To configure TLS on a Linux server, install a certificate (e.g., Let\u2019s Encrypt via Certbot), enable HTTPS in your web server (Nginx or Apache), enforce TLS 1.3 with modern ciphers, set HSTS and OCSP stapling, redirect HTTP to HTTPS, open port 443, test with SSL Labs, and automate renewals.<\/p>\n\n\n\n
Transport Layer Security (TLS) encrypts data between your server and users\u2019 browsers, securing logins, payments, and APIs while boosting SEO. In this step-by-step guide, you\u2019ll learn how to configure TLS on Linux servers the right way\u2014covering Let\u2019s Encrypt, Nginx\/Apache configs, TLS 1.3 hardening, HSTS, OCSP stapling, testing, and automation.<\/p>\n\n\n\n
This guide is built from real-world hosting experience and SERP research. We\u2019ll use Certbot to issue certificates, then configure secure TLS for Nginx<\/a> or Apache, enforce HTTPS, and harden your setup for an A+ on SSL Labs. You\u2019ll also get troubleshooting tips, automation, and security best practices for 2026 and beyond.<\/p>\n\n\n\n Keep your system patched and ensure traffic to 80\/443 is allowed. Examples for Ubuntu\/Debian and RHEL family:<\/p>\n\n\n\n Let\u2019s Encrypt provides free, trusted TLS certificates. The recommended install method is via Snap (where available), which keeps Certbot updated. If Snap isn\u2019t an option, use your distro\u2019s package manager.<\/p>\n\n\n\n Certbot can configure your web server automatically (plugins) or just obtain a cert (standalone\/webroot). Use DNS records that already point to your server and ensure port 80 is reachable for HTTP validation.<\/p>\n\n\n\n Certbot will update Nginx to serve HTTPS and create a renewal task.<\/p>\n\n\n\n It will enable SSL<\/a>, update the virtual host, and configure redirects if you choose.<\/p>\n\n\n\n Cert files are stored under \/etc\/letsencrypt\/live\/your-domain\/ as fullchain.pem and privkey.pem.<\/p>\n\n\n\n Nginx offers excellent TLS performance. Here\u2019s a hardened server block for TLS 1.2\/1.3 with modern ciphers, OCSP stapling, HSTS, and redirects. Replace example.com and certificate paths accordingly.<\/p>\n\n\n\n Test and reload Nginx:<\/p>\n\n\n\n Apache\u2019s mod_ssl and HTTP\/2 (via mod_http2) provide robust TLS. Enable necessary modules and use a hardened virtual host.<\/p>\n\n\n\n Certbot installs a systemd timer or cron job automatically<\/a>. Verify and test renewal:<\/p>\n\n\n\n Validate your configuration locally and externally. Aim for an A+ on SSL Labs and ensure TLS 1.3 works.<\/p>\n\n\n\n Nginx 1.25+ supports HTTP\/3. This uses TLS 1.3 over QUIC (UDP) for faster page loads on modern browsers. You\u2019ll also need UDP\/443 open.<\/p>\n\n\n\n Note: 0-RTT in TLS 1.3 can improve performance but has replay risks. Enable only if you understand your application\u2019s idempotency.<\/p>\n\n\n\nPrerequisites and Checklist<\/strong><\/h2>\n\n\n\n
\n
Step 1: Update Server and Open Firewall<\/strong><\/h2>\n\n\n\n
# Ubuntu\/Debian\nsudo apt update && sudo apt -y upgrade\nsudo ufw allow 80\/tcp\nsudo ufw allow 443\/tcp\nsudo ufw enable # if not already enabled\n\n# RHEL\/AlmaLinux\/Rocky\nsudo dnf -y update\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --permanent --add-service=https\nsudo firewall-cmd --reload<\/code><\/pre>\n\n\n\nStep 2: Install Certbot (Let\u2019s Encrypt)<\/strong><\/h2>\n\n\n\n
Install Certbot via Snap (Ubuntu\/Debian)<\/strong><\/h3>\n\n\n\n
sudo apt -y update\nsudo apt -y install snapd\nsudo snap install core && sudo snap refresh core\nsudo snap install --classic certbot\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot<\/code><\/pre>\n\n\n\nInstall Certbot on RHEL\/AlmaLinux\/Rocky (Snap or DNF)<\/strong><\/h3>\n\n\n\n
# Using snapd\nsudo dnf -y install epel-release\nsudo dnf -y install snapd\nsudo systemctl enable --now snapd.socket\nsudo ln -s \/var\/lib\/snapd\/snap \/snap\nsudo snap install core && sudo snap refresh core\nsudo snap install --classic certbot\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot\n\n# or, if you prefer repo packages (may lag behind):\nsudo dnf -y install certbot<\/code><\/pre>\n\n\n\nStep 3: Issue a TLS Certificate<\/strong><\/h2>\n\n\n\n
Automatic for Nginx<\/strong><\/h3>\n\n\n\n
sudo certbot --nginx -d example.com -d www.example.com<\/code><\/pre>\n\n\n\nAutomatic for Apache<\/strong><\/h3>\n\n\n\n
sudo certbot --apache -d example.com -d www.example.com<\/code><\/pre>\n\n\n\nOptional: Use ECDSA Keys (Faster, Modern)<\/strong><\/h3>\n\n\n\n
