To configure Let\u2019s Encrypt on a Linux server in 2026, install Certbot, open ports 80\/443, and run a one-command installer for Apache or Nginx to fetch and apply a free SSL certificate. Verify HTTPS, enable auto\u2011renewal, and harden TLS settings. This guide covers step\u2011by\u2011step commands, wildcard SSL, and troubleshooting.<\/p>\n\n\n\n
Securing your website with HTTPS is non\u2011negotiable. In this step\u2011by\u2011step guide, you\u2019ll learn how to configure Let\u2019s Encrypt on Linux server using Certbot\u2014the recommended ACME client\u2014as of 2026. We\u2019ll cover Apache, Nginx, wildcard SSL, auto\u2011renewal, firewall rules, security hardening, and real\u2011world troubleshooting learned from 12+ years managing production servers.<\/p>\n\n\n\n
Make sure the basics are in place so certificate issuance doesn\u2019t fail mid\u2011way.<\/p>\n\n\n\n
Let\u2019s Encrypt recommends Certbot with Snap for most distributions. It keeps Certbot updated independent of the OS package manager.<\/p>\n\n\n\n
sudo apt update\nsudo apt install -y snapd\nsudo snap install core\nsudo snap refresh core\nsudo snap install --classic certbot\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot # convenience symlink<\/code><\/pre>\n\n\n\nRHEL, Rocky, AlmaLinux (via Snap)<\/strong><\/h3>\n\n\n\nsudo dnf install -y epel-release\nsudo dnf install -y snapd\nsudo systemctl enable --now snapd.socket\nsudo ln -s \/var\/lib\/snapd\/snap \/snap\nsudo snap install core\nsudo snap install --classic certbot\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot<\/code><\/pre>\n\n\n\nVerify Certbot<\/strong><\/h3>\n\n\n\ncertbot --version<\/code><\/pre>\n\n\n\nIf Snap is not an option, use your distro package or Docker image for Certbot, but expect slower updates.<\/p>\n\n\n\n
Open Firewall Ports 80 and 443<\/strong><\/h2>\n\n\n\nUFW (Ubuntu\/Debian)<\/strong><\/h3>\n\n\n\nsudo ufw allow \"Nginx Full\" # or \"Apache Full\"\nsudo ufw status<\/code><\/pre>\n\n\n\nfirewalld (RHEL\/Rocky\/AlmaLinux)<\/strong><\/h3>\n\n\n\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --permanent --add-service=https\nsudo firewall-cmd --reload\nsudo firewall-cmd --list-all<\/code><\/pre>\n\n\n\nGet and Install a Let\u2019s Encrypt Certificate<\/strong><\/h2>\n\n\n\nUse Certbot\u2019s web server plugins for a one\u2011command issuance and configuration. Replace example.com with your domain.<\/p>\n\n\n\n
Nginx (HTTP\u201101, automatic config)<\/strong><\/h3>\n\n\n\nsudo certbot --nginx -d example.com -d www.example.com<\/code><\/pre>\n\n\n\nCertbot edits Nginx server blocks, adds SSL directives, reloads Nginx, and configures HTTP\u2192HTTPS redirection when you choose that option.<\/p>\n\n\n\n
Apache (HTTP\u201101, automatic config)<\/strong><\/h3>\n\n\n\nsudo certbot --apache -d example.com -d www.example.com<\/code><\/pre>\n\n\n\nCertbot updates your virtual host files, enables the SSL module<\/a> if needed, and reloads Apache. Choose to redirect HTTP to HTTPS when prompted.<\/p>\n\n\n\nWebroot (no web server reloads, great for CI\/CD)<\/strong><\/h3>\n\n\n\n# Ensure your webroot is correct; files must be publicly served at \/.well-known\/acme-challenge\/\nsudo certbot certonly --webroot -w \/var\/www\/example \\\n -d example.com -d www.example.com<\/code><\/pre>\n\n\n\nPoint webroot to the directory serving your domain. You\u2019ll then add SSL directives manually to your web server\u2019s config using the issued paths.<\/p>\n\n\n\n
