ShortIQ

How to Install a Free SSL Certificate on Ubuntu with Let’s Encrypt and Nginx

Step-by-step guide to installing a free HTTPS certificate on Ubuntu using Certbot and Let’s Encrypt with Nginx. Covers Certbot installation, certificate issuance, automatic renewal, and common errors.

June 29, 2026 | ShortIQ Editorial Team

What Is Let’s Encrypt and Why Use It?

Let’s Encrypt is a free, automated certificate authority run by the non-profit Internet Security Research Group. It issues SSL/TLS certificates valid for 90 days that browsers trust by default. Before Let’s Encrypt, a domain certificate cost between $50 and $200 per year and required manual renewal. Today every website can run HTTPS for free with automatic renewal.

Certbot is the official Let’s Encrypt client maintained by the Electronic Frontier Foundation. On Ubuntu with Nginx, Certbot issues the certificate and automatically edits your Nginx configuration to redirect HTTP to HTTPS and enable the correct SSL settings. The entire process takes about 5 minutes on a server where Nginx is already running.

  • Free: Let’s Encrypt certificates cost nothing — no billing, no credit card
  • Trusted: all major browsers and operating systems trust Let’s Encrypt certificates
  • Automatic renewal: Certbot installs a systemd timer that renews certificates before they expire
  • Required for SEO: Google uses HTTPS as a ranking signal; HTTP sites show a Not Secure warning
  • Required for modern web features: service workers, geolocation, and camera APIs require HTTPS

Prerequisites: What You Need Before Starting

Before running Certbot you need three things: a domain name that points to your server IP via an A record (DNS must already be propagated), a running Nginx installation on Ubuntu, and port 80 open in your firewall. Certbot uses port 80 to verify domain ownership using the HTTP-01 challenge — it temporarily serves a file at http://yourdomain.com/.well-known/acme-challenge/ and Let’s Encrypt fetches it to confirm you control the domain.

Check your DNS is pointing correctly with the dig command before running Certbot. If the A record has not propagated yet, Certbot will fail with a connection error. DNS propagation typically takes 5 to 30 minutes for new records with a short TTL.

```bash
# Verify DNS points to your server before running Certbot
dig +short yourdomain.com
# Should return your server IP address

# Verify Nginx is installed and running
systemctl status nginx

# Verify port 80 is open (using ufw)
sudo ufw status
# If port 80 is not listed, open it:
sudo ufw allow 'Nginx Full'
```

Step 1: Install Certbot on Ubuntu

Certbot is available in the Ubuntu snap store. The snap package is the recommended installation method because it ships the latest Certbot version independently of the Ubuntu package repository. The snap version updates itself automatically.

```bash
# Remove any old certbot installed via apt (to avoid conflicts)
sudo apt remove certbot

# Install Certbot via snap
sudo snap install --classic certbot

# Create the symlink so certbot command is available globally
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Confirm the installation
certbot --version
# Expected output: certbot 2.x.x
```

Step 2: Issue the Certificate and Configure Nginx

The certbot --nginx command does two things: it contacts Let’s Encrypt to issue the certificate for your domain, and it automatically edits your Nginx server block to enable HTTPS and redirect HTTP traffic. You only need to provide the domain name — Certbot handles everything else.

If you have multiple domains or want to include www and non-www, pass them both with -d flags. Certbot issues a single certificate that covers all the domains you list.

```bash
# Issue certificate for your domain (Nginx plugin edits config automatically)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Certbot will ask:
# 1. Your email address (for renewal reminders)
# 2. Whether to agree to the Terms of Service
# 3. Whether to redirect HTTP to HTTPS (choose 2: Redirect)

# After success you will see:
# Successfully deployed certificate for yourdomain.com
# Congratulations! ... your certificate and chain have been saved at:
# /etc/letsencrypt/live/yourdomain.com/fullchain.pem

# Verify HTTPS is working
curl -I https://yourdomain.com
# Look for a 200 status line. HTTP/2 and a strict-transport-security header
# appear only if your Nginx config enables them; Certbot adds the HSTS header
# only when run with --hsts
```

Step 3: Verify and Test Auto-Renewal

Let’s Encrypt certificates expire after 90 days. Certbot installs a systemd timer (snap.certbot.renew.timer when Certbot is installed from the snap, as in Step 1) that runs twice daily and renews any certificate that expires in less than 30 days. Verify that the timer is active and test the renewal process with a dry run before relying on it.

The dry run simulates the renewal without actually replacing the certificate. If it completes without errors, the real renewal will work the same way. Run this check immediately after installation so you have time to fix any issues before the certificate actually expires.

```bash
# Check that the Certbot renewal timer is active
systemctl status snap.certbot.renew.timer
# Should show: active (waiting)

# Run a dry-run renewal to test the process
sudo certbot renew --dry-run
# Should end with: Simulated renewal succeeded

# List all certificates and their expiry dates
sudo certbot certificates
# Shows: domain, expiry date, certificate path

# Certbot's Nginx plugin reloads Nginx after a renewal.
# Custom deploy hooks, if you need any, go in: /etc/letsencrypt/renewal-hooks/deploy/
```
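A dry run only proves that renewal works today. As an added example (not part of the original guide), the function below reads the output of sudo certbot certificates and flags any certificate that has dropped below the 30-day renewal window, which means the timer has stopped doing its job. The function name, the 25-day alert threshold, and the sample output are assumptions made for illustration.

```shell
# Added example, not from the original guide. Function name, threshold and
# sample text are assumptions made for illustration.
# check_renewal MIN_DAYS reads `certbot certificates` output on stdin, prints
# "<name> <days left> <OK|STALE|INVALID>" per certificate, and returns 1 when
# any certificate has fewer than MIN_DAYS days left or is marked invalid.
check_renewal() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /\(VALID: [0-9]+ day/) {
                days = $0
                sub(/.*\(VALID: /, "", days)   # drop everything up to the number
                sub(/ day.*/, "", days)        # drop everything after it
                state = (days + 0 < min + 0) ? "STALE" : "OK"
            } else {
                # marked INVALID, or a VALID status that is not counted in days
                days = 0
                state = ($0 ~ /INVALID/) ? "INVALID" : "STALE"
            }
            if (state != "OK") bad = 1
            print name, days, state
        }
        END { exit bad + 0 }
    '
}

# Constructed, trimmed sample of `certbot certificates` output (placeholder data).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2026-09-27 10:15:02+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  Certificate Name: api.yourdomain.com
    Domains: api.yourdomain.com
    Expiry Date: 2026-08-10 08:00:41+00:00 (VALID: 11 days)
  Certificate Name: old.yourdomain.com
    Domains: old.yourdomain.com
    Expiry Date: 2026-07-01 08:00:41+00:00 (INVALID: EXPIRED)'

# 25 days is an assumed margin just below the 30-day renewal window.
printf '%s\n' "$SAMPLE_CERTS" | check_renewal 25 ||
    echo "renewal is not keeping up: check the timer and rerun the dry run"
```

On a real server, pipe sudo certbot certificates into check_renewal from a scheduled job and alert on a non-zero exit status.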

What Your Nginx Config Looks Like After Certbot

Certbot edits your Nginx server block in /etc/nginx/sites-available/ to add the SSL certificate paths, listen on port 443, and redirect port 80 to HTTPS. The result is a working HTTPS configuration without you writing a single line of SSL config. You can review the changes Certbot made to verify the configuration is correct.

```nginx
# /etc/nginx/sites-available/yourdomain.com
# After Certbot runs, your file will look similar to this:

server {
    # Certbot adds these SSL lines:
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/yourdomain.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Certbot also adds a redirect block:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
```
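To review the result systematically rather than by eye, the added example below (not part of the original guide, and not a full Nginx parser) walks each server block in a site file and reports whether it terminates TLS with a certificate and key, redirects to HTTPS, or still serves plain HTTP. The function name, verdict labels, and the third sample block are assumptions made for illustration.

```shell
# Added example, not from the original guide; names and sample are assumptions.
# audit_nginx_tls reads a site file on stdin and prints "<ports> <verdict>" per
# server block; returns 1 on plain HTTP without redirect or ssl without cert/key.
audit_nginx_tls() {
    awk '
        function report() {
            if (tls) verdict = (cert && key) ? "TLS_OK" : "TLS_NO_CERT"
            else     verdict = redir ? "REDIRECT" : "PLAINTEXT"
            if (verdict == "TLS_NO_CERT" || verdict == "PLAINTEXT") bad = 1
            print ports, verdict
        }
        { sub(/[#].*/, "") }   # strip comments before matching directives
        depth == 0 && /^[ \t]*server[ \t]*[{]/ { ports = ""; tls = cert = key = redir = 0 }
        /^[ \t]*listen[ \t]/ {
            port = $2; sub(/;.*/, "", port); sub(/.*:/, "", port)
            sep = (ports == "") ? "" : ","
            ports = ports sep port
            if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1
        }
        /^[ \t]*ssl_certificate[ \t]/     { cert = 1 }
        /^[ \t]*ssl_certificate_key[ \t]/ { key = 1 }
        /^[ \t]*return[ \t]+30[1278][ \t]+https:/ { redir = 1 }
        {
            was = depth
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (was > 0 && depth == 0) report()   # a server block just closed
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the two blocks shown above (trimmed) plus a leftover one.
SAMPLE_SITE='server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 80;   # constructed leftover block that still serves plain HTTP
    root /var/www/legacy;
}'
printf '%s\n' "$SAMPLE_SITE" | audit_nginx_tls || echo "review the blocks flagged above"
```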

Troubleshooting Common Certbot Errors

The most common Certbot errors all have straightforward fixes. Connection refused or timeout errors mean port 80 is blocked by a firewall. DNS problem errors mean the domain A record does not yet point to your server IP. Too many certificates errors mean you have hit the Let’s Encrypt rate limit of 5 duplicate certificates per week — use the --staging flag to test without consuming your quota.

If Nginx fails to start after Certbot edits the config, test the configuration with nginx -t before reloading. A syntax error in the Nginx config (often from a missing semicolon or brace) will prevent Nginx from starting and take your site down until fixed.

  • Connection refused: open port 80 with sudo ufw allow 80 and check your cloud provider security group
  • DNS problem: verify dig +short yourdomain.com returns your server IP; wait for propagation
  • Too many certificates: use --staging to test without consuming rate limit quota
  • Nginx config error: run sudo nginx -t to find the syntax error before reloading
  • Permission denied on /etc/letsencrypt: always run certbot commands with sudo

FAQ

Is Let’s Encrypt really free?

Yes. Let’s Encrypt certificates are completely free — no billing, no credit card, no hidden fees. The certificates are identical in browser trust to paid certificates. The only difference is that Let’s Encrypt certificates expire after 90 days (vs 1-2 years for paid ones), but Certbot renews them automatically so you never need to think about it.

How long does it take to install an SSL certificate with Certbot?

About 5 minutes from start to finish if your DNS is already pointing to the server and Nginx is running. The snap install takes about 30 seconds, the certbot --nginx command takes about 30 seconds, and the dry-run test takes about 30 seconds. The rest is reading the prompts and confirming.

Do I need to renew the certificate manually?

No. Certbot installs a systemd timer that checks for renewal twice daily and renews automatically when the certificate is within 30 days of expiry. You can verify the timer is active with systemctl status snap.certbot.renew.timer. Run sudo certbot renew --dry-run once after installation to confirm renewal will work.

What if my domain does not have a www subdomain?

Just pass only your root domain: sudo certbot --nginx -d yourdomain.com. If you want to support www later, you need a separate DNS A record for www pointing to your server, then re-run Certbot with both -d yourdomain.com -d www.yourdomain.com to expand the certificate.

Can I use this for a Node.js or Python app behind Nginx?

Yes. The process is identical regardless of what is running behind Nginx. Certbot secures the Nginx layer — your app only needs to listen on a local port (like 3000 or 8000), and Nginx proxies HTTPS traffic to it. The Nginx proxy_pass configuration and the SSL certificate configuration are independent.

What is the Let’s Encrypt rate limit?

Let’s Encrypt allows 5 duplicate certificates per domain per week. You hit this limit if you run certbot multiple times during testing. To avoid consuming your quota during testing, use the --staging flag: sudo certbot --nginx --staging -d yourdomain.com. Staging certificates are not browser-trusted but the process is identical for testing purposes.

What is the difference between Let’s Encrypt and a paid SSL certificate?

Browser trust and encryption strength are identical. The differences are: Let’s Encrypt issues only Domain Validated (DV) certificates (verifies domain ownership), while paid providers also offer Organization Validated (OV) and Extended Validation (EV) certificates (verify the company identity). EV certificates used to show a green company name in browsers but most browsers removed that indicator. For nearly all websites, a free Let’s Encrypt DV certificate is indistinguishable from a paid one.
