Let's Encrypt provides free, automated TLS certificates trusted by every major browser. Combined with Certbot and Nginx, you can secure a website with HTTPS in minutes and have it renew itself automatically. Here is the full process on a typical Linux server.
Step 1: Install Certbot
Install Certbot and its Nginx plugin. On Ubuntu the recommended route is the snap package: sudo snap install --classic certbot. The Nginx plugin lets Certbot edit your server blocks automatically.
Step 2: Confirm your Nginx server block
Make sure you have a server block with the correct server_name matching the domain you want to secure, and that the domain's DNS A record points at this server. Certbot validates ownership by responding to an HTTP challenge, so port 80 must be reachable.
Step 3: Issue the certificate
Run sudo certbot --nginx -d example.com -d www.example.com. Certbot proves domain control, obtains the certificate, and offers to update your Nginx config to serve HTTPS and redirect HTTP traffic. Accept the redirect so all visitors land on the secure version.
Step 4: Verify auto-renewal
Let's Encrypt certificates last 90 days, so renewal must be automatic. Certbot installs a systemd timer or cron job by default. Test it with sudo certbot renew --dry-run to confirm renewal will succeed before the certificate actually expires.
Step 5: Harden your TLS configuration
Out of the box you are secure, but you can do better. Disable old protocols (keep TLS 1.2 and 1.3), enable HSTS, and use a strong cipher suite. Test your configuration with an external SSL analyser and aim for an A or A+ rating.
Free, automatic, trusted HTTPS removes any excuse for serving a site over plain HTTP. Issue the cert, confirm renewal works, then spend ten minutes hardening the TLS settings.
Korur Security Team
Korur Təhlükəsizlik Komandası