Standalone (no running web server during issuance)<\/strong><\/h3>\n\n\n\n# Stop your web server to free port 80\/443 temporarily\nsudo systemctl stop nginx # or apache2\/httpd\nsudo certbot certonly --standalone -d example.com\nsudo systemctl start nginx<\/code><\/pre>\n\n\n\nStandalone is perfect for first\u2011time issuance on new hosts or automated scripts where the web server isn\u2019t ready yet.<\/p>\n\n\n\n
Wildcard and Multi\u2011Domain SSL (DNS\u201101 Challenge)<\/strong><\/h2>\n\n\n\nWildcard certificates (*.example.com) require DNS\u201101. You can solve it manually by adding TXT records, or automate via DNS plugins (Cloudflare, Route 53, DigitalOcean, etc.).<\/p>\n\n\n\n
Manual DNS (works with any DNS provider)<\/strong><\/h3>\n\n\n\nsudo certbot certonly --manual --preferred-challenges dns \\\n -d example.com -d '*.example.com'<\/code><\/pre>\n\n\n\nCertbot prompts you to create TXT records at _acme-challenge. Wait for DNS propagation<\/a> before pressing Enter. Renewals require repeating this unless automated.<\/p>\n\n\n\nAutomated DNS (Cloudflare example)<\/strong><\/h3>\n\n\n\n# Install the plugin (Snap auto-includes many; otherwise use pip)\n# Example with Cloudflare:\nsudo snap set certbot trust-plugin-with-root=ok\nsudo snap install certbot-dns-cloudflare\n\n# Create API credentials file with limited DNS edit scope:\necho \"dns_cloudflare_api_token = <YOUR_TOKEN>\" | sudo tee \/root\/.cloudflare.ini >\/dev\/null\nsudo chmod 600 \/root\/.cloudflare.ini\n\n# Issue wildcard:\nsudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials \/root\/.cloudflare.ini \\\n -d example.com -d '*.example.com'<\/code><\/pre>\n\n\n\nUse your provider\u2019s corresponding Certbot DNS plugin. This enables fully automated renewals for wildcards.<\/p>\n\n\n\n
Add\/Confirm Web Server SSL Configuration<\/strong><\/h2>\n\n\n\nIf you used the Nginx or Apache installer,<\/a> most of this is done. For webroot\/standalone, add these snippets with your domain and paths.<\/p>\n\n\n\nNginx minimal secure snippet (TLS 1.2\/1.3)<\/strong><\/h3>\n\n\n\nserver {\n listen 443 ssl http2;\n server_name example.com www.example.com;\n\n ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\n ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\n\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_prefer_server_ciphers off;\n ssl_session_cache shared:SSL:10m;\n add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n\n root \/var\/www\/example;\n index index.html index.php;\n}\n\nserver {\n listen 80;\n server_name example.com www.example.com;\n return 301 https:\/\/$host$request_uri;\n}<\/code><\/pre>\n\n\n\nApache minimal secure snippet<\/strong><\/h3>\n\n\n\n<VirtualHost *:443>\n ServerName example.com\n ServerAlias www.example.com\n DocumentRoot \/var\/www\/example\n\n SSLEngine on\n SSLCertificateFile \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n SSLCertificateKeyFile \/etc\/letsencrypt\/live\/example.com\/privkey.pem\n\n Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains\"\n Protocols h2 http\/1.1\n<\/VirtualHost>\n\n<VirtualHost *:80>\n ServerName example.com\n ServerAlias www.example.com\n Redirect permanent \/ https:\/\/example.com\/\n<\/VirtualHost><\/code><\/pre>\n\n\n\nReload your server after changes: sudo systemctl reload nginx<\/code> or sudo systemctl reload apache2\/httpd<\/code>.<\/p>\n\n\n\nAuto\u2011Renewal and Health Checks<\/strong><\/h2>\n\n\n\nSnap installs a systemd timer for Certbot that checks twice daily and renews when 30 days remain. Confirm timers and dry\u2011run renewals.<\/p>\n\n\n\n
