificate (e.g., *.example.com), use the DNS challenge:

certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

Certbot will ask you to create a TXT DNS record. You can do this via the Sitequest DNS manager. After adding the record, wait a moment for propagation, then press Enter to continue.

Troubleshooting

"Challenge failed" error:

  • Ensure your domain's A record points to your server's IP
  • Verify port 80 is open and your web server is running
  • Check that no other service is blocking port 80

"Too many certificates" error:

  • Let's Encrypt has rate limits: 50 certificates per domain per week
  • Use --staging flag during testing to avoid hitting limits

Certificate not renewing:

  • Run certbot renew --dry-run to diagnose
  • Check the systemd timer: systemctl status snap.certbot.renew.timer
