Why Your VPS Needs an SSL Certificate
An SSL certificate encrypts communication between your website and its visitors. This protects sensitive information such as login credentials, contact form submissions, payment details, and customer data from interception.
Modern web browsers also display security warnings on websites that do not use HTTPS, which can negatively affect user trust and search engine rankings.
Fortunately, Let’s Encrypt provides free SSL certificates that can be installed on virtually any Linux VPS.
What Is Let’s Encrypt?
Let’s Encrypt is a free and automated Certificate Authority (CA) operated by the Internet Security Research Group (ISRG).
It allows website owners to obtain trusted SSL/TLS certificates without purchasing commercial certificates.
Benefits of Let’s Encrypt include:
- Completely free
- Trusted by all major browsers
- Automated issuance and renewal
- Supports wildcard certificates
- Widely supported across Linux distributions
What Is Certbot?
Certbot is the official client used to communicate with Let’s Encrypt.
Certbot can:
- Request SSL certificates
- Verify domain ownership
- Configure web servers automatically
- Renew certificates automatically
Using Certbot significantly simplifies SSL management on a VPS.
Prerequisites
Before installing an SSL certificate, ensure the following requirements are met:
Domain Name
You must own a domain name or subdomain.
Examples:
example.com
www.example.com
server.example.com
DNS Configuration
The domain must point to your VPS using an A record or AAAA record.
Example:
example.com → 192.0.2.10
Verify DNS propagation:
dig example.com
or
nslookup example.com
Running Web Server
Your VPS should already have a web server installed:
- Apache
- Nginx
The website should be publicly accessible before certificate validation begins.
Firewall Configuration
Allow HTTP and HTTPS traffic. On systems using firewalld:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
For Ubuntu systems using UFW:
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload
Installing Certbot on Ubuntu and Debian
Apache
Update repositories:
apt update
Install Certbot:
apt install certbot python3-certbot-apache -y
Nginx
apt update
apt install certbot python3-certbot-nginx -y
Verify installation:
certbot --version
Installing Certbot on AlmaLinux, Rocky Linux, and RHEL
Enable EPEL Repository
dnf install epel-release -y
Apache
dnf install certbot python3-certbot-apache -y
Nginx
dnf install certbot python3-certbot-nginx -y
Verify installation:
certbot --version
Requesting an SSL Certificate
Apache Installation
Run:
certbot --apache
Nginx Installation
Run:
certbot --nginx
Certbot will prompt you for:
- Email address
- Terms of Service acceptance
- Domain selection
- HTTP to HTTPS redirection
Choose automatic redirection when prompted.
Example:
Redirect all HTTP traffic to HTTPS: Yes
Certbot will then verify ownership and install the certificate automatically.
Certificate Storage Locations
After successful installation, certificates are stored under:
/etc/letsencrypt/live/example.com/
Important files:
fullchain.pem
Contains:
- Server certificate
- Intermediate certificates
privkey.pem
Contains:
- Private key
Protect the private key and never share it publicly.
Manual Apache SSL Configuration
If automatic configuration fails, edit your Apache Virtual Host.
Example:
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
Test configuration:
apachectl configtest
Restart Apache:
systemctl restart apache2
Or on AlmaLinux:
systemctl restart httpd
Manual Nginx SSL Configuration
Example Nginx Server Block:
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/html;
}
Test configuration:
nginx -t
Restart Nginx:
systemctl restart nginx
Force HTTPS Redirection
Apache
Add to your Virtual Host:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
Nginx
Add:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
This ensures all traffic uses encrypted HTTPS connections.
Testing Your SSL Certificate
Open your website:
https://example.com
Check for:
- Padlock icon
- No browser warnings
You can also inspect the certificate:
openssl s_client -connect example.com:443
Or use online SSL analyzers to verify:
- Certificate validity
- Supported protocols
- Security rating
Automatic Certificate Renewal
Let’s Encrypt certificates expire after 90 days.
Certbot automatically renews certificates before expiration.
Test renewal:
certbot renew --dry-run
Successful output indicates automatic renewal is working correctly.
Cron-Based Renewal
Create a cron task:
crontab -e
Add:
0 3 * * * certbot renew --quiet
This checks daily at 3:00 AM.
Systemd Timer
Many modern Linux distributions automatically install a Certbot timer.
Check status:
systemctl list-timers | grep certbot
Verify service:
systemctl status certbot.timer
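A scheduled timer or cron entry only shows that renewal is attempted, not that it succeeded, so it helps to check the certificate files themselves. The script below is an added example, not part of the original guide; it relies on openssl x509 -checkend, and the function names cert_status and check_live_dir and the 21-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the
# 21-day default threshold are assumptions.

# cert_status PEM_FILE [WARN_DAYS]
# Prints OK, EXPIRING, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
# fullchain.pem holds several certificates; openssl x509 reads the first,
# which is the server certificate.
cert_status() {
    pem=$1
    warn_days=${2:-21}
    # Anything that does not parse as an X.509 certificate is reported as such.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$pem" -noout \
         -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK; return 0
}

# check_live_dir [LIVE_DIR] [WARN_DAYS]
# Reports every certificate lineage under LIVE_DIR and returns the worst code.
check_live_dir() {
    live=${1:-/etc/letsencrypt/live}
    worst=0
    for chain in "$live"/*/fullchain.pem; do
        [ -e "$chain" ] || continue      # the glob matched nothing
        state=$(cert_status "$chain" "${2:-21}") && rc=0 || rc=$?
        echo "$(basename "$(dirname "$chain")"): $state"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

Source the file and call check_live_dir from a monitoring job, alerting on a non-zero return code; it needs read access to /etc/letsencrypt/live, which normally means running as root.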
Generating Wildcard Certificates
Wildcard certificates secure all subdomains.
Example:
*.example.com
Requires DNS validation:
certbot certonly \
--manual \
--preferred-challenges dns \
-d example.com \
-d '*.example.com'
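Certbot will provide DNS TXT records that must be added before validation can complete. Certificates issued with --manual are not renewed automatically unless you supply an authentication hook script (--manual-auth-hook) or use a DNS plugin for your provider.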
Troubleshooting Common Problems
Domain Validation Failed
Verify DNS:
dig example.com
Ensure:
- Correct IP address
- Proper DNS propagation
Firewall Blocking Validation
Check open ports:
ss -tulpn | grep ':80'
Ensure ports 80 and 443 are reachable externally.
Web Server Configuration Errors
Apache:
apachectl configtest
Nginx:
nginx -t
Correct any configuration issues before retrying Certbot.
Certificate Renewal Failures
Review logs:
journalctl -u certbot
Or:
cat /var/log/letsencrypt/letsencrypt.log
Security Best Practices
After installing SSL:
- Force HTTPS redirects
- Disable weak SSL protocols
- Use modern TLS versions (TLS 1.2 and TLS 1.3)
- Enable HSTS headers
- Keep Certbot updated
- Monitor certificate expiration dates
These steps improve both security and browser compatibility.
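The manual Nginx server block shown earlier sets neither a protocol list nor an HSTS header, so two of the items above are easy to miss. The script below is an added example, not part of the original guide: it checks a single Nginx file for weak entries in ssl_protocols and for a missing Strict-Transport-Security header, and writes a constructed hardened block for comparison. The function names, file names and max-age value are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Scans ONE file and does not
# follow include directives; function names are assumptions.
# audit_tls_conf FILE: print one finding per line, return the finding count.
audit_tls_conf() {
    conf=$1
    findings=0
    # Drop comments, then list every token of each ssl_protocols directive.
    protos=$(sed 's/#.*//' "$conf" | awk '$1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); print $i } }')
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set (version-dependent default applies)"
        findings=$((findings + 1))
    fi
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "weak protocol enabled: $p"
                findings=$((findings + 1)) ;;
        esac
    done
    if ! sed 's/#.*//' "$conf" |
         grep -qi 'add_header[[:space:]][[:space:]]*Strict-Transport-Security'; then
        echo "HSTS header missing"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples written into directory $1:
#   hardened.conf  the guide's manual server block plus TLS 1.2/1.3 only and HSTS
#   manual.conf    the same block without those two directives (as in the guide)
write_samples() {
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /var/www/html;
}
EOF
    grep -v -e ssl_protocols -e Strict-Transport-Security \
        "$1/hardened.conf" > "$1/manual.conf"
}
```

HSTS tells browsers to refuse plain HTTP for max-age seconds, so send a long value only once renewal is proven to work.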
Final Thoughts
Installing a Let’s Encrypt SSL certificate on a VPS is one of the most important security tasks for any website administrator. With Certbot, the entire process can be completed in just a few minutes, and automatic renewals ensure ongoing protection without manual intervention.
Whether you are running Apache, Nginx, WordPress, custom applications, or business websites, HTTPS should always be enabled. Let’s Encrypt provides a reliable, trusted, and completely free solution that secures communications, improves visitor trust, and helps meet modern security expectations.
