HTTPS is the standard. Let’s Encrypt + Certbot = automatic SSL in minutes.
Installation
sudo apt install certbot python3-certbot-nginx
Certificate
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot renew --dry-run
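Configuration
# HTTPS virtual host serving the Let's Encrypt certificate
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

# Plain-HTTP virtual host: redirect every request to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}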
Automatic Renewal and Best Practices
Certbot automatically sets up a cron job for certificate renewal — Let’s Encrypt certificates are valid for 90 days and renew 30 days before expiration. The command certbot renew --dry-run verifies that automatic renewal works correctly. For wildcard certificates (*.example.com), you need a DNS challenge instead of an HTTP challenge.
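To catch a renewal job that has silently stopped working, a monitoring check can compare the certificate's expiry date with the 30-day renewal window described above. The following is an added example, not part of the original page or of Certbot; the function names and the 7-day critical threshold are assumptions, and the sample dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # renewal is due once fewer than 30 days remain (see text)
CRITICAL_DAYS = 7       # assumption: escalation threshold chosen for this example


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry. not_after uses the ssl.getpeercert() format,
    e.g. 'Jan 21 00:00:00 2030 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def renewal_status(not_after: str, now: datetime) -> str:
    """Classify a certificate by how far it is into the renewal window."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "EXPIRED"
    if left < CRITICAL_DAYS:
        return "CRITICAL"
    if left < RENEW_WINDOW_DAYS:
        # Inside the window but still the old certificate: renewal has not succeeded.
        return "RENEWAL_OVERDUE"
    return "OK"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already expired or mismatched certificate fails the handshake itself.
        return f"INVALID ({exc.verify_message})"
    return renewal_status(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed clock
    for sample in ("Mar  1 00:00:00 2030 GMT", "Jan 21 00:00:00 2030 GMT",
                   "Jan  4 00:00:00 2030 GMT", "Dec 25 00:00:00 2029 GMT"):
        print(sample, "->", renewal_status(sample, now))
```

Run `check_host("example.com")` from a scheduler and alert on anything other than `OK`.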
For production deployments, we recommend SSL configuration with modern cipher suites, an HSTS header, and OCSP stapling. The Mozilla SSL Configuration Generator creates an optimal Nginx/Apache configuration for your use case. In containerized environments, consider Traefik or Caddy, which automatically obtain and renew Let’s Encrypt certificates without manual Certbot configuration.
HTTPS for Everyone
Certbot — free and automatic. Set it up once, forget about it.