Configure Nginx SSL with Let's Encrypt on Ubuntu VPS

By Raman Kumar


Updated on May 01, 2026


Prerequisites and Initial Setup

Before you configure Nginx SSL with Let's Encrypt on your Ubuntu VPS, get a few basics in place. Your domain must point to your server's IP address, and Nginx should already serve your website on port 80.

Check that your domain resolves correctly:

nslookup yourdomain.com

Verify Nginx is running and accessible:

sudo systemctl status nginx
curl -I http://yourdomain.com

You should see a 200 OK response. If your site isn't loading over HTTP, SSL won't work either.

Install Certbot and Nginx Plugin

Certbot is the official Let's Encrypt client. On Ubuntu 22.04 and newer, install it directly from the package repository:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

The python3-certbot-nginx plugin automatically configures your Nginx virtual hosts. This saves you from manually editing configuration files.

Verify the installation:

certbot --version

You should see version 1.21 or newer for optimal compatibility.

Obtain Your SSL Certificate

Run Certbot with the Nginx plugin to obtain and install your certificate:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will ask for an email address for renewal notifications and whether you agree to the terms of service. It then validates domain ownership by placing temporary files in your web root.

When prompted about redirecting HTTP to HTTPS, choose option 2 to redirect all traffic automatically. This ensures visitors always use the encrypted connection.

For hosting customers running multiple sites, you can obtain certificates for specific domains without affecting others. This works particularly well on Hostperl VPS hosting where you might manage several client websites.

Verify SSL Configuration

After Certbot completes, test your SSL setup. Open your browser and navigate to https://yourdomain.com. You should see a lock icon in the address bar.

Check the certificate details in your browser:

  • Issued by: Let's Encrypt Authority
  • Valid for 90 days from issue date
  • Subject alternative names include both your naked domain and www subdomain

Use SSL Labs' free SSL test for a comprehensive analysis:

curl -s "https://api.ssllabs.com/api/v3/analyze?host=yourdomain.com&publish=off&startNew=on"

Or visit https://www.ssllabs.com/ssltest/ in your browser. A properly configured Let's Encrypt certificate typically scores A or A+.

Understanding Nginx SSL Configuration Changes

Certbot automatically modifies your Nginx virtual host configuration. Here's what it added:

sudo nano /etc/nginx/sites-available/yourdomain.com

You'll see new SSL-specific directives:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
    # Your existing location blocks
    location / {
        try_files $uri $uri/ =404;
    }
}

The options-ssl-nginx.conf file contains Mozilla's recommended SSL settings. These include secure cipher suites and protocol versions that block older, vulnerable connections.

Set Up Automatic Certificate Renewal

Let's Encrypt certificates expire every 90 days. Ubuntu's Certbot package includes a systemd timer that renews certificates automatically.

Check the renewal timer status:

sudo systemctl status certbot.timer

Test the renewal process without actually renewing:

sudo certbot renew --dry-run

This command simulates renewal for all certificates on your server. You should see "Congratulations, all simulated renewals succeeded" if everything is configured correctly.

The timer runs twice daily and only renews certificates within 30 days of expiration. After successful renewal, it automatically reloads Nginx to use the new certificates.
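As an added example (not part of the original article), the following script performs the checks the two preceding sections describe from the command line: it reads the details a browser's certificate panel shows (issuer, days left, subject alternative names) and applies the 30-day renewal threshold the timer uses. It assumes openssl 1.1.1 or newer and GNU date, both present on Ubuntu 22.04; the function names, the self-signed sample certificate it can build for offline use, and the check_cert.sh filename are this example's own choices, not Certbot's.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a certificate the way
# a browser's certificate panel does and apply Certbot's 30-day renewal rule.
# Assumes openssl >= 1.1.1 and GNU date (Ubuntu 22.04 has both).

# Fetch the certificate a live server presents for HOST ($1) into OUTFILE ($2).
# Needs network access, so it is not part of the offline self-test.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$2"
}

# Print the issuer line, e.g. "issuer=C = US, O = Let's Encrypt, CN = R3".
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Print whole days until notAfter (negative once the certificate has expired).
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -u -d "$not_after" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Print the DNS names in the subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Succeed if HOSTNAME ($2) is covered by the certificate in FILE ($1).
# A wildcard SAN covers exactly one label: *.example.com matches
# api.example.com but neither example.com nor a.b.example.com, so the only
# wildcard that can cover $2 is "*." followed by $2 minus its first label.
cert_covers() {
    sans=$(cert_sans "$1")
    printf '%s\n' "$sans" | grep -qxF -- "$2" && return 0
    parent=${2#*.}
    [ "$parent" != "$2" ] && printf '%s\n' "$sans" | grep -qxF -- "*.$parent" && return 0
    return 1
}

# Succeed when the certificate is inside the 30-day window in which the
# certbot timer would renew it.
cert_needs_renewal() {
    [ "$(cert_days_left "$1")" -lt 30 ]
}

# Constructed sample: a throwaway self-signed certificate (45-day lifetime,
# apex plus wildcard SAN) so the checks can be exercised without a server.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 45 \
        -subj "/CN=yourdomain.com" \
        -addext "subjectAltName=DNS:yourdomain.com,DNS:*.yourdomain.com" \
        >/dev/null 2>&1
}

# Usage: ./check_cert.sh yourdomain.com   (inspects the live certificate)
if [ $# -gt 0 ]; then
    tmp=$(mktemp)
    fetch_cert "$1" "$tmp"
    cert_issuer "$tmp"
    echo "days left: $(cert_days_left "$tmp")"
    echo "SANs:"; cert_sans "$tmp"
    cert_covers "$tmp" "$1" && echo "covers $1" || echo "DOES NOT cover $1"
    cert_needs_renewal "$tmp" && echo "inside the 30-day renewal window"
    rm -f "$tmp"
fi
```

A certificate that reports fewer than 30 days left while certbot renew --dry-run succeeds points at the timer rather than at the renewal configuration, so check systemctl status certbot.timer next; the SAN check is also the quickest way to confirm that both the bare domain and the www name ended up on the same certificate.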

Add Security Headers for Enhanced Protection

While Let's Encrypt provides encryption, additional security headers protect against common web vulnerabilities. Add these to your Nginx SSL server block:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    
    # SSL configuration (existing lines)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Your location blocks
}

Test the configuration and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx

The HSTS header tells browsers to always use HTTPS for your domain, even if users type HTTP URLs.
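As an added example (not part of the original article), this script reads raw HTTP response headers and reports any of the four headers above that are missing or carry a different value, so you can confirm the add_header lines actually reach clients rather than trusting that nginx -t passed. It uses curl for the live check; the function names and the two constructed sample responses are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the security
# headers configured in the server block above are present in a response.
# Assumes curl for the live check; function and sample names are this
# example's own.

# name=expected-substring pairs, values lower-case. Taken from the article's
# add_header lines; header values are compared case-insensitively.
REQUIRED_HEADERS='
x-frame-options=deny
x-content-type-options=nosniff
x-xss-protection=1; mode=block
strict-transport-security=max-age=31536000
'

# Reads raw response headers on stdin. Prints one line per header checked
# and returns 1 if any required header is missing or has an unexpected
# value. Header names are matched case-insensitively (HTTP/2 lower-cases them).
check_headers() {
    headers=$(tr -d '\r')
    status=0
    while IFS== read -r name expected; do
        [ -z "$name" ] && continue
        # "|| true" keeps a missing header from aborting under set -e
        line=$(printf '%s\n' "$headers" | grep -i "^$name:" || true)
        if [ -z "$line" ]; then
            echo "MISSING: $name"
            status=1
            continue
        fi
        value=$(printf '%s' "${line#*:}" | tr '[:upper:]' '[:lower:]')
        case "$value" in
            *"$expected"*) echo "ok: $name" ;;
            *) echo "UNEXPECTED VALUE: $line (expected to contain '$expected')"
               status=1 ;;
        esac
    done <<EOF
$REQUIRED_HEADERS
EOF
    return "$status"
}

# Constructed sample responses for offline use: one with every header, and
# one where a location block's own add_header dropped the inherited ones.
SAMPLE_GOOD='HTTP/2 200
server: nginx
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html'

SAMPLE_BAD='HTTP/2 200
server: nginx
cache-control: no-store
content-type: text/html'

# Usage: ./check_headers.sh yourdomain.com
if [ $# -gt 0 ]; then
    curl -sI "https://$1/" | check_headers
fi
```

The second sample shows the failure mode to watch for: nginx inherits add_header directives from the server block into a location block only when that location block declares no add_header of its own, so a location that adds, say, Cache-Control silently drops all four security headers unless they are repeated there or kept in a file both levels include.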

Troubleshooting Common SSL Issues

If certificate installation fails, check these common problems:

Domain validation fails: Ensure your domain resolves to the server and Nginx is serving content on port 80. Certbot needs to place validation files in your web root.

Rate limits: Let's Encrypt allows 50 certificates per domain per week. If you hit this limit, wait a week or use staging certificates for testing:

sudo certbot --nginx --staging -d yourdomain.com

Nginx configuration errors: After Certbot runs, always test your Nginx configuration:

sudo nginx -t

Fix any syntax errors before reloading Nginx.

Firewall blocking HTTPS: Ensure port 443 is open:

sudo ufw allow 443/tcp
sudo ufw status

Many of these issues are easier to resolve on managed VPS platforms where technical support can help with server-level configuration problems.

Managing Multiple Domains and Subdomains

For websites with multiple subdomains, you can obtain wildcard certificates or add specific subdomains to existing certificates.

Add a subdomain to an existing certificate:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com

Request a wildcard certificate (requires DNS validation):

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com"

Wildcard certificates require you to add TXT records to your DNS zone. This method works well when you manage DNS through your hosting provider's control panel.

If you already run your own DNS zone, the manual approach gives you complete control over the validation process.
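As an added example (not part of the original article), this is a --manual-auth-hook script for the wildcard command above. Certbot runs such a hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION set (real Certbot variables); the script prints the TXT record to create and then polls a public resolver until the record is visible, so Certbot does not ask Let's Encrypt to validate before the record has propagated. It assumes dig from the dnsutils package; the function names, the resolver and the polling limits are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): a --manual-auth-hook that
# waits for the DNS-01 TXT record to propagate before Certbot validates.
# Assumes dig (dnsutils). Resolver and polling limits are this example's own.

# Record name Let's Encrypt queries for a domain. A leading "*." is dropped,
# so *.yourdomain.com and yourdomain.com share _acme-challenge.yourdomain.com
# (Certbot passes the name without "*." for wildcards; both forms work here).
acme_record_name() {
    echo "_acme-challenge.${1#\*.}"
}

# Succeed if TXT record NAME ($1) currently contains VALUE ($2) at SERVER ($3).
txt_record_present() {
    dig +short @"$3" "$1" TXT | tr -d '"' | grep -qxF -- "$2"
}

# Poll up to ATTEMPTS ($4, default 30) times, DELAY ($5, default 10) seconds
# apart, against SERVER ($3, default 1.1.1.1). Returns 1 if never seen.
wait_for_txt() {
    name=$1; value=$2; server=${3:-1.1.1.1}; attempts=${4:-30}; delay=${5:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_record_present "$name" "$value" "$server"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Hook entry point: only runs when Certbot invokes the script and sets
# CERTBOT_DOMAIN. While it polls, create the printed record in your DNS
# control panel; Certbot proceeds to validation as soon as the hook exits 0.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    record=$(acme_record_name "$CERTBOT_DOMAIN")
    echo "Add TXT record: $record  value: $CERTBOT_VALIDATION" >&2
    wait_for_txt "$record" "$CERTBOT_VALIDATION" || {
        echo "TXT record not visible after polling; aborting" >&2
        exit 1
    }
fi
```

Run it as sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/acme-dns-hook.sh -d "*.yourdomain.com". Note that a *.yourdomain.com certificate does not cover the bare yourdomain.com; add -d yourdomain.com to the same command if you need both, in which case Certbot runs the hook once per name and both validations use the same _acme-challenge.yourdomain.com record name with different TXT values, so both records must exist at once.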

Setting up SSL certificates is just one part of securing your VPS infrastructure. Hostperl's managed VPS hosting includes SSL support, automated backups, and 24/7 technical support to help you maintain secure, high-performance websites. Our VPS plans come with full root access so you can configure SSL exactly how your applications need it.

Frequently Asked Questions

How long do Let's Encrypt certificates last?

Let's Encrypt certificates are valid for 90 days. The automatic renewal process begins when certificates have 30 days or less remaining, ensuring you never experience an expired certificate outage.

Can I use Let's Encrypt certificates for commercial websites?

Yes, Let's Encrypt certificates provide the same level of encryption as commercial certificates. They're trusted by all major browsers and suitable for any website, including e-commerce and business applications.

What happens if automatic renewal fails?

Certbot sends email notifications when renewal fails. Check your server logs and ensure your domain still resolves correctly. Most failures are due to DNS changes or firewall modifications that block validation.

Do I need to restart Nginx after certificate renewal?

No, Certbot's renewal process automatically reloads Nginx configuration without interrupting active connections. This zero-downtime renewal keeps your website accessible throughout the process.

Can I move Let's Encrypt certificates to another server?

While technically possible, it's easier to generate new certificates on the destination server. Let's Encrypt certificates are tied to domain validation, not specific servers, so you can obtain identical certificates on any server where you control the domain.