# Confirm timer\nsystemctl list-timers | grep certbot\n\n# Dry-run test\nsudo certbot renew --dry-run<\/code><\/pre>\n\n\n\nThe web server is reloaded automatically by installer hooks. For custom setups, add a deploy hook:<\/p>\n\n\n\n
sudo certbot renew --deploy-hook \"systemctl reload nginx\"<\/code><\/pre>\n\n\n\nMonitor expiry via:<\/p>\n\n\n\n
sudo openssl x509 -enddate -noout -in \/etc\/letsencrypt\/live\/example.com\/cert.pem<\/code><\/pre>\n\n\n\nVerification and Testing<\/strong><\/h2>\n\n\n\n\n- Browser test: Visit https:\/\/example.com and check the padlock.<\/li>\n\n\n\n
- CLI test:
curl -I https:\/\/example.com<\/code> should return HTTP\/2 200 with a valid certificate chain.<\/li>\n\n\n\n- Deep test: Run your domain on SSL Labs Server Test for grade A or A+.<\/li>\n<\/ul>\n\n\n\n
Troubleshooting Common Issues (2026)<\/strong><\/h2>\n\n\n\n\n- Challenge failed (HTTP\u201101): Ensure DNS A\/AAAA points to this server. Confirm port 80 is open and not blocked by a proxy\/WAF. Disable maintenance redirects for
\/.well-known\/acme-challenge\/<\/code>.<\/li>\n\n\n\n- IPv6 mismatch: Your AAAA record must point to the same server serving HTTP\u201101. Otherwise, remove or correct it.<\/li>\n\n\n\n
- Cloudflare\/CDN: For HTTP\u201101, temporarily set DNS to \u201cDNS only\u201d (grey cloud) or use the DNS\u201101 method instead.<\/li>\n\n\n\n
- Rate limits: Avoid repeated requests. Use the Let\u2019s Encrypt staging endpoint (
--dry-run<\/code> or --test-cert<\/code>) during testing.<\/li>\n\n\n\n- File permissions: Private keys in
\/etc\/letsencrypt\/live\/<\/code> should be root-owned. Don\u2019t change to world\u2011readable.<\/li>\n\n\n\n- Mixed content: Update site URLs, scripts, and images to HTTPS<\/a> to prevent padlock warnings.<\/li>\n<\/ul>\n\n\n\n
Best Practices for Production<\/strong><\/h2>\n\n\n\n\n- Enforce HTTPS and enable HSTS after confirming all assets work over HTTPS.<\/li>\n\n\n\n
- Keep Certbot updated (Snap refreshes automatically). Review renewal logs in
\/var\/log\/letsencrypt\/<\/code>.<\/li>\n\n\n\n- Use DNS\u201101 for wildcards and autoscale environments behind load balancers.<\/li>\n\n\n\n
- Store infrastructure\u2011as\u2011code: version your Nginx\/Apache configs and renewal hooks.<\/li>\n\n\n\n
- Back up
\/etc\/letsencrypt\/<\/code> and your web server config. Never expose private keys publicly.<\/li>\n<\/ul>\n\n\n\nWhen to Consider a Paid SSL Instead<\/strong><\/h2>\n\n\n\nLet\u2019s Encrypt provides domain\u2011validated SSL, perfect for most websites and apps. Consider a paid OV\/EV certificate if you need organization validation, private trust chains, or strict vendor requirements (some legacy environments, embedded\/IoT, or compliance frameworks). If you host with YouStable, our team can help you choose the right SSL and deploy it end\u2011to\u2011end.<\/p>\n\n\n\n
Why Host with YouStable<\/strong><\/h2>\n\n\n\nOn YouStable\u2019s Linux VPS and Dedicated Servers, Let\u2019s Encrypt is seamless: one\u2011click provisioning on supported stacks, optimized firewalls, HTTP\/2\/3 enabled, and 24\/7 experts to troubleshoot renewals, DNS\u201101 automation, or reverse proxy edge cases. Focus on growth while we keep your SSL fast, secure<\/a>, and up\u2011to\u2011date.<\/p>\n\n\n\nFAQs: Configure Let\u2019s Encrypt on Linux (2026)<\/strong><\/h2>\n\n\n\t\t\n\t\t\t\tIs Let\u2019s Encrypt really free and secure?<\/h3>\t\t\t\t