This guide explains how to install a free Let's Encrypt SSL certificate on a Linux server running Nginx using Certbot — including automatic renewal.
Prerequisites: Nginx must be installed and running. The A record of your domain must point to your server's IP. Ports 80 and 443 must be open in the firewall.
Replace your-domain.com with your actual domain name. Add further -d parameters for multiple domains:
Certbot asks for an email address for expiry notifications and whether to redirect HTTP to HTTPS automatically. Choose 2 for the automatic redirect — this is the right choice for most websites.
Open your domain in a browser — you should see https:// and the padlock icon. For a detailed check you can use SSL Labs.
Certbot automatically sets up a systemd timer or cron job during installation. Check that the timer is active:
Test the renewal process with a dry run — no real certificate is issued:
If --dry-run succeeds, automatic renewal is working correctly. No further steps needed.
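The steps above (issue the certificate, check the renewal timer, dry-run the renewal) as one script. This is an added example, not part of the original guide. The function names, the script name and the timer unit names are assumptions; it expects Certbot with its Nginx plugin to be installed and must run as root.

```shell
#!/bin/sh
# Added example, not from the original page. Run as root on the Nginx host.
# Assumed: certbot with its nginx plugin is installed; the renewal timer is
# certbot.timer (distro package) or snap.certbot.renew.timer (snap install).

# Build the certbot arguments: --nginx plus one -d per domain.
# Rejects anything that is not a plain hostname, so a pasted or scripted
# domain list cannot smuggle extra options or shell syntax into the call.
certbot_args() {
    [ "$#" -gt 0 ] || { echo "usage: $0 domain [domain ...]" >&2; return 1; }
    args="--nginx"
    for d in "$@"; do
        case "$d" in
            ''|-*|.*|*..*|*[!A-Za-z0-9.-]*)
                echo "invalid domain: $d" >&2; return 1 ;;
        esac
        args="$args -d $d"
    done
    printf '%s\n' "$args"
}

# True if one of the assumed renewal timers is active.
timer_active() {
    for unit in certbot.timer snap.certbot.renew.timer; do
        systemctl is-active --quiet "$unit" && return 0
    done
    return 1
}

main() {
    args=$(certbot_args "$@") || return 1
    # Unquoted on purpose: every token in $args was validated above.
    certbot $args || return 1          # prompts for e-mail and redirect
    nginx -t || return 1               # config must still parse after the edit
    timer_active || echo "no active certbot timer; look for a cron job" >&2
    certbot renew --dry-run            # no real certificate is issued
}

# Runs only when domains are given, e.g. (hypothetical script name):
#   sh issue-cert.sh your-domain.com www.your-domain.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
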
| Error | Cause & fix |
|---|---|
| Connection refused on port 80 | Port 80 is blocked by the firewall. Open it in iptables or nftables. |
| DNS problem: NXDOMAIN | The domain's A record does not point to this server. Check DNS and wait for propagation if needed. |
| too many certificates already issued | Let's Encrypt allows 5 certificates per domain per week. Wait or use a staging certificate for testing. |
| nginx: configuration file test failed | Certbot modified the Nginx config incorrectly. Check with nginx -t and fix manually if needed. |