SSL/TLS certificates are no longer optional - they are a requirement for every website. They encrypt data in transit, boost your SEO rankings, enable HTTP/2 performance benefits, and build user trust. Let's Encrypt provides free, automated SSL certificates, and Certbot makes the process seamless on your SakuraHost VPS.
1. Installing Certbot
Certbot is the official Let's Encrypt client. The recommended installation method uses snap, which ensures you always have the latest version.
Verify the installation with certbot --version.
2. Obtaining Your SSL Certificate
Certbot's Nginx plugin handles everything automatically - obtaining the certificate, modifying your Nginx configuration, and setting up HTTPS redirects.
You will be prompted to:
- Enter your email address for renewal notifications
- Accept the Let's Encrypt Terms of Service
- Choose whether to redirect HTTP to HTTPS (recommended: select option 2 for redirect)
Certbot will automatically verify domain ownership via the HTTP-01 challenge, download the certificate, update your Nginx configuration, and reload the server.
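The steps in sections 1 and 2 as one script. This is an added example, not the page's own commands: it installs Certbot from snap the way the Certbot project documents it and then runs the Nginx plugin non-interactively, with --redirect standing in for choosing option 2 at the prompt and --agree-tos and -m answering the Terms of Service and e-mail questions. The e-mail address and hostnames are constructed placeholders; nothing runs unless the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example: install Certbot from snap and request a certificate with the
# Nginx plugin. The e-mail address and hostnames are constructed placeholders.
set -eu

# Build the repeated "-d" arguments Certbot expects, one per hostname.
build_domain_args() {
    args=""
    for host in "$@"; do
        args="$args -d $host"
    done
    # strip the leading space
    printf '%s' "${args# }"
}

# Install Certbot the way the snap instructions recommend and make the binary
# reachable on PATH. Requires root.
install_certbot() {
    sudo snap install core
    sudo snap refresh core
    sudo snap install --classic certbot
    sudo ln -sf /snap/bin/certbot /usr/bin/certbot
    certbot --version
}

# Request and install a certificate for the given hostnames. --redirect is the
# non-interactive equivalent of choosing option 2 (redirect HTTP to HTTPS);
# --agree-tos and -m replace the interactive ToS and e-mail prompts.
obtain_certificate() {
    email="$1"; shift
    # shellcheck disable=SC2046  # word-splitting of the -d arguments is intended
    sudo certbot --nginx --redirect --agree-tos --no-eff-email \
        -m "$email" $(build_domain_args "$@")
}

# Only act when explicitly asked, so the script can be read or sourced safely.
if [ "${1:-}" = "run" ]; then
    install_certbot
    obtain_certificate "admin@example.com" "example.com" "www.example.com"
fi
```

Run it as sh install-cert.sh run on the VPS; afterwards certbot --version confirms the snap binary is on PATH and the Nginx plugin has already reloaded the server with the new certificate.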
3. Understanding What Certbot Changes
After running Certbot, your Nginx server block will include additional directives. Here is what a secured configuration looks like:
The first server block redirects all HTTP traffic to HTTPS. The second block handles encrypted HTTPS connections with the Let's Encrypt certificate files.
4. Optimizing SSL Configuration
Strengthen your SSL configuration for an A+ rating on SSL Labs by adding these settings to your server block:
After making changes, always test and reload:
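The configuration that sections 3 and 4 describe, rendered by a script. This is an added example, not the configuration Certbot itself writes: the two server blocks follow the shape the Nginx plugin leaves behind (an HTTP block that redirects, an HTTPS block pointing at the Let's Encrypt files under /etc/letsencrypt/live/), with the hardening directives for a strong SSL Labs rating added to the HTTPS block. The domain, the web root under /var/www and the site file path under /etc/nginx/sites-available are assumptions. The ACME challenge path stays reachable over plain HTTP so renewals keep working after the redirect is in place.

```shell
#!/bin/sh
# Added example: render the HTTP redirect block and the hardened HTTPS block,
# then validate and reload Nginx. Domain, web root and site file path are
# assumptions; certificate paths are where Let's Encrypt keeps live files.
set -eu

# Server block 1: answer plain HTTP only to redirect it to HTTPS.
# The ACME HTTP-01 path is excluded from the redirect so renewals still work.
render_http_redirect() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Server block 2: TLS endpoint using the Let's Encrypt certificate files plus
# the hardening settings (modern protocols only, OCSP stapling, HSTS).
render_https_server() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # nginx 1.25.1 or newer; older releases take "listen 443 ssl http2;" instead
    http2 on;
    server_name $domain www.$domain;
    root /var/www/$domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # Hardening: drop TLS 1.0/1.1 and let clients pick among modern AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: send the CA's revocation status with the handshake.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$domain/chain.pem;

    # HSTS: browsers remember to use HTTPS for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

# Write both blocks to the site file, then test before reloading so a typo
# never takes the server down.
apply_config() {
    domain="$1"
    conf="/etc/nginx/sites-available/$domain"
    { render_http_redirect "$domain"; render_https_server "$domain"; } | sudo tee "$conf" >/dev/null
    sudo nginx -t && sudo systemctl reload nginx
}

if [ "${1:-}" = "apply" ]; then
    apply_config "example.com"
fi
```

Running sh nginx-tls.sh apply writes the file and reloads only if nginx -t passes; to inspect the output first, call render_https_server example.com on its own and compare it with what Certbot already placed in your server block.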
5. Automatic Certificate Renewal
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer that automatically checks for renewal twice daily.
If the dry run succeeds, your certificates will renew automatically without intervention. Certbot also reloads Nginx after renewal.
Manual Renewal
If you ever need to force a renewal:
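A renewal check script for section 5. This is an added example, not part of the page: it lists the systemd timer the Certbot snap installs (snap.certbot.renew.timer), rehearses a renewal with --dry-run, forces one when asked, and reports how many days a live certificate has left so you can tell whether the automatic renewal has actually fired. The domain and certificate path are assumptions; the date parsing uses GNU date as found on Ubuntu and Debian.

```shell
#!/bin/sh
# Added example: verify automatic renewal and measure remaining certificate
# lifetime. Domain and certificate path are assumptions.
set -eu

# Integer days between two Unix timestamps (expiry, now); negative once expired.
days_left() {
    expiry="$1"; now="$2"
    echo $(( (expiry - now) / 86400 ))
}

# Read notAfter from a PEM certificate and convert it to days remaining.
# GNU date syntax; on BSD/macOS use "date -j -f" instead.
cert_days_left() {
    pem="$1"
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    days_left "$(date -d "$end" +%s)" "$(date +%s)"
}

# The snap package schedules renewal through systemd; confirm the timer exists.
show_renewal_timer() {
    systemctl list-timers --no-pager snap.certbot.renew.timer
}

# Dry run: exercises the whole renewal path (challenge, issuance, Nginx reload)
# against the staging environment without replacing the real certificate.
rehearse_renewal() {
    sudo certbot renew --dry-run
}

# Forced renewal for the cases the text describes. The Nginx plugin reloads
# the server itself once the new certificate is installed.
force_renewal() {
    sudo certbot renew --force-renewal
}

if [ "${1:-}" = "check" ]; then
    show_renewal_timer
    rehearse_renewal
    d=$(cert_days_left /etc/letsencrypt/live/example.com/fullchain.pem)
    echo "example.com: $d days until expiry"
    # Certbot renews when 30 days or fewer remain; below that, renewal has
    # been missed and the log deserves a look.
    [ "$d" -gt 30 ] || echo "WARNING: renewal is overdue; inspect /var/log/letsencrypt/letsencrypt.log"
fi
```

With the timer in place the script should print a renewal date within the next twelve hours and a dry run that ends in "Congratulations, all simulated renewals succeeded"; a days-left value at or below 30 means the automatic path is not working and force_renewal plus the log are the next step.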
6. Managing Multiple Domains
You can secure additional domains by running Certbot again:
Wildcard Certificates
For wildcard certificates (covering all subdomains), use DNS verification:
You will be prompted to create a DNS TXT record. This approach requires manual renewal unless you configure a DNS plugin for your provider.
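Section 6 in script form. This is an added example rather than the page's own commands: it extends an existing certificate with more hostnames using --expand, and switches to the manual DNS-01 challenge whenever a wildcard is requested, because HTTP-01 (and therefore the --nginx plugin) cannot validate a wildcard name. Hostnames are constructed placeholders, and the decision helper is the author's own, not Certbot's.

```shell
#!/bin/sh
# Added example: add hostnames to an existing certificate, or request a
# wildcard through DNS-01. Hostnames are constructed placeholders.
set -eu

# Return 0 if any requested name is a wildcard. Such names cannot be proven
# with HTTP-01, so the Nginx plugin will not work for them; DNS-01 is required.
needs_dns_challenge() {
    for host in "$@"; do
        case "$host" in
            \*.*) return 0 ;;
        esac
    done
    return 1
}

# Turn hostnames into Certbot's repeated -d arguments.
domain_args() {
    out=""
    for host in "$@"; do out="$out -d $host"; done
    printf '%s' "${out# }"
}

# Add hostnames to the certificate whose first name already exists (--expand)
# instead of creating a second, separately renewed certificate.
add_domains() {
    # shellcheck disable=SC2046  # word-splitting of the -d arguments is intended
    sudo certbot --nginx --expand $(domain_args "$@")
}

# Wildcard: manual DNS-01. Certbot prints the TXT record to create under
# _acme-challenge.<domain>; with a provider DNS plugin this step, and renewal,
# become automatic.
request_wildcard() {
    # shellcheck disable=SC2046
    sudo certbot certonly --manual --preferred-challenges dns $(domain_args "$@")
}

# Pick the right path for a list of hostnames.
request() {
    if needs_dns_challenge "$@"; then
        request_wildcard "$@"
    else
        add_domains "$@"
    fi
}

if [ "${1:-}" = "run" ]; then
    request example.com www.example.com blog.example.com
    request example.com '*.example.com'
fi
```

The wildcard request uses certonly, so the certificate is written under /etc/letsencrypt/live/ but the Nginx configuration is left for you to point at it; the --nginx path does both in one step for ordinary hostnames.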
7. Troubleshooting Common Issues
- "Challenge failed" error - Ensure ports 80 and 443 are open in your firewall (sudo ufw allow 'Nginx Full') and that DNS points to your server
- "Too many certificates" error - Let's Encrypt limits you to 50 certificates per registered domain per week. Use the staging environment for testing by adding the --staging flag
- Mixed content warnings - Update all internal links, image URLs, and script references to use HTTPS or protocol-relative URLs
- Renewal failures - Check /var/log/letsencrypt/letsencrypt.log for detailed error messages
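A small triage script for the troubleshooting list. This is an added example, not part of the page: it reads the tail of the Certbot log, classifies the most recent failure by the phrases Certbot and the ACME server use for connectivity, DNS and rate-limit problems, and prints the matching remedy from the list above. The two log excerpts embedded in the script are constructed samples in Certbot's log format, not copied from a real server; the log path is Certbot's default.

```shell
#!/bin/sh
# Added example: classify a failed Certbot run from its log and map it to a
# fix. Embedded log excerpts are constructed samples; the log path is Certbot's
# default.
set -eu

LOG=/var/log/letsencrypt/letsencrypt.log

# Constructed sample: an HTTP-01 challenge that never reached the server.
SAMPLE_CHALLENGE_FAILED='2024-05-01 10:00:01,123:INFO:certbot._internal.auth_handler:http-01 challenge for example.com
2024-05-01 10:00:12,456:INFO:certbot._internal.auth_handler:Challenge failed for domain example.com
2024-05-01 10:00:12,457:ERROR:certbot._internal.auth_handler:  Detail: 203.0.113.10: Fetching http://example.com/.well-known/acme-challenge/token: Timeout during connect (likely firewall problem)'

# Constructed sample: the weekly issuance limit hit while testing.
SAMPLE_RATE_LIMIT='2024-05-01 11:30:00,001:ERROR:certbot._internal.log:Error creating new order :: too many certificates already issued for "example.com"'

# Read log text on stdin and print one category:
# firewall-or-dns, rate-limit, or unknown.
classify_failure() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -qiE 'Timeout during connect|Connection refused|NXDOMAIN|DNS problem'; then
        echo firewall-or-dns
    elif printf '%s\n' "$text" | grep -qi 'too many certificates'; then
        echo rate-limit
    else
        echo unknown
    fi
}

# Map a category to the remedy from the troubleshooting list.
suggest_fix() {
    case "$1" in
        firewall-or-dns) echo "Open ports 80/443 (sudo ufw allow 'Nginx Full') and confirm DNS resolves to this server" ;;
        rate-limit)      echo "Wait for the weekly window to pass; test against staging with --staging" ;;
        *)               echo "Read $LOG for the full error detail" ;;
    esac
}

# Look at the most recent attempt in the real log and print a diagnosis.
triage_log() {
    category=$(sudo tail -n 200 "$LOG" | classify_failure)
    echo "category: $category"
    suggest_fix "$category"
}

if [ "${1:-}" = "triage" ]; then
    triage_log
fi
```

Run sh certbot-triage.sh triage right after a failed certbot invocation; the 200-line tail covers one attempt comfortably, and anything classified as unknown is a cue to read the log in full rather than to retry, since retries against production count toward the weekly limit.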