Colonel Server
SSL installation guide

Why Your VPS Needs an SSL Certificate

An SSL certificate encrypts communication between your website and its visitors. This protects sensitive information such as login credentials, contact form submissions, payment details, and customer data from interception.

Modern web browsers also display security warnings on websites that do not use HTTPS, which can negatively affect user trust and search engine rankings.

Fortunately, Let’s Encrypt provides free SSL certificates that can be installed on virtually any Linux VPS.

What Is Let’s Encrypt?

Let’s Encrypt is a free and automated Certificate Authority (CA) operated by the Internet Security Research Group (ISRG).

It allows website owners to obtain trusted SSL/TLS certificates without purchasing commercial certificates.

Benefits of Let’s Encrypt include:

  • Completely free
  • Trusted by all major browsers
  • Automated issuance and renewal
  • Supports wildcard certificates
  • Widely supported across Linux distributions

What Is Certbot?

Certbot is the official client used to communicate with Let’s Encrypt.

Certbot can:

  • Request SSL certificates
  • Verify domain ownership
  • Configure web servers automatically
  • Renew certificates automatically

Using Certbot significantly simplifies SSL management on a VPS.

Prerequisites

Before installing an SSL certificate, ensure the following requirements are met:

Domain Name

You must own a domain name or subdomain.

Examples:

example.com
www.example.com
server.example.com

DNS Configuration

The domain must point to your VPS using an A record or AAAA record.

Example:

example.com → 192.0.2.10

Verify DNS propagation:

dig example.com

or

nslookup example.com

Running Web Server

Your VPS should already have a web server installed:

  • Apache
  • Nginx

The website should be publicly accessible before certificate validation begins.

Firewall Configuration

Allow HTTP and HTTPS traffic. On systems using firewalld (such as AlmaLinux, Rocky Linux, and RHEL):

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

For Ubuntu systems using UFW:

ufw allow 80/tcp
ufw allow 443/tcp
ufw reload

Installing Certbot on Ubuntu and Debian

Apache

Update repositories:

apt update

Install Certbot:

apt install certbot python3-certbot-apache -y

Nginx

apt update
apt install certbot python3-certbot-nginx -y

Verify installation:

certbot --version

Installing Certbot on AlmaLinux, Rocky Linux, and RHEL

Enable EPEL Repository

dnf install epel-release -y

Apache

dnf install certbot python3-certbot-apache -y

Nginx

dnf install certbot python3-certbot-nginx -y

Verify installation:

certbot --version

Requesting an SSL Certificate

Apache Installation

Run:

certbot --apache

Nginx Installation

Run:

certbot --nginx

Certbot will prompt you for:

  • Email address
  • Terms of Service acceptance
  • Domain selection
  • HTTP to HTTPS redirection

Choose automatic redirection when prompted.

Example:

Redirect all HTTP traffic to HTTPS: Yes

Certbot will then verify ownership and install the certificate automatically.

Certificate Storage Locations

After successful installation, certificates are stored under:

/etc/letsencrypt/live/example.com/

Important files:

fullchain.pem

Contains:

  • Server certificate
  • Intermediate certificates

privkey.pem

Contains:

  • Private key

Protect the private key and never share it publicly.

Manual Apache SSL Configuration

If automatic configuration fails, edit your Apache Virtual Host.

Example:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Test configuration:

apachectl configtest

Restart Apache:

systemctl restart apache2

Or on AlmaLinux:

systemctl restart httpd

Manual Nginx SSL Configuration

Example Nginx Server Block:

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/html;
}

Test configuration:

nginx -t

Restart Nginx:

systemctl restart nginx

Force HTTPS Redirection

Apache

Add a separate port 80 Virtual Host alongside the HTTPS one:

<VirtualHost *:80>
    ServerName example.com

    Redirect permanent / https://example.com/
</VirtualHost>

Nginx

Add a port 80 server block:

server {
    listen 80;
    server_name example.com www.example.com;

    return 301 https://$host$request_uri;
}

This ensures all traffic uses encrypted HTTPS connections.

Testing Your SSL Certificate

Open your website:

https://example.com

Check for:

  • Padlock icon
  • No browser warnings

You can also inspect the certificate:

openssl s_client -connect example.com:443

Or use online SSL analyzers to verify:

  • Certificate validity
  • Supported protocols
  • Security rating

Automatic Certificate Renewal

Let’s Encrypt certificates expire every 90 days.

Certbot automatically renews certificates before expiration.

Test renewal:

certbot renew --dry-run

Successful output indicates automatic renewal is working correctly.

Cron-Based Renewal

Create a cron task:

crontab -e

Add:

0 3 * * * certbot renew --quiet

This checks daily at 3:00 AM.

Systemd Timer

Many modern Linux distributions automatically install a Certbot timer.

Check status:

systemctl list-timers | grep certbot

Verify service:

systemctl status certbot.timer

Generating Wildcard Certificates

Wildcard certificates secure all subdomains.

Example:

*.example.com

Wildcard certificates require DNS validation:

certbot certonly \
--manual \
--preferred-challenges dns \
-d example.com \
-d '*.example.com'

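Certbot will display DNS TXT records that must be added at your DNS provider before validation can complete. Because the --manual method relies on you adding these records by hand, certbot renew cannot renew such a certificate unattended unless an authentication hook script or a DNS plugin for your provider is configured.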

Troubleshooting Common Problems

Domain Validation Failed

Verify DNS:

dig example.com

Ensure:

  • Correct IP address
  • Proper DNS propagation

Firewall Blocking Validation

Check open ports:

ss -tulpn | grep ':80'

Ensure ports 80 and 443 are reachable externally.

Web Server Configuration Errors

Apache:

apachectl configtest

Nginx:

nginx -t

Correct any configuration issues before retrying Certbot.

Certificate Renewal Failures

Review logs:

journalctl -u certbot

Or:

cat /var/log/letsencrypt/letsencrypt.log

Security Best Practices

After installing SSL:

  • Force HTTPS redirects
  • Disable weak SSL protocols
  • Use modern TLS versions (TLS 1.2 and TLS 1.3)
  • Enable HSTS headers
  • Keep Certbot updated
  • Monitor certificate expiration dates

These steps improve both security and browser compatibility.
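
The checklist above can be turned into a quick configuration check. The script below is an added example, not part of the original guide or of Certbot: it audits an Nginx configuration for weak protocols, a missing HSTS header, and a missing HTTP to HTTPS redirect. The helper name audit_tls, both sample configurations, and the HSTS max-age value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: coarse audit of an Nginx config against the checklist above.
# Both sample configs are constructed for illustration.

weak_conf() { cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

hardened_conf() { cat <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# audit_tls (hypothetical helper): reads a config on stdin, prints one line per finding.
audit_tls() {
    conf=$(sed 's/#.*//')   # strip comments so commented-out directives do not count
    protos=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -n "$protos" ] || echo "ssl_protocols not set: protocols depend on the Nginx version default"
    printf '%s\n' "$protos" | grep -Eq 'SSLv[23]|TLSv1(\.1)?([[:space:]]|;)' \
        && echo "weak protocol enabled (SSLv2, SSLv3, TLSv1 or TLSv1.1)"
    printf '%s\n' "$conf" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security' \
        || echo "HSTS header missing"
    printf '%s\n' "$conf" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' \
        || echo "no HTTP to HTTPS redirect"
    return 0
}

echo "weak sample:";     weak_conf | audit_tls
echo "hardened sample:"; hardened_conf | audit_tls
```

On a server, pipe the output of nginx -T into audit_tls so that directives set in included files are also seen. The check is coarse: it looks at the configuration as a whole rather than at each server block separately.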

Final Thoughts

Installing a Let’s Encrypt SSL certificate on a VPS is one of the most important security tasks for any website administrator. With Certbot, the entire process can be completed in just a few minutes, and automatic renewals ensure ongoing protection without manual intervention.

Whether you are running Apache, Nginx, WordPress, custom applications, or business websites, HTTPS should always be enabled. Let’s Encrypt provides a reliable, trusted, and completely free solution that secures communications, improves visitor trust, and helps meet modern security expectations.
