{"id":194,"date":"2025-09-24T16:22:40","date_gmt":"2025-09-24T16:22:40","guid":{"rendered":"https:\/\/wehaveservers.com\/blog\/?p=194"},"modified":"2025-09-24T16:22:40","modified_gmt":"2025-09-24T16:22:40","slug":"lets-encrypt-on-nginx-free-ssl-with-auto-renew-2025","status":"publish","type":"post","link":"https:\/\/wehaveservers.com\/blog\/linux-sysadmin\/lets-encrypt-on-nginx-free-ssl-with-auto-renew-2025\/","title":{"rendered":"Let\u2019s Encrypt on Nginx: Free SSL with Auto-Renew (2025)"},"content":{"rendered":"\n
\"letencrypt\"<\/figure>\n\n\n\n



Let\u2019s Encrypt on Nginx: Free SSL with Auto-Renew (2025)
<\/p>\n\n\n\n

Let\u2019s Encrypt on Nginx: Free SSL with Auto-Renew (2025)<\/h1>\n\n\n\n

In 2025, HTTPS is no longer optional. Browsers flag HTTP as insecure, SEO rankings drop without TLS, and modern APIs often require encrypted transport. Fortunately, Let\u2019s Encrypt<\/strong> makes it easy to deploy free SSL certificates<\/strong> on your Nginx web server with automated renewal. This guide walks you through a full production-ready setup \u2014 including certbot installation, secure TLS configuration, HTTP\/2, OCSP stapling, and auto-renewal<\/strong>.<\/p>\n\n\n\n

Whether you\u2019re running a VPS, dedicated server, or colocated machine, Let\u2019s Encrypt allows you to deploy HTTPS at scale<\/strong> with zero cost and minimal manual work.<\/p>\n\n\n\n

\n\n\n\n

\ud83d\udd39 Step 1: Install Certbot<\/h2>\n\n\n\n

Let\u2019s Encrypt certificates are obtained via the certbot<\/code> client.<\/p>\n\n\n\n

# Ubuntu\/Debian\nsudo apt update\nsudo apt install certbot python3-certbot-nginx -y\n\n# RHEL\/CentOS\nsudo dnf install certbot python3-certbot-nginx -y\n<\/code><\/pre>\n\n\n\n
Verify version:<\/p>\n\n\n\n
certbot --version\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 2: Prepare Nginx Server Block<\/h2>\n\n\n\n
Configure your site in \/etc\/nginx\/sites-available\/example.conf<\/code>:<\/p>\n\n\n\n
server {\n    listen 80;\n    server_name example.com www.example.com;\n\n    root \/var\/www\/html;\n    index index.html index.php;\n}\n<\/code><\/pre>\n\n\n\n
Check config:<\/p>\n\n\n\n
sudo nginx -t\nsudo systemctl reload nginx\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 3: Request SSL Certificate<\/h2>\n\n\n\n
Run certbot with Nginx plugin:<\/p>\n\n\n\n
sudo certbot --nginx -d example.com -d www.example.com\n<\/code><\/pre>\n\n\n\n
Certbot automatically edits your Nginx config to include SSL parameters. Certificates are stored in:<\/p>\n\n\n\n
\/etc\/letsencrypt\/live\/example.com\/\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 4: Secure TLS Configuration<\/h2>\n\n\n\n
Replace weak defaults with modern TLS settings (\/etc\/nginx\/snippets\/ssl.conf<\/code>):<\/p>\n\n\n\n
ssl_protocols TLSv1.3 TLSv1.2;\nssl_prefer_server_ciphers on;\nssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';\nssl_session_cache shared:SSL:50m;\nssl_session_timeout 1d;\nssl_session_tickets off;\n\nssl_stapling on;\nssl_stapling_verify on;\nresolver 1.1.1.1 8.8.8.8 valid=300s;\n<\/code><\/pre>\n\n\n\n
Then reference snippet in server block:<\/p>\n\n\n\n
include snippets\/ssl.conf;\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 5: Enable HTTP\/2 and Redirects<\/h2>\n\n\n\n
Force all traffic over HTTPS:<\/p>\n\n\n\n
server {\n    listen 80;\n    server_name example.com www.example.com;\n    return 301 https:\/\/$host$request_uri;\n}\n<\/code><\/pre>\n\n\n\n
Enable HTTP\/2 in SSL block:<\/p>\n\n\n\n
listen 443 ssl http2;\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 6: Automatic Renewal<\/h2>\n\n\n\n
Let\u2019s Encrypt certs expire every 90 days. Certbot installs a systemd timer:<\/p>\n\n\n\n
systemctl list-timers | grep certbot\n<\/code><\/pre>\n\n\n\n
Test renewal:<\/p>\n\n\n\n
sudo certbot renew --dry-run\n<\/code><\/pre>\n\n\n\n
If using cron:<\/p>\n\n\n\n
0 3 * * * certbot renew --quiet && systemctl reload nginx\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udd39 Step 7: Advanced Optimizations<\/h2>\n\n\n\n