
Let’s Encrypt on Nginx: Free SSL with Auto-Renew (2025)
In 2025, HTTPS is no longer optional. Browsers flag HTTP as insecure, SEO rankings drop without TLS, and modern APIs often require encrypted transport. Fortunately, Let’s Encrypt makes it easy to deploy free SSL certificates on your Nginx web server with automated renewal. This guide walks you through a full production-ready setup — including certbot installation, secure TLS configuration, HTTP/2, OCSP stapling, and auto-renewal.
Whether you’re running a VPS, dedicated server, or colocated machine, Let’s Encrypt allows you to deploy HTTPS at scale with zero cost and minimal manual work.
🔹 Step 1: Install Certbot
Let’s Encrypt certificates are obtained via the certbot client.
# Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
# RHEL/CentOS (certbot and the Nginx plugin are packaged in EPEL; enable that repository first)
sudo dnf install certbot python3-certbot-nginx -y
Verify version:
certbot --version
🔹 Step 2: Prepare Nginx Server Block
Configure your site in /etc/nginx/sites-available/example.conf:
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;
    index index.html index.php;
}
Check config:
sudo nginx -t
sudo systemctl reload nginx
🔹 Step 3: Request SSL Certificate
Run certbot with Nginx plugin:
sudo certbot --nginx -d example.com -d www.example.com
Certbot automatically edits your Nginx config to include SSL parameters. Certificates are stored in:
/etc/letsencrypt/live/example.com/
🔹 Step 4: Secure TLS Configuration
Replace weak defaults with modern TLS settings (/etc/nginx/snippets/ssl.conf):
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
# ssl_ciphers takes an OpenSSL cipher-list string and only governs TLS 1.2.
# TLS 1.3 suite names (TLS_AES_256_GCM_SHA384 etc.) are not valid here and would
# leave TLS 1.2 with no usable suites; TLS 1.3 suites are negotiated automatically.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;   # session IDs only; avoids long-lived ticket keys that weaken forward secrecy
# OCSP stapling: only takes effect when the issued certificate carries an OCSP responder URL
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;   # used by Nginx to reach the OCSP responder
Then reference the snippet from the HTTPS server block:
include snippets/ssl.conf;
🔹 Step 5: Enable HTTP/2 and Redirects
Force all traffic over HTTPS:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Enable HTTP/2 in the SSL block (on Nginx 1.25.1 and newer the http2 parameter of listen is deprecated in favour of a separate http2 on; directive, so prefer that form on current releases):
listen 443 ssl http2;
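Steps 2 through 5 can be turned into one repeatable provisioning script. The following is an added example, not code from the original article: it renders the hardened TLS snippet and a complete dual-stack site configuration for a given domain (port 80 answers ACME HTTP-01 challenges from a webroot and redirects everything else; port 443 serves the site with HTTP/2 using the http2 on; directive form), validates with nginx -t, and reloads only if validation passes. The ACME webroot /var/www/letsencrypt and the example.com domain are assumptions of this script; certificate paths follow the /etc/letsencrypt/live/<domain>/ layout from Step 3.

```shell
#!/bin/sh
# Added example (not from the original article): render Nginx config for one
# domain, validate it, and reload. Domain, webroot and ACME root are parameters.
set -eu

# Print the shared TLS snippet (Step 4). TLS 1.3 suites are negotiated
# automatically; ssl_ciphers only lists the TLS 1.2 suites we allow.
render_ssl_snippet() {
  cat <<'EOF'
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
EOF
}

# Print a site config for DOMAIN. Port 80 serves ACME challenges from
# ACME_ROOT (so renewals keep working behind the redirect) and redirects
# everything else; port 443 uses the http2 on; directive (Nginx 1.25.1+).
render_site_config() {
  domain="$1"; webroot="${2:-/var/www/html}"; acme_root="${3:-/var/www/letsencrypt}"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};

    location ^~ /.well-known/acme-challenge/ {
        root ${acme_root};
        default_type text/plain;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name ${domain} www.${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    include snippets/ssl.conf;

    root ${webroot};
    index index.html;
}
EOF
}

# Write both files, validate, and reload Nginx only if validation passes.
install_site() {
  domain="$1"
  render_ssl_snippet > /etc/nginx/snippets/ssl.conf
  render_site_config "$domain" > "/etc/nginx/sites-available/${domain}.conf"
  ln -sf "/etc/nginx/sites-available/${domain}.conf" "/etc/nginx/sites-enabled/${domain}.conf"
  nginx -t && systemctl reload nginx
}

# Usage: sudo ./provision-site.sh example.com
if [ "${1:-}" != "" ]; then
  install_site "$1"
fi
```

Run it once before the first certbot request (Nginx starts fine while the certificate files do not exist yet only if you comment out the 443 block or issue the certificate first with certbot certonly --webroot -w /var/www/letsencrypt), then again after. Keeping the challenge location ahead of the redirect is what lets renewals succeed on a site that otherwise forces HTTPS.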
🔹 Step 6: Automatic Renewal
Let’s Encrypt certs are valid for 90 days, so renewal must be automated. Certbot installs a systemd timer:
systemctl list-timers | grep certbot
Test renewal:
sudo certbot renew --dry-run
If using cron:
0 3 * * * certbot renew --quiet && systemctl reload nginx
🔹 Step 7: Advanced Optimizations
- OCSP Stapling: Reduces TLS handshake latency.
- HSTS (Strict Transport Security): Prevents downgrade attacks:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- IPv6: Ensure dual-stack support (listen [::]:443 ssl http2;).
- Certbot Hooks: Run post-renew scripts, e.g. reload HAProxy or restart Docker containers.
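The cron line in Step 6 reloads Nginx on every run whether or not anything was renewed; the hook mechanism mentioned above is the cleaner way to react only to an actual renewal. The script below is an added example, not code from the original article: a certbot deploy hook that runs only for a chosen certificate name and only reloads if nginx -t passes, so a broken configuration never takes the site down. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables certbot exports to deploy hooks; the SITE_DOMAIN default of example.com is a constructed value. When the --nginx installer was used certbot reloads Nginx itself, so the same pattern is most useful for other consumers of the files (HAProxy, a container), with the reload command swapped accordingly.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (mode 755).
# certbot exports RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS (space-separated names) when it runs deploy hooks.
set -eu

LOG_TAG="certbot-deploy"

# Return 0 if DOMAIN appears in the space-separated list RENEWED.
domain_renewed() {
  domain="$1"; renewed="$2"
  for d in $renewed; do
    [ "$d" = "$domain" ] && return 0
  done
  return 1
}

# Reload only if the config parses; a reload with a broken config drops the site.
reload_nginx() {
  if nginx -t 2>/dev/null; then
    systemctl reload nginx
    logger -t "$LOG_TAG" "reloaded nginx after renewal of ${RENEWED_LINEAGE:-unknown}"
  else
    logger -t "$LOG_TAG" "nginx -t failed; not reloading (lineage ${RENEWED_LINEAGE:-unknown})"
    return 1
  fi
}

# Constructed default: the certificate name this hook reacts to.
SITE_DOMAIN="${SITE_DOMAIN:-example.com}"

# Side effects only when invoked by certbot (env vars present).
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  if domain_renewed "$SITE_DOMAIN" "$RENEWED_DOMAINS"; then
    reload_nginx
  else
    logger -t "$LOG_TAG" "renewal of ${RENEWED_DOMAINS} does not affect ${SITE_DOMAIN}; nothing to do"
  fi
fi
```

Because the hook lives in the renewal-hooks/deploy directory, certbot runs it for each lineage that actually renewed, both from the systemd timer and from certbot renew in cron, so the cron line can be reduced to certbot renew --quiet.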
🔹 Step 8: Monitoring & Troubleshooting
Check logs:
journalctl -u certbot
Use SSL Labs to scan your domain and target an A+ rating.
Common errors:
- DNS misconfigured: Ensure domain resolves to VPS IP.
- Port 80 blocked: Let’s Encrypt requires port 80 for HTTP challenge.
- Rate limits: 50 certificates/week per domain.
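Log inspection and an occasional SSL Labs scan tell you about the past; a stalled renewal loop is usually noticed only when the certificate has already expired. The check below is an added example, not code from the original article: it reads the notAfter date from a lineage's fullchain.pem, computes the days left, and exits non-zero below a threshold so cron or a monitoring agent can alert while there is still time to fix DNS, port 80 or a rate-limit problem. It assumes GNU date (for date -d) and the openssl command-line tool; the 20-day default threshold is a choice, sitting below the 30-day mark at which certbot normally renews.

```shell
#!/bin/sh
# Added example (not from the original article): certificate expiry check.
# Assumes GNU date (date -d) and the openssl CLI.
set -eu

# Whole days from NOW to END, both in the format openssl prints
# (e.g. "Jun  1 00:00:00 2025 GMT"). Negative once END has passed.
days_between() {
  end_s=$(date -u -d "$1" +%s)
  now_s=$(date -u -d "$2" +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Days until the leaf certificate (first block in PEMFILE) expires.
cert_days_left() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  days_between "$not_after" "$(date -u)"
}

# Return 0 if PEMFILE has more than THRESHOLD days left, 1 otherwise.
# Let's Encrypt certs are valid for 90 days and certbot renews at 30 days
# left, so a threshold around 20 flags a renewal loop that has stalled.
check_cert() {
  pem="$1"; threshold="${2:-20}"
  left=$(cert_days_left "$pem")
  if [ "$left" -gt "$threshold" ]; then
    echo "OK: $pem has $left days left"
    return 0
  fi
  echo "WARNING: $pem has $left days left (threshold $threshold)" >&2
  return 1
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem 20
if [ "${1:-}" != "" ]; then
  check_cert "$1" "${2:-20}"
fi
```

Schedule it daily alongside the renewal timer; a non-zero exit with the WARNING line on stderr is enough for cron mail or a Nagios-style check to pick up, and pairing it with certbot renew --dry-run in the same job surfaces the cause (DNS, blocked port 80, rate limit) at the same time.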
✅ Conclusion
With Let’s Encrypt and Nginx, deploying HTTPS is free, automated, and secure. By combining certbot automation, hardened TLS configuration, HTTP/2, OCSP stapling, and auto-renewal, you ensure continuous SSL coverage without manual intervention. In 2025, this setup is not just best practice — it’s a baseline requirement. At WeHaveServers.com, we deploy Let’s Encrypt SSL by default for all hosted services, ensuring client applications are secure, compliant, and SEO-friendly.
❓ FAQ
Is Let’s Encrypt really free?
Yes, it’s completely free, backed by the Internet Security Research Group (ISRG).
How often do I need to renew certificates?
Every 90 days. Certbot automates this process via cron or systemd timers.
Can I use Let’s Encrypt for wildcard domains?
Yes, via DNS challenge. Example: *.example.com requires API access to your DNS provider.
Does Let’s Encrypt support TLS 1.3?
Yes, and it should always be enabled for modern browsers and APIs.
Can I use Let’s Encrypt in production?
Absolutely. Millions of businesses rely on it. Just ensure proper monitoring of renewals.