
How to Configure Let’s Encrypt on Linux Server (Guide 2026)

To configure Let’s Encrypt on a Linux server in 2026, install Certbot, open ports 80/443, and run a one-command installer for Apache or Nginx to fetch and apply a free SSL certificate. Verify HTTPS, enable auto‑renewal, and harden TLS settings. This guide covers step‑by‑step commands, wildcard SSL, and troubleshooting.

Securing your website with HTTPS is non‑negotiable. In this step‑by‑step guide, you’ll learn how to configure Let’s Encrypt on a Linux server using Certbot—the recommended ACME client—as of 2026. We’ll cover Apache, Nginx, wildcard SSL, auto‑renewal, firewall rules, security hardening, and real‑world troubleshooting learned from 12+ years managing production servers.

What You Need Before You Start (Quick Checklist)

Make sure the basics are in place so certificate issuance doesn’t fail mid‑way.

  • Root or sudo access to a Linux server (Ubuntu/Debian, AlmaLinux/Rocky/RHEL, or similar).
  • A registered domain pointing to your server’s public IP (A/AAAA records propagated).
  • Ports 80 (HTTP) and 443 (HTTPS) open in your firewall, security groups, and provider panel.
  • Web server installed (Apache or Nginx), unless you plan to use the standalone method, which needs no web server while the certificate is issued.
  • Optional: Control of DNS provider for DNS‑01 challenges (wildcard certificates).

Install Certbot (via Snap)

Let’s Encrypt recommends Certbot with Snap for most distributions. It keeps Certbot updated independent of the OS package manager.

Ubuntu/Debian (via Snap)

sudo apt update
sudo apt install -y snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot  # convenience symlink

RHEL, Rocky, AlmaLinux (via Snap)

sudo dnf install -y epel-release
sudo dnf install -y snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Verify Certbot

certbot --version

If Snap is not an option, use your distro package or Docker image for Certbot, but expect slower updates.

Open Firewall Ports 80 and 443

UFW (Ubuntu/Debian)

sudo ufw allow "Nginx Full"   # or "Apache Full"
sudo ufw status

firewalld (RHEL/Rocky/AlmaLinux)

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Get and Install a Let’s Encrypt Certificate

Use Certbot’s web server plugins for a one‑command issuance and configuration. Replace example.com with your domain.

Nginx (HTTP‑01, automatic config)

sudo certbot --nginx -d example.com -d www.example.com

Certbot edits Nginx server blocks, adds SSL directives, reloads Nginx, and configures HTTP→HTTPS redirection when you choose that option.

Apache (HTTP‑01, automatic config)

sudo certbot --apache -d example.com -d www.example.com

Certbot updates your virtual host files, enables the SSL module if needed, and reloads Apache. Choose to redirect HTTP to HTTPS when prompted.

Webroot (no web server reloads, great for CI/CD)

# Ensure your webroot is correct; files must be publicly served at /.well-known/acme-challenge/
sudo certbot certonly --webroot -w /var/www/example \
  -d example.com -d www.example.com

Point webroot to the directory serving your domain. You’ll then add SSL directives manually to your web server’s config using the issued paths.

Standalone (no running web server during issuance)

# Stop your web server so Certbot's built-in listener can bind port 80 for the HTTP-01 check
sudo systemctl stop nginx  # or apache2/httpd
sudo certbot certonly --standalone -d example.com
sudo systemctl start nginx

Standalone is perfect for first‑time issuance on new hosts or automated scripts where the web server isn’t ready yet.

Wildcard and Multi‑Domain SSL (DNS‑01 Challenge)

Wildcard certificates (*.example.com) require DNS‑01. You can solve it manually by adding TXT records, or automate via DNS plugins (Cloudflare, Route 53, DigitalOcean, etc.).

Manual DNS (works with any DNS provider)

sudo certbot certonly --manual --preferred-challenges dns \
  -d example.com -d '*.example.com'

Certbot prompts you to create TXT records at _acme-challenge. Wait for DNS propagation before pressing Enter. Renewals require repeating this unless automated.

Automated DNS (Cloudflare example)

# Install the plugin. With the Snap install each DNS plugin is its own snap; pip installs use pip.
# Example with Cloudflare:
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

# Create the credentials file with an API token scoped to DNS edit on this zone only.
# (echo leaves the token in your shell history; pasting it into the file with an editor avoids that)
echo "dns_cloudflare_api_token = <YOUR_TOKEN>" | sudo tee /root/.cloudflare.ini >/dev/null
sudo chmod 600 /root/.cloudflare.ini

# Issue wildcard:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini \
  -d example.com -d '*.example.com'

Use your provider’s corresponding Certbot DNS plugin. This enables fully automated renewals for wildcards.

Add/Confirm Web Server SSL Configuration

If you used the Nginx or Apache installer, most of this is done. For webroot/standalone, add these snippets with your domain and paths.

Nginx minimal secure snippet (TLS 1.2/1.3)

server {
  listen 443 ssl http2;   # nginx 1.25.1+ prefers "listen 443 ssl;" plus a separate "http2 on;"
  server_name example.com www.example.com;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  # HSTS: add only once every asset loads over HTTPS; browsers refuse plain HTTP for max-age seconds
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  root /var/www/example;
  index index.html index.php;
}

server {
  listen 80;
  server_name example.com www.example.com;
  # Let's Encrypt follows this redirect, so webroot renewals keep working as long as the
  # 443 block serves the same root; otherwise serve /.well-known/acme-challenge/ here first.
  return 301 https://$host$request_uri;
}

Apache minimal secure snippet

# Requires mod_ssl, mod_headers and mod_http2 (Debian/Ubuntu: sudo a2enmod ssl headers http2)
<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  # Same protocol floor as the Nginx snippet: TLS 1.2 and 1.3 only
  SSLProtocol -all +TLSv1.2 +TLSv1.3

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Protocols h2 http/1.1
</VirtualHost>

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  Redirect permanent / https://example.com/
</VirtualHost>

Reload your server after changes: sudo systemctl reload nginx, or sudo systemctl reload apache2 (Debian/Ubuntu) / sudo systemctl reload httpd (RHEL family).

Auto‑Renewal and Health Checks

Snap installs a systemd timer for Certbot (snap.certbot.renew.timer) that runs twice daily and renews any certificate with fewer than 30 days remaining. Confirm the timer exists and dry‑run a renewal.

# Confirm timer
systemctl list-timers | grep certbot

# Dry-run test
sudo certbot renew --dry-run

If you used the Nginx or Apache installer, Certbot reloads the web server for you after each renewal. For webroot or standalone setups nothing reloads the server, so add a deploy hook (or place an executable script in /etc/letsencrypt/renewal-hooks/deploy/, which runs for every certificate that renews):

sudo certbot renew --deploy-hook "systemctl reload nginx"

Monitor expiry via:

sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem

Verification and Testing

  • Browser test: Visit https://example.com and check the padlock.
  • CLI test: curl -I https://example.com should return HTTP/2 200 with a valid certificate chain.
  • Deep test: Run your domain through the SSL Labs Server Test and aim for grade A or A+.
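The timer check above confirms Certbot runs, and the browser/curl tests confirm HTTPS works today, but neither catches the classic failure where a renewal writes a fresh certificate that the web server never loads. Here is an added health‑check script (written for this article, not part of the original guide or of Certbot) that exits non‑zero when the certificate on disk is inside the 30‑day renewal window or when the certificate actually served on port 443 differs from it. It assumes the openssl CLI and Certbot’s /etc/letsencrypt/live/<name>/ layout; the hostname and path in the usage line are placeholders.

```shell
#!/bin/sh
# Added health check (not from the original guide): exits non-zero when the cert
# on disk is inside Certbot's 30-day renewal window, or when the cert presented
# on :443 differs from the one on disk (renewed but never reloaded).
# Assumes the openssl CLI and Certbot's /etc/letsencrypt/live/<name>/ layout.

# Return 0 if CERT_FILE stays valid for at least DAYS more days,
# 1 if it expires sooner, 2 if the file is missing or is not a certificate.
cert_valid_for_days() {
  cert_file=$1; days=$2
  [ -r "$cert_file" ] || return 2
  openssl x509 -noout -in "$cert_file" >/dev/null 2>&1 || return 2
  # -checkend N: exit 0 = still valid N seconds from now, exit 1 = will have expired
  if openssl x509 -noout -in "$cert_file" -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Return 0 if the certificate presented by HOST:443 (with SNI) has the same
# SHA-256 fingerprint as CERT_FILE, 1 on mismatch, 2 if either cannot be read.
served_cert_matches() {
  host=$1; cert_file=$2
  disk_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert_file" 2>/dev/null) || return 2
  live_fp=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 2
  [ -n "$live_fp" ] || return 2
  [ "$disk_fp" = "$live_fp" ]
}

# Usage: cert-health.sh example.com /etc/letsencrypt/live/example.com/cert.pem
if [ $# -eq 2 ]; then
  host=$1; cert=$2; status=0
  cert_valid_for_days "$cert" 30 || { echo "WARN: $cert expires within 30 days or is unreadable"; status=1; }
  served_cert_matches "$host" "$cert" || { echo "WARN: $host is not serving $cert (reload the web server?)"; status=1; }
  [ $status -eq 0 ] && echo "OK: $host certificate is healthy"
  exit $status
fi
```

Run it from cron or your monitoring agent; a non‑zero exit after the renewal timer has fired is the signal to look at /var/log/letsencrypt/ and your deploy hook.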

Troubleshooting Common Issues (2026)

  • Challenge failed (HTTP‑01): Ensure DNS A/AAAA points to this server. Confirm port 80 is open and not blocked by a proxy/WAF. Disable maintenance redirects for /.well-known/acme-challenge/.
  • IPv6 mismatch: Your AAAA record must point to the same server serving HTTP‑01. Otherwise, remove or correct it.
  • Cloudflare/CDN: For HTTP‑01, temporarily set DNS to “DNS only” (grey cloud) or use the DNS‑01 method instead.
  • Rate limits: Avoid repeated requests. Use the Let’s Encrypt staging endpoint (--dry-run or --test-cert) during testing.
  • File permissions: Private keys in /etc/letsencrypt/live/ should be root-owned. Don’t change to world‑readable.
  • Mixed content: Update site URLs, scripts, and images to HTTPS to prevent padlock warnings.
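Most of the HTTP‑01 failures above can be found before an issuance attempt counts against the rate limits. Here is an added pre‑flight script (written for this article, not part of the original guide or of Certbot) that does what the validator does: it drops a throwaway token under the webroot and fetches it over plain HTTP from every A and AAAA address the domain resolves to, so a stray AAAA record or a redirect on the ACME path shows up as a FAIL line. It assumes curl and getent are installed; the domain and webroot in the usage line are placeholders.

```shell
#!/bin/sh
# Added HTTP-01 pre-flight (not from the original guide): write a throwaway token
# under WEBROOT/.well-known/acme-challenge/ and fetch it over plain HTTP from each
# address the domain resolves to, the way the Let's Encrypt validator would.
# Assumes curl and getent; domain and webroot are placeholders supplied by the caller.

# Fetch http://DOMAIN/.well-known/acme-challenge/TOKEN, pinned to IP when given.
# -L follows redirects as the validator does, so a redirect to a working HTTPS
# root still passes while a redirect to a maintenance page fails. Prints the body.
fetch_token() {
  url="http://$1/.well-known/acme-challenge/$2"
  if [ -n "$3" ]; then
    case $3 in *:*) addr="[$3]" ;; *) addr=$3 ;; esac   # curl wants IPv6 literals bracketed
    curl -sSL --max-time 10 --resolve "$1:80:$addr" "$url"
  else
    curl -sSL --max-time 10 "$url"
  fi
}

# Return 0 if the token written to WEBROOT comes back unchanged from IP
# (or from whatever DNS gives when IP is empty), 1 otherwise. Always cleans up.
http01_probe() {
  domain=$1; webroot=$2; ip=$3
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s' "$token" > "$dir/$token"
  body=$(fetch_token "$domain" "$token" "$ip" 2>/dev/null)
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Probe every A and AAAA address: the validator may connect to any of them.
http01_preflight() {
  domain=$1; webroot=$2; failed=0
  addrs=$(getent ahosts "$domain" | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "FAIL $domain does not resolve"; return 1; }
  for ip in $addrs; do
    if http01_probe "$domain" "$webroot" "$ip"; then
      echo "OK   $ip serves the challenge for $domain"
    else
      echo "FAIL $ip does not serve the challenge for $domain"; failed=1
    fi
  done
  return $failed
}

# Usage: ./acme-preflight.sh example.com /var/www/example
if [ $# -eq 2 ]; then http01_preflight "$1" "$2"; fi
```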

Best Practices for Production

  • Enforce HTTPS and enable HSTS after confirming all assets work over HTTPS.
  • Keep Certbot updated (Snap refreshes automatically). Review renewal logs in /var/log/letsencrypt/.
  • Use DNS‑01 for wildcards and autoscale environments behind load balancers.
  • Store infrastructure‑as‑code: version your Nginx/Apache configs and renewal hooks.
  • Back up /etc/letsencrypt/ and your web server config. Never expose private keys publicly.

When to Consider a Paid SSL Instead

Let’s Encrypt provides domain‑validated SSL, perfect for most websites and apps. Consider a paid OV/EV certificate if you need organization validation, private trust chains, or strict vendor requirements (some legacy environments, embedded/IoT, or compliance frameworks). If you host with YouStable, our team can help you choose the right SSL and deploy it end‑to‑end.

Why Host with YouStable

On YouStable’s Linux VPS and Dedicated Servers, Let’s Encrypt is seamless: one‑click provisioning on supported stacks, optimized firewalls, HTTP/2/3 enabled, and 24/7 experts to troubleshoot renewals, DNS‑01 automation, or reverse proxy edge cases. Focus on growth while we keep your SSL fast, secure, and up‑to‑date.

FAQs: Configure Let’s Encrypt on Linux (2026)

Is Let’s Encrypt really free and secure?

Yes. Let’s Encrypt is a free, automated, and open certificate authority trusted by all major browsers. It issues domain‑validated certificates using the ACME protocol with robust security controls. The certificates are as cryptographically strong as paid DV certificates.

How do I auto‑renew Let’s Encrypt certificates?

When installed via Snap, Certbot sets a systemd timer to renew twice daily and reload your web server. Verify with systemctl list-timers | grep certbot and test sudo certbot renew --dry-run. For custom setups, add a deploy hook to reload Nginx/Apache after renewal.

What’s the difference between HTTP‑01 and DNS‑01 challenges?

HTTP‑01 proves control by serving a token over HTTP at your domain—simple and automatic for single hosts. DNS‑01 proves control by adding a TXT record—required for wildcards, multi‑region, or when HTTP is blocked. DNS‑01 can be fully automated using provider plugins.

How do I get a wildcard SSL certificate?

Use the DNS‑01 challenge: certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com', or automate with a DNS plugin (e.g., Cloudflare, Route 53). Point your DNS API token to Certbot and renewals run hands‑free.

Why does my HTTP‑01 challenge fail even though DNS looks correct?

Common causes include port 80 blocked by a firewall, AAAA (IPv6) pointing elsewhere, CDN proxies interfering, or rewrites redirecting ACME paths. Ensure /.well-known/acme-challenge/ is served without auth/redirects and that both A and AAAA records target your issuing server.

With these steps, you can confidently configure Let’s Encrypt on any Linux server and maintain strong, automated HTTPS in 2026 and beyond. If you’d like expert‑led setup and monitoring, YouStable’s engineers can handle it for you.

Mamta Goswami
