Setting up your own TLS certificates using Let's Encrypt

In this tutorial, I'll show you how to secure your website with HTTPS by obtaining and installing free TLS certificates from Let's Encrypt. I'll walk you through the entire process step-by-step, from installing the required tools to automating certificate renewal.

Why you need HTTPS

Back in the early days of the web, HTTPS was primarily used for e-commerce sites or pages that handled sensitive information. Today, it's become the standard for all websites. Here's why:

  • It protects your users' data from being intercepted
  • It prevents ISPs from injecting ads into your site
  • It improves your site's ranking in Google search results
  • It enables modern web features like service workers and HTTP/2
  • It builds trust with your visitors (no scary "Not Secure" warnings)

Let's Encrypt has revolutionized the process of getting TLS certificates. Before Let's Encrypt, you'd have to pay a certificate authority (CA) a yearly fee, go through a complicated verification process, and manually install the certificate. Today, you can get certificates for free, and automate the entire process.

What we'll create

By the end of this tutorial, you'll have:

  1. A valid TLS certificate for your domain
  2. Automatic HTTPS redirection for your web server
  3. A renewal process that keeps your certificate up-to-date

Prerequisites

Before we start, make sure you have:

  • A domain name that you control (e.g., myawesomesite.com)
  • A server with shell access running Linux (I'll use Ubuntu 22.04 for this tutorial)
  • Admin/sudo privileges on your server
  • Nginx already installed and configured to serve your domain

Installing Certbot

Let's Encrypt provides a tool called Certbot that makes the certificate issuance process incredibly simple. First, we need to install it on our server.

sudo apt update && \
sudo apt install -y certbot

You'll also want to install the Nginx plugin for Certbot:

sudo apt install -y python3-certbot-nginx

Getting your first certificate

Now comes the exciting part – getting your first certificate! Certbot can automatically configure Nginx to use the certificate, which is super convenient.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your actual domain name. If you want to secure multiple subdomains, add more -d flags as I did with the www subdomain above.

During the process, Certbot will ask for your email address (for renewal notices and security updates) and whether you agree to the terms of service. It will also ask if you want to redirect HTTP traffic to HTTPS automatically – I recommend selecting yes for this option.

If everything goes well, you should see output similar to this:

Congratulations! You have successfully enabled HTTPS on https://yourdomain.com and
https://www.yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

That's it! Your site is now secured with HTTPS. Pretty straightforward, right?

Testing your new certificate

Once your certificate is installed, you should test that everything is working correctly. Open your browser and visit your website using https:// at the beginning of the URL. You should see the padlock icon in your address bar, indicating a secure connection.

For a more thorough check, visit the SSL Labs server test that Certbot mentioned in its output: https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

This tool analyzes your server's SSL/TLS configuration and gives you a grade. Aim for an A rating.

Understanding how Certbot works

Let's take a moment to understand what happened behind the scenes when we ran Certbot:

  1. Certbot created a temporary file on your web server to prove to Let's Encrypt that you control the domain (this is called the HTTP-01 challenge)
  2. Let's Encrypt validated this proof by requesting the file
  3. Once validated, Let's Encrypt issued the certificate
  4. Certbot saved the certificate on your server and updated your web server configuration to use it
  5. Certbot also configured automatic HTTP to HTTPS redirection (if you chose this option)
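The proof in steps 1 and 2 is nothing more than the challenge token joined to a hash of your ACME account's public key. The following added example (not code from the tutorial or from Certbot) computes that key authorization as RFC 8555 and RFC 7638 define it, and checks a fetched response the way the CA does; SAMPLE_ACCOUNT_JWK and SAMPLE_TOKEN are constructed values and the function names are mine.

```python
import base64
import hashlib
import json
import re

# Constructed account key in JWK form (a real ACME account key has a 2048-bit or
# larger modulus); the thumbprint procedure is the same for any size.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed challenge token

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # base64url alphabet, no padding (RFC 8555 s8.3)
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def is_valid_token(token: str) -> bool:
    """Tokens become file names under /.well-known/acme-challenge/, so a
    challenge server must reject anything outside the base64url alphabet."""
    return bool(TOKEN_RE.match(token))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted,
    no whitespace. Extra members such as 'alg' or 'kid' are deliberately ignored."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """The file content the client (Certbot) serves at /.well-known/acme-challenge/<token>."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"

def validate_http01_body(body: bytes, token: str, jwk: dict) -> bool:
    """The CA side: fetch http://<domain>/.well-known/acme-challenge/<token> and compare
    the body (trailing whitespace ignored) with the expected key authorization. The
    thumbprint ties the file to the ACME account whose key signed the order."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, jwk)

if __name__ == "__main__":
    served = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(served)
    print(validate_http01_body((served + "\n").encode(), SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```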

The certificates issued by Let's Encrypt are valid for 90 days. This shorter validity period (compared to traditional certificates that typically last 1-2 years) enhances security by ensuring that compromised certificates have a limited lifespan.

Setting up automatic renewal

Let's Encrypt certificates are short-lived by design, so manual renewal would quickly become annoying. Thankfully, Certbot sets up a systemd timer (or a cron job on older systems) to automatically check and renew certificates that are nearing expiration.

You can verify that the automatic renewal is configured correctly by running a dry run:

sudo certbot renew --dry-run

This command simulates the renewal process without actually changing any certificates. If it runs without errors, you're all set!

The renewal checks typically run twice a day. Certificates are only renewed when they're within 30 days of expiration, so your server won't waste resources trying to renew certificates that are still valid for months.
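The browser check from the testing section and the 30-day renewal window just described can both be verified in code. The following added example (not from the tutorial) connects the way a browser would, confirms every name you passed with -d is covered by the certificate's subjectAltName, and reports how many days remain before Certbot's renewal window opens; it goes slightly beyond the page by handling wildcard names. fetch_cert, SAMPLE_CERT and AS_OF are my own names and constructed values.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30   # Certbot renews once a certificate is within 30 days of expiry

# Constructed sample in the shape SSLSocket.getpeercert() returns, so the checks run offline.
SAMPLE_CERT = {
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
}
AS_OF = datetime(2025, 5, 20, tzinfo=timezone.utc)   # constructed "today" for the sample

def fetch_cert(hostname, port=443):
    """Live check: the default context validates chain and hostname as a browser
    would, so an untrusted (staging) or expired certificate raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """Match one SAN entry; a leading '*' covers exactly one DNS label (RFC 6125)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                                  # ".yourdomain.com"
    return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]

def uncovered_names(cert, hostnames):
    """The -d names that no SAN entry covers; an empty list means all are covered."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(name_matches(s, h) for s in sans)]

def days_until_expiry(cert, now=None):
    """Whole days left; notAfter is in the text format getpeercert() uses."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def renewal_due(cert, now=None):
    """True once the certificate is inside Certbot's renewal window."""
    return days_until_expiry(cert, now) <= RENEW_WINDOW_DAYS

if __name__ == "__main__":
    cert = SAMPLE_CERT   # use fetch_cert("yourdomain.com") against a real server
    print(uncovered_names(cert, ["yourdomain.com", "www.yourdomain.com"]),
          days_until_expiry(cert, AS_OF), renewal_due(cert, AS_OF))
```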

Additional configurations

Improving your security rating

To get an A+ rating on SSL Labs, you might need to tweak your Nginx configuration a bit more. Here's an example of a secure configuration:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # Paths Certbot maintains; the symlinks under live/ always point at the newest certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Strong SSL settings (ssl_ciphers governs TLS 1.2 only; the TLS 1.3 suites are fixed)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP Stapling: verification needs the issuer chain, and Nginx needs a resolver
    # to look up the OCSP responder (127.0.0.53 is the systemd-resolved stub on Ubuntu;
    # adjust it for your resolver)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 127.0.0.53 valid=300s;

    # Add HSTS header. includeSubDomains and preload are hard to undo, so only keep them
    # once every subdomain is served over HTTPS and you intend to submit the domain to
    # the browser preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Rest of your server configuration...
}

Remember to reload Nginx after making these changes:

sudo systemctl reload nginx

Securing multiple domains

If you have multiple domains or subdomains, you can secure them all with a single command:

sudo certbot --nginx -d domain1.com -d www.domain1.com -d domain2.com -d blog.domain1.com

Alternatively, you can run Certbot again for each new domain you want to secure.

Using DNS-01 challenges for wildcard certificates

If you want to secure all possible subdomains with a wildcard certificate (*.yourdomain.com), you'll need to use a different validation method called the DNS-01 challenge. This requires adding a specific TXT record to your domain's DNS configuration.

sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com -d *.yourdomain.com

Follow the prompts and add the TXT records as instructed. Note that wildcard certificates always require DNS validation, and because this command uses --manual, certbot renew cannot complete the challenge on its own: automating renewal needs a Certbot DNS plugin for your DNS provider, or an authentication hook script that creates the TXT record for you.

Troubleshooting common issues

Rate limiting

Let's Encrypt has rate limits to prevent abuse. The most important ones to be aware of are:

  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
  • 5 failed validations per account, per hostname, per hour

If you hit a rate limit, you'll need to wait before trying again. During testing, always use the --staging flag to avoid hitting production rate limits:

sudo certbot --staging --nginx -d yourdomain.com

Staging certificates are signed by a test CA that browsers don't trust, so if Certbot installs one into Nginx your visitors will see warnings; once the staging run succeeds, rerun the command without --staging to replace it with a real certificate.

Connection problems

If Certbot can't connect to your server to validate domain ownership, check:

  1. Firewall settings (port 80 must be reachable from the internet, because the HTTP-01 challenge always arrives there, and port 443 for the HTTPS site itself)
  2. Web server configuration (make sure your server responds to requests for your domain)
  3. DNS configuration (ensure your domain correctly points to your server's IP)

Conclusion

Setting up HTTPS with Let's Encrypt is now easier than ever, and there's really no excuse for running an insecure website. The process is free, automated, and provides the same level of encryption as paid certificates.

I hope this tutorial has helped you secure your website. If you run into any issues or have any questions, feel free to leave a comment below.