SSL certificates encrypt traffic between your server and visitors. Without one, browsers display security warnings that drive visitors away. Certbot automates the installation of free Let’s Encrypt certificates and handles renewal automatically.
You will install Certbot, generate SSL certificates for your domain and configure your web server to serve traffic over HTTPS. Once complete, your site loads securely with the padlock icon visible in browsers.
Before you begin
- Certbot must be installed on your server.
- Your web server (Apache or Nginx) must be running.
- Ports 80 and 443 must be open. See our guide on opening ports in firewalld if needed.
- We recommend completing the initial server setup for Debian if this is a new server.
Generate and install SSL certificates
Certbot generates SSL certificates and automatically configures your web server to use them. This process secures your entire domain and enables HTTPS in one command.
- Run the Certbot command for your web server.
Connect to your server via SSH and run the appropriate command. For Apache, usesudo certbot --apache. For Nginx, usesudo certbot --nginx. This generates certificates and modifies your web server configuration to enable HTTPS. - Enter your email address.
Certbot will prompt you for an email address. This receives renewal reminders and important security notices about your certificates. - Agree to the terms of service.
Read and accept the Let’s Encrypt terms of service when prompted. TypeYand press Enter to continue. - Select your domain.
Certbot displays a list of domains configured in your web server. Enter the number corresponding to the domain you want to secure, or press Enter to secure all listed domains. - Enable HTTP to HTTPS redirection.
When prompted about redirection, select the option to redirect all HTTP traffic to HTTPS. This prevents visitors from accessing the unsecured version of your site. Type2and press Enter.
Certbot completes the installation and displays confirmation that your certificates are active. Your web server now serves traffic over HTTPS.
Generate certificates for specific domains
If you host multiple sites or need to specify exact domains, you can generate certificates for specific domain names. This gives you precise control over which domains receive certificates.
- Run Certbot with domain flags.
Use the-dflag to specify each domain. For Apache, runsudo certbot --apache -d example.com -d www.example.com. For Nginx, runsudo certbot --nginx -d example.com -d www.example.com. Replace example.com with your actual domain name. - Complete the prompts.
Follow the same prompts as the previous section: enter your email address, agree to the terms and enable HTTPS redirection.
Certbot generates certificates only for the domains you specified. This approach works well when managing multiple sites on one server.
Generate certificates without automatic configuration
The certonly option generates SSL certificates without modifying your web server configuration. This is useful for staging environments or when you want to configure HTTPS manually.
- Run Certbot in certificate-only mode.
For Apache, usesudo certbot certonly --apache. For Nginx, usesudo certbot certonly --nginx. This generates certificates but leaves your web server configuration unchanged. - Note the certificate location.
Certbot displays the path where your certificates are stored, typically/etc/letsencrypt/live/yourdomain.com/. You will need these paths when configuring HTTPS manually.
Your certificates are now ready to use. Configure your web server to reference these certificate files when you are ready to enable HTTPS.
Test your SSL installation
After installing certificates, verify that HTTPS works correctly and HTTP traffic redirects as expected. This confirms your site is fully secured.
- Restart your web server.
Apply the configuration changes by restarting your web server. See our guide on restarting Apache for instructions. - Visit your site using HTTPS.
Open your browser and navigate tohttps://yourdomain.com. You should see a padlock icon in the address bar, confirming the SSL certificate is active. - Test the HTTP redirect.
Try accessinghttp://yourdomain.com(without the S). Your browser should automatically redirect to the HTTPS version. This confirms the redirect is working correctly. - Run an SSL test.
Use an external testing tool like Qualys SSL Labs to verify your SSL configuration. This checks for common security issues and provides a grade for your setup.
Your SSL certificate is now active and your site loads securely over HTTPS. Certbot will automatically renew your certificates before they expire.
Wrapping up
Your site now serves traffic over HTTPS with a valid SSL certificate. You installed Certbot, generated Let’s Encrypt certificates and configured your web server to redirect HTTP traffic to HTTPS. Visitors see the padlock icon in their browser, confirming their connection is encrypted.
Certbot automatically renews certificates before they expire, so you do not need to repeat this process. Check your renewal configuration by running sudo certbot renew --dry-run to confirm automatic renewal is working. Our Debian server setup guide covers additional security hardening steps you may want to implement.
Need more power?
Get scalable resources with our VPS hosting with root access and optional software.
Get VPS Hosting
Starting something new?
Perfect for websites and small businesses unlimited bandwidth with cPanel hosting.
Get cPanel Hosting