How to Use Let’s Encrypt on Linux Server in 2026? – Expert Guide

To use Let’s Encrypt on a Linux server, install Certbot, point your domain to the server, open ports 80/443, then run the appropriate plugin (for example, certbot --nginx or certbot --apache) to obtain and install a free SSL/TLS certificate. Finally, verify automatic renewal so HTTPS stays active without manual work.

In this guide, you’ll learn how to use Let’s Encrypt on a Linux server end to end: installation, domain validation, issuing certificates for Nginx and Apache, wildcard SSL via DNS, auto-renewal, redirects, HSTS, and troubleshooting.

Whether you’re on Ubuntu, Debian, or RHEL-based distros, this beginner-friendly tutorial will get you to HTTPS quickly and correctly.

What is Let’s Encrypt and Why Use it?

Let’s Encrypt is a free, automated certificate authority (CA) that issues trusted SSL/TLS certificates using the ACME protocol (RFC 8555). Certificates are domain-validated, renew automatically, and work in all modern browsers.

Benefits include no cost, industry-standard security, automation with Certbot, and better SEO and conversion rates thanks to the padlock and HTTPS.

Prerequisites

  • A Linux server (Ubuntu/Debian, Rocky/AlmaLinux, RHEL, etc.) with sudo/root access
  • A registered domain with DNS A/AAAA records pointing to your server’s public IP
  • Open firewall ports: 80 (HTTP) and 443 (HTTPS)
  • Installed web server: Nginx or Apache (or use standalone mode)
  • Shell access to run commands

Tip: If you host with YouStable, Let’s Encrypt SSL is included and pre-integrated on managed plans, so most of these steps are handled for you. For unmanaged VPS and dedicated servers, follow the steps below.

Install Certbot

Certbot is the most popular ACME client. The Snap package is maintained upstream and receives timely updates.

Ubuntu/Debian

sudo apt update
sudo apt install -y snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Rocky/AlmaLinux/RHEL (Snap or DNF)

Option A: Snap (preferred for latest Certbot).

# Ensure EPEL and snapd are available (varies by distro/version)
sudo dnf install -y epel-release snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Option B: Native packages (stable, may lag in features).

sudo dnf install -y epel-release
# For Nginx:
sudo dnf install -y certbot python3-certbot-nginx
# For Apache:
sudo dnf install -y certbot python3-certbot-apache

Point DNS and Open Firewall

  • Set DNS A/AAAA for example.com and www.example.com to your server’s IP.
  • Allow HTTP and HTTPS:
    • UFW: sudo ufw allow 80,443/tcp && sudo ufw reload
    • firewalld: sudo firewall-cmd --permanent --add-service=http --add-service=https && sudo firewall-cmd --reload

Issue and Install a Certificate

Nginx (Automatic Configuration)

This method edits Nginx for you, adds HTTPS blocks, and can enable HTTP->HTTPS redirects.

sudo certbot --nginx -d example.com -d www.example.com

When prompted, choose the redirect option to force HTTPS. Certbot will place certificates under /etc/letsencrypt/ and reload Nginx.

Apache (Automatic Configuration)

For Apache, the plugin updates your virtual hosts, enables SSL, and can add redirects.

sudo certbot --apache -d example.com -d www.example.com

Webroot Mode (Keep Full Control of Config)

Use webroot when you manage server blocks manually or run behind a reverse proxy. Certbot drops a challenge file into /.well-known/acme-challenge/ inside your webroot.

# Replace the webroot path with your site's document root
sudo certbot certonly --webroot -w /var/www/html \
  -d example.com -d www.example.com

Wire your config to the certificate paths:

# Nginx snippet
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Standalone Mode (No Web Server Running)

Standalone spins up a temporary server for validation. Ensure nothing is listening on port 80/443 during issuance.

sudo systemctl stop nginx || true
sudo certbot certonly --standalone -d example.com -d www.example.com
sudo systemctl start nginx

Wildcard Certificates via DNS-01 Challenge

Use DNS validation for *.example.com or when HTTP validation is blocked by proxies/CDNs. With Snap, install the DNS plugin for your provider (example: Cloudflare).

# Install the Cloudflare plugin
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

# Create API credentials (the file must be readable only by you)
mkdir -p ~/.secrets
nano ~/.secrets/cloudflare.ini
# Add:
# dns_cloudflare_api_token = <YOUR_TOKEN>
chmod 600 ~/.secrets/cloudflare.ini

# Issue wildcard + apex (certonly: the DNS plugin only authenticates, it does not install)
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d example.com -d '*.example.com'

Certbot will publish and verify TXT records automatically, then fetch your wildcard certificate.

Set Up Auto-Renewal (Hands-Off HTTPS)

Let’s Encrypt certificates are valid for 90 days. Certbot installs a systemd timer (Snap) or cron job (packages) to renew around day 60. Verify it’s working and test a dry run.

# Check timer (Snap installs this automatically)
systemctl list-timers | grep certbot

# Test renewal without waiting
sudo certbot renew --dry-run

If you need to reload services after renewal, add a deploy hook:

sudo certbot renew --deploy-hook "systemctl reload nginx"

On package-based installs without systemd timers, add a cron entry (run crontab -e):

0 3 * * * certbot -q renew --deploy-hook "systemctl reload nginx"
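The deploy hook above simply reloads Nginx. A hook can also refuse to reload until the renewed files look sane, which doubles as the private-key permission check the Backups bullet below asks for. The script that follows is an added example and is not from the article or the Certbot project: Certbot really does export RENEWED_LINEAGE (for example /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS to deploy hooks, while RELOAD_CMD and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the Certbot project: a deploy hook that refuses
# to reload the web server unless the renewed lineage looks sane. Certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS to
# deploy hooks; RELOAD_CMD and the function names are this example's own.

# Command run after a successful check; overridable so the script can be exercised without systemd.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Return 0 if $1 exists, is non-empty and its "other" permission bits are all clear.
# ls -L follows the live/ symlinks into archive/; ls is used instead of stat for portability.
not_world_accessible() {
  f="$1"
  [ -s "$f" ] || return 1
  others=$(ls -lLd "$f" | cut -c8-10)
  [ "$others" = "---" ]
}

# Validate a lineage directory: both files present and the private key not exposed to other users.
check_lineage() {
  lineage="$1"
  [ -d "$lineage" ] || { echo "lineage directory missing: $lineage" >&2; return 1; }
  [ -s "$lineage/fullchain.pem" ] || { echo "fullchain.pem missing or empty in $lineage" >&2; return 1; }
  not_world_accessible "$lineage/privkey.pem" || {
    echo "privkey.pem missing, empty or readable by others in $lineage" >&2; return 1; }
}

# Entry point Certbot calls: validate first, then reload.
deploy_hook() {
  check_lineage "${RENEWED_LINEAGE:?RENEWED_LINEAGE is not set}" || return 1
  echo "renewed ${RENEWED_DOMAINS:-<unknown>}; running: $RELOAD_CMD"
  $RELOAD_CMD
}

# Run only when invoked by Certbot (RENEWED_LINEAGE set); sourcing the file for tests is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_hook
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and Certbot runs it after every successful renewal, so neither the renew command nor the cron line needs a --deploy-hook argument. A failing check leaves the old certificate serving and logs the reason, which is the behaviour you want when a key file has ended up world-readable after a restore from backup.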

Force HTTPS, HSTS, and Modern TLS

Redirect all HTTP traffic to HTTPS. Certbot can add this automatically; otherwise, configure manually.

# Nginx HTTP -> HTTPS redirect
server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://$host$request_uri;
}

Enable HSTS to enforce HTTPS in browsers (be sure your site is fully HTTPS-ready first):

# Inside your HTTPS server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Optional hardening for Nginx: OCSP stapling (the resolver lines are needed for it to work) alongside a modern protocol and cipher configuration in the same HTTPS server block. Note that Let’s Encrypt stopped including OCSP URLs in its certificates in 2025, so stapling has no effect for new Let’s Encrypt certificates; it remains relevant for certificates from CAs that still run OCSP.

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

Real-World Scenarios and Best Practices

  • Reverse proxy/load balancer: Use webroot on each node with a shared path, or prefer DNS-01 to avoid per-node challenges.
  • Behind Cloudflare (orange cloud): HTTP-01 can fail. Switch record to DNS-only during issuance, or use DNS-01 with a Cloudflare plugin.
  • Docker: Run Certbot in a dedicated container with a volume for /etc/letsencrypt; use webroot mode to validate through your app container.
  • Staging/production: Use separate hostnames. Don’t add the HSTS preload directive (or submit to the preload list) until you’re sure every host, staging included, is fully HTTPS-ready.
  • Backups: Securely back up /etc/letsencrypt (keys and certs). Protect private keys with correct permissions.

Troubleshooting Common Errors

  • Connection refused/timeout: Ensure ports 80/443 are open. Check UFW/firewalld/security groups.
  • Wrong IP in DNS: Confirm A/AAAA records match your server’s public IP and TTL has propagated.
  • Webroot 404 on challenge: Verify the /.well-known/acme-challenge/ path is served by your site’s root and not blocked by rewrites.
  • SELinux blocks: On RHEL-based distros, ensure the webroot has proper contexts or use the Nginx/Apache plugin.
  • Rate limits: Let’s Encrypt limits issuance per domain. Consolidate SANs on one certificate and avoid repeated reissues.
  • Conflicts on port 80: Stop other services or use your web server’s plugin instead of standalone mode.

Verify Your HTTPS

  • Browser padlock: Visit https://example.com in an incognito window.
  • CLI check: curl -I https://example.com

You should see a 200, or a 301/302 pointing to the HTTPS URL, and valid certificate details in your browser’s developer tools.
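A repeatable check beats eyeballing curl output. The script below is an added example (not part of the article) that turns the redirect and HSTS expectations from the previous sections into pass/fail tests: it parses raw header blocks of the kind curl -I prints and verifies that the plain-HTTP response redirects to an https:// URL and that the HTTPS response carries Strict-Transport-Security with a max-age of at least one year. The function names, MIN_HSTS_AGE and the sample responses are this example's own; the samples are constructed, and check_live is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not part of the article: a post-deployment check for the redirect and
# HSTS settings described above. Function names, MIN_HSTS_AGE and the sample responses
# are this example's own; the samples are constructed to look like `curl -sI` output.

# Smallest HSTS max-age the check accepts: one year, matching the article's add_header line.
MIN_HSTS_AGE=31536000

# Print the numeric status code from the first line of a raw header block
# ("HTTP/1.1 301 Moved Permanently" or "HTTP/2 200").
http_status() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Print the value of header $2 from header block $1 (names compared case-insensitively,
# because HTTP/2 responses from curl show lowercase names). Prints nothing if absent.
header_value() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | tr -d '\r' | awk -v name="$want" -F': ' '
    tolower($1) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 when a plain-HTTP response is a redirect whose Location is an https:// URL.
redirects_to_https() {
  case "$(http_status "$1")" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$(header_value "$1" Location)" in https://*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when the HTTPS response carries Strict-Transport-Security with max-age >= MIN_HSTS_AGE.
hsts_ok() {
  v=$(header_value "$1" Strict-Transport-Security)
  [ -n "$v" ] || return 1
  age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ]
}

# Fetch both endpoints for a hostname and run the checks (needs network; not used by the samples below).
check_live() {
  host="$1"
  redirects_to_https "$(curl -sI "http://$host")" || { echo "FAIL: http://$host does not redirect to HTTPS"; return 1; }
  hsts_ok "$(curl -sI "https://$host")" || { echo "FAIL: https://$host lacks a strong HSTS header"; return 1; }
  echo "PASS: $host"
}

# Constructed sample responses, shaped like curl -sI output for a correctly configured site.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/
Content-Length: 0'

HTTPS_RESPONSE='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html'

redirects_to_https "$HTTP_RESPONSE" && echo "sample HTTP response: redirect to HTTPS OK"
hsts_ok "$HTTPS_RESPONSE" && echo "sample HTTPS response: HSTS OK"
```

Call check_live example.com after issuance and again after the first real renewal; a redirect that points at http:// or an HSTS max-age of a few minutes (a common leftover from testing) both fail the check rather than showing a padlock that hides a weak configuration.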

Why Consider YouStable for SSL-Ready Hosting

At YouStable, our Linux hosting, managed VPS, and dedicated solutions include free Let’s Encrypt SSL, automated provisioning, and 24×7 support. If you prefer to focus on your app while we handle certificates, renewals, redirects, and hardening, our team can manage the entire HTTPS lifecycle for you.

FAQs – Let’s Encrypt on Linux Server

Is Let’s Encrypt really free and trusted by browsers?

Yes. Let’s Encrypt is a free, publicly trusted CA whose certificates are recognized by all major browsers and operating systems. They’re domain-validated (DV) and ideal for websites, APIs, and microservices that need secure HTTPS.

Should I use Certbot with Nginx or Apache on Ubuntu?

Yes. The simplest path is certbot --nginx or certbot --apache. Certbot will request the certificate, edit your config, enable HTTPS, and optionally add an HTTP->HTTPS redirect automatically.

How do I auto-renew Let’s Encrypt certificates?

Certbot installs a systemd timer or cron entry that renews the certificate around day 60 of its 90-day lifetime. Verify with sudo certbot renew --dry-run. If your app needs a reload after renewal, add a deploy hook like --deploy-hook "systemctl reload nginx".

Can I get a wildcard certificate (e.g., *.example.com)?

Yes, use the DNS-01 challenge. Install a DNS plugin for your provider (for example, certbot-dns-cloudflare) and run Certbot with your API credentials to issue both the apex and wildcard domains in one certificate.

Why does HTTP validation fail behind Cloudflare or a load balancer?

For HTTP-01, the ACME validation servers must reach your server on port 80/443, and proxies and CDNs can interfere. Temporarily set the record to “DNS only” (no proxy) during issuance, forward /.well-known/acme-challenge/ correctly, or switch to DNS-01, which doesn’t rely on HTTP routing.

Sanjeet Chauhan
