Why You Should Use Let’s Encrypt
The certificate authority Let’s Encrypt (LE) provides free, automated, trusted SSL/TLS certificates so you can serve your website over HTTPS, which is essential for security, user-trust and SEO.
Key benefits
- It’s free: no cost for domain-validated certificates.
- It’s automated: certificate issuance and renewal can be scripted or handled by the Certbot tool.
- It’s widely trusted: major browsers and systems accept LE certificates.
- It helps with SEO and user trust: HTTPS is a ranking signal, users see the lock icon, and data is encrypted.
- It encourages good security hygiene (the short 90-day certificate lifetime encourages automation).
In short: if you run your own server (VPS, cloud VM, dedicated) and host a website or web-application, using Let’s Encrypt to enable HTTPS is low-hanging fruit for improving security and SEO.
General Prerequisites (All Systems)
Before proceeding, make sure:
- You have root or a sudo-enabled user on the server.
- Your domain name (e.g., `yourdomain.com`) points (via a DNS A record) to the server’s public IP address.
- You have a working web server (e.g. Apache or Nginx) running and publicly accessible on port 80 (HTTP); Let’s Encrypt uses HTTP verification by default.
- Outgoing connections from the server to the internet are allowed (so the ACME challenge can complete).
- A firewall permits at least inbound ports 80 and (for HTTPS) 443.
Installing Let’s Encrypt Certificates with Certbot
We’ll cover instructions for Ubuntu/Debian, CentOS, and AlmaLinux/Rocky Linux. The process is largely the same on each, but package names and commands vary.
Ubuntu (e.g., 20.04, 22.04) / Debian
Then, to obtain and install the certificate:
Or for Apache:
Certbot will handle domain validation, certificate issuance and web-server configuration.
Renewal: Certificates from Let’s Encrypt are valid for 90 days. Certbot installs a timer or cron job to auto-renew. You can test renewal with:
CentOS / RHEL (e.g., CentOS 7/8)
Then run:
Or with the Apache plugin.
Set up renewal (if not automatic):
AlmaLinux / Rocky Linux
These are RHEL-forks, so you treat them like CentOS/RHEL:
Set up auto-renewal as described above.
Case-by-Case Quick Reference Table
| OS | Package Manager | Command to Install Certbot | Typical Command to Obtain Certificate |
|---|---|---|---|
| Ubuntu / Debian | apt | `sudo apt install certbot python3-certbot-nginx` | `sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com` |
| CentOS 7/8 | yum | `sudo yum install certbot python3-certbot-nginx` | `sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com` |
| AlmaLinux / Rocky Linux | dnf | `sudo dnf install certbot python3-certbot-nginx` | `sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com` |
Additional Configuration & Best Practices
- HTTP → HTTPS Redirect: After certificate installation, ensure your server forces HTTPS (redirect HTTP traffic). Many Certbot plugins can configure this automatically.
- HSTS Header: For extra security, set the `Strict-Transport-Security` header (warning: once set, returning to HTTP is tricky).
- Renewal Verification: Run `sudo certbot renew --dry-run` occasionally to verify that renewal will succeed.
- Multiple Domains/Subdomains: You can pass multiple `-d` arguments to Certbot to cover multiple domains.
- Wildcard Certificates: Let’s Encrypt supports wildcard certificates (e.g., `*.yourdomain.com`), but these often require DNS-challenge setup.
- Logging & expiry check: Certificate files live under `/etc/letsencrypt/live/yourdomain.com/`. Check expiry with `sudo certbot certificates`.
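The renewal and expiry checks above only help if someone runs them, so the following added example (not part of the original tutorial or of Certbot) is a script that a cron job or monitoring agent can run and that exits non-zero when any certificate under the live directory is close to expiry or unreadable. The function names, the script name `check-certs.sh`, the 21-day threshold and the exit codes are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag Certbot certificates close to expiry.
# Assumed/illustrative: function names, 21-day default, exit-code convention.

# check_cert_expiry CERT_PEM [WARN_DAYS]
#   0 = valid for longer than WARN_DAYS
#   1 = expires within WARN_DAYS (or already expired)
#   2 = file missing, unreadable, or not a parseable certificate
check_cert_expiry() {
    local cert="$1" warn_days="${2:-21}"
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout 2>/dev/null || return 2
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$(( warn_days * 86400 ))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# scan_live_dir LIVE_DIR [WARN_DAYS]
#   Checks LIVE_DIR/<name>/fullchain.pem; openssl reads the first PEM block,
#   which in fullchain.pem is the leaf certificate.
#   Returns 0 only if at least one certificate was found and all are healthy.
scan_live_dir() {
    local live_dir="$1" warn_days="${2:-21}" status=0 found=0 rc cert name
    for cert in "$live_dir"/*/fullchain.pem; do
        [ -e "$cert" ] || [ -L "$cert" ] || continue   # skip only an unmatched glob
        found=$(( found + 1 ))
        name="$(basename "$(dirname "$cert")")"
        rc=0
        check_cert_expiry "$cert" "$warn_days" || rc=$?
        case "$rc" in
            0) echo "OK         $name" ;;
            1) echo "EXPIRING   $name ($(openssl x509 -in "$cert" -noout -enddate))"; status=1 ;;
            *) echo "UNREADABLE $name"; status=1 ;;
        esac
    done
    # An empty scan usually means a wrong path or missing permissions, not health.
    if [ "$found" -eq 0 ]; then
        echo "NO CERTIFICATES under $live_dir" >&2
        return 1
    fi
    return "$status"
}

# Usage: sudo ./check-certs.sh /etc/letsencrypt/live 21
if [ "$#" -gt 0 ]; then
    scan_live_dir "$@"
fi
```

Pick a threshold below the point at which your renewals normally happen, so that an alert means automated renewal has been failing rather than simply not yet due.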
What If You Run a Non-Standard Stack?
If you don’t use Apache/Nginx or have a special setup (load-balancer, reverse proxy, CDN) you may need to use more manual configuration:
- Use `certbot certonly` to obtain a certificate without an automatic web-server plugin.
- Upload the generated files (`fullchain.pem`, `privkey.pem`) into your configuration manually.
- Use the DNS challenge if the HTTP challenge is blocked.
- If your hosting panel (e.g., cPanel) supports a Let’s Encrypt plugin, you can install certificates from there.
Summary & Final Thoughts
By installing Let’s Encrypt and configuring HTTPS on your server, you improve security, user trust and SEO. The process is straightforward on modern distributions when using Certbot. Key steps: install Certbot → run with your domain → set up auto-renewal → ensure redirect & good configuration.
Remember: Certificates must renew every 90 days, so automation is key. Monitor and test renewals.
If you follow the above tutorial on Debian, Ubuntu, CentOS, AlmaLinux or Rocky Linux, you’ll have a robust HTTPS setup in no time.