SSL (Secure Sockets Layer)—more accurately called TLS (Transport Layer Security) today—is the technology that encrypts data traveling between a user's browser and your web server. Without SSL, passwords, credit card numbers, and personal information are transmitted in plain text, vulnerable to interception by anyone on the same network. In 2026, SSL is no longer optional: browsers like Chrome and Firefox flag non-HTTPS sites as "Not Secure," search engines penalize unencrypted sites in rankings, and visitors simply do not trust sites without the padlock icon.
The good news is that SSL certificates are now free thanks to Let's Encrypt, and the setup process is almost entirely automated. This guide shows you how to configure free SSL certificates on both Apache and Nginx servers using Certbot, handle renewals, and troubleshoot common issues.
Need a Server for SSL Setup?
InterServer VPS from $2.50/month with full root access. Install any web server and configure free SSL certificates.
What Is SSL/TLS and Why Do You Need It?
SSL/TLS serves three critical purposes:
- Encryption: Scrambles data so that only the intended recipient (your server) can read it. Without encryption, anyone between the user and server can intercept passwords and sensitive data.
- Authentication: Proves to visitors that your site is genuinely operated by you and not an impostor. The certificate authority verifies your identity (to varying degrees depending on certificate type).
- Data Integrity: Ensures that data has not been tampered with in transit. If anyone modifies the encrypted data, the connection breaks.
Beyond security, SSL provides tangible business benefits: Google has confirmed HTTPS as a ranking signal, browsers display a padlock icon that builds trust, and new web technologies like HTTP/2 and service workers require HTTPS to function.
Types of SSL Certificates
| Type | Validation Level | Ideal For | Cost |
|---|---|---|---|
| DV (Domain Validation) | Basic—proves domain ownership | Blogs, personal sites | Free (Let's Encrypt) |
| OV (Organization Validation) | Medium—verifies organization details | Small businesses | $50–$200/year |
| EV (Extended Validation) | High—rigorous organization vetting | E-commerce, financial sites | $200–$500/year |
| Wildcard | Covers subdomains (*.example.com) | Sites with many subdomains | Free (Let's Encrypt) |
For the vast majority of websites, a free DV certificate from Let's Encrypt is all you need. Let's Encrypt also offers wildcard certificates, which were previously only available as paid options.
Prerequisites
Before installing an SSL certificate, you need:
- A VPS or dedicated server running Ubuntu 22.04/24.04 or Debian 11/12 (InterServer is our recommended provider).
- A registered domain name (e.g.,
example.com). - DNS A records pointing your domain and www subdomain to your server's IP address.
- A web server (Nginx or Apache) installed and serving content on port 80.
- SSH access with sudo privileges.
Installing SSL on Nginx with Certbot
Step 1: Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
The python3-certbot-nginx package is the Nginx plugin that allows Certbot to automatically configure Nginx for SSL.
Step 2: Verify Your Domain Points to Your Server
Before requesting a certificate, confirm that your domain resolves to the correct IP address:
dig +short yourdomain.com
The output should match your server's public IP. If it does not, wait for DNS propagation to complete—this can take up to 48 hours, though usually much less.
Step 3: Obtain and Install the Certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot will guide you through a short interactive setup:
- Enter your email address (for expiration reminders).
- Agree to the terms of service.
- Choose whether to share your email with the EFF.
- Select whether to redirect HTTP traffic to HTTPS (choose option 2—redirect—to force all traffic through the encrypted connection).
If everything succeeds, Certbot will display a success message and your site is now accessible via HTTPS. Test it by visiting https://yourdomain.com in your browser.
Installing SSL on Apache with Certbot
The process for Apache is nearly identical. Install the Apache-specific Certbot plugin:
sudo apt install certbot python3-certbot-apache -y
Then obtain the certificate:
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
Follow the same interactive prompts as the Nginx version. Certbot will automatically modify your Apache virtual host configuration to enable SSL and set up the HTTP-to-HTTPS redirect.