# Issue ECDSA certificate (recommended in 2026)\nsudo certbot --nginx -d example.com --key-type ecdsa --elliptic-curve secp384r1<\/code><\/pre>\n\n\n\nStep 4: Configure TLS on Nginx (Secure Defaults)<\/strong><\/h2>\n\n\n\n
# \/etc\/nginx\/sites-available\/example.com.conf\nserver {\n listen 80;\n listen [::]:80;\n server_name example.com www.example.com;\n return 301 https:\/\/example.com$request_uri;\n}\n\nserver {\n listen 443 ssl http2; # Enable HTTP\/2\n listen [::]:443 ssl http2;\n server_name example.com www.example.com;\n\n ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\n ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\n ssl_trusted_certificate \/etc\/letsencrypt\/live\/example.com\/chain.pem;\n\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_prefer_server_ciphers off;\n\n # Modern cipher suites for TLS 1.2 (TLS 1.3 ciphers are implicit)\n ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\n ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\n ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';\n\n ssl_session_timeout 1d;\n ssl_session_cache shared:SSL:50m; # ~400k sessions\n ssl_session_tickets off;\n\n # OCSP stapling\n ssl_stapling on;\n ssl_stapling_verify on;\n resolver 1.1.1.1 1.0.0.1 valid=300s;\n resolver_timeout 5s;\n\n # Enable HSTS AFTER you confirm HTTPS works across your site\/subdomains\n add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n\n # Security headers (baseline)\n add_header X-Content-Type-Options nosniff;\n add_header X-Frame-Options SAMEORIGIN;\n add_header Referrer-Policy no-referrer-when-downgrade;\n\n root \/var\/www\/example.com\/public;\n index index.html index.htm index.php;\n\n location \/ {\n try_files $uri $uri\/ =404;\n }\n}<\/code><\/pre>\n\n\n\nsudo nginx -t && sudo systemctl reload nginx<\/code><\/pre>\n\n\n\nStep 5: Configure TLS on Apache (Secure Defaults)<\/strong><\/h2>\n\n\n\n
# Enable modules (Ubuntu\/Debian)\nsudo a2enmod ssl headers http2 rewrite\nsudo systemctl reload apache2\n\n# Virtual host: \/etc\/apache2\/sites-available\/example.com.conf\n<VirtualHost *:80>\n ServerName example.com\n ServerAlias www.example.com\n Redirect permanent \/ https:\/\/example.com\/\n<\/VirtualHost>\n\n<IfModule mod_ssl.c>\n<VirtualHost *:443>\n ServerName example.com\n ServerAlias www.example.com\n\n Protocols h2 http\/1.1\n SSLEngine on\n SSLCertificateFile \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n SSLCertificateKeyFile \/etc\/letsencrypt\/live\/example.com\/privkey.pem\n SSLCACertificateFile \/etc\/letsencrypt\/live\/example.com\/chain.pem\n\n SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n SSLHonorCipherOrder off\n SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\\\nECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\\\nECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305\n\n # OCSP stapling\n SSLUseStapling on\n SSLStaplingCache \"shmcb:\/var\/run\/ocsp(128000)\"\n\n # HSTS (enable after confirming HTTPS everywhere)\n Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n\n Header always set X-Content-Type-Options \"nosniff\"\n Header always set X-Frame-Options \"SAMEORIGIN\"\n Header always set Referrer-Policy \"no-referrer-when-downgrade\"\n\n DocumentRoot \/var\/www\/example.com\/public\n <Directory \/var\/www\/example.com\/public>\n AllowOverride All\n Require all granted\n <\/Directory>\n<\/VirtualHost>\n<\/IfModule>\n\n# Enable and reload\nsudo a2ensite example.com.conf\nsudo systemctl reload apache2<\/code><\/pre>\n\n\n\nStep 6: Auto-Renew TLS Certificates<\/strong><\/h2>\n\n\n\n
sudo systemctl list-timers | grep certbot\nsudo certbot renew --dry-run<\/code><\/pre>\n\n\n\nStep 7: Test, Validate, and Troubleshoot<\/strong><\/h2>\n\n\n\n
# Check TLS 1.3 connectivity\nopenssl s_client -connect example.com:443 -tls1_3 -servername example.com < \/dev\/null\n\n# Fetch HTTPS headers\ncurl -I https:\/\/example.com\n\n# Enumerate ciphers (requires nmap scripts)\nnmap --script ssl-enum-ciphers -p 443 example.com<\/code><\/pre>\n\n\n\n\n
Hardening Best Practices for 2026<\/strong><\/h2>\n\n\n\n
\n
Optional: HTTP\/3 (QUIC) Quick Start on Nginx<\/strong><\/h2>\n\n\n\n
server {\n listen 443 ssl http2;\n listen [::]:443 ssl http2;\n listen 443 quic reuseport; # HTTP\/3\n listen [::]:443 quic reuseport;\n\n add_header Alt-Svc 'h3=\":443\"; ma=2592000, h3-29=\":443\"; ma=2592000' always;\n add_header QUIC-Status $quic always;\n # ... (rest same as TLS config above)\n}<\/code><\/pre>\n\n\n\nCommon Mistakes and How to Fix Them<\/strong><\/h2>\n\n\n\n
\n
Performance Tips<\/strong><\/h2>\n\n\n\n
\n
Managed Option: Let YouStable Handle It<\/strong><\/h2>\n\n\n\n