Understanding Automatic Renewal
Let's Encrypt certificates are valid for 90 days. This short lifespan is intentional—it encourages automation and limits damage if a certificate is compromised. Certbot sets up automatic renewal by default via a systemd timer.
Verify the renewal timer is active:
sudo systemctl status certbot.timer
Test the renewal process without actually renewing:
sudo certbot renew --dry-run
If the dry run succeeds, automatic renewal is properly configured. The timer checks twice daily and renews any certificate within 30 days of expiration. No further action is required.
Obtaining Wildcard Certificates
Wildcard certificates cover all subdomains of a domain (e.g., *.example.com). They require DNS-based verification, which means you must add a TXT record to your DNS configuration. Certbot supports this with the DNS challenge plugin.
sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d yourdomain.com
Certbot will display a TXT record value. Add it to your DNS provider's dashboard under the name _acme-challenge.yourdomain.com. Wait a minute or two for propagation, then press Enter to continue. If using a DNS API provider like Cloudflare, you can automate this with the appropriate DNS plugin.
Manual SSL Configuration (Non-Let's Encrypt)
If you purchased a certificate from a commercial CA, you will receive certificate files. Place them in a standard location and configure your web server manually. For Nginx:
sudo mkdir -p /etc/nginx/ssl
sudo cp yourdomain.crt /etc/nginx/ssl/
sudo cp yourdomain.key /etc/nginx/ssl/
sudo cp intermediate.crt /etc/nginx/ssl/
Add the SSL configuration to your Nginx server block:
server {
listen 443 ssl http2;
server_name yourdomain.com;
ssl_certificate /etc/nginx/ssl/yourdomain.crt;
ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
ssl_trusted_certificate /etc/nginx/ssl/intermediate.crt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
SSL Configuration Best Practices
Enable HTTP/2
HTTP/2 is significantly faster than HTTP/1.1 and requires HTTPS. Simply add http2 to your listen directive as shown above.
Use Modern Cipher Suites
Disable outdated protocols (SSLv3, TLSv1.0, TLSv1.1) and use only TLSv1.2 and TLSv1.3. Mozilla's SSL Configuration Generator is an excellent resource for generating secure configurations for your specific server.
Enable HSTS
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your site, preventing downgrade attacks. Add this header to your server configuration:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Enable OCSP Stapling
OCSP stapling improves SSL negotiation speed by including the certificate status response with the handshake, saving the browser from making a separate request to the CA.
Verifying Your SSL Configuration
After installation, verify your configuration with these free online tools:
- SSL Labs SSL Test (ssllabs.com/ssltest): The industry standard for comprehensive SSL analysis. Aim for an "A" or "A+" grade.
- SSL Shopper Checker: A simpler tool for quick verification.
You can also check from the command line:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
This displays the certificate chain, expiration date, and negotiated cipher.
Troubleshooting Common SSL Issues
| Problem | Cause | Solution |
|---|---|---|
| Certbot fails to verify domain | DNS not pointing to server | Wait for propagation, verify with dig |
| "Connection not secure" in browser | Mixed content (HTTP assets on HTTPS page) | Update all URLs to HTTPS, use relative URLs |
| Certificate renewal fails | Port 80 blocked or web server down | Ensure Nginx/Apache is running and port 80 is open |
| SSL Labs grade below A | Outdated protocols or weak ciphers | Disable TLSv1.0/1.1, use Mozilla recommended config |
| Redirect loop after enabling HTTPS | Server behind proxy with wrong headers | Configure X-Forwarded-Proto header handling |
Set Up SSL on InterServer VPS
Full root access from $2.50/month. Install Nginx or Apache, configure free Let's Encrypt SSL, and secure your website.
Affiliate Disclosure: VPSFeedX may earn a commission when you purchase through links on this page. This does not affect the price you pay or our recommendations.
