
Free SSL with Let's Encrypt: Setting Up Automatic Renewal
Merve Arslan
WordPress & Hosting Expert
Let's Encrypt is a certificate authority that provides free DV (Domain Validation) SSL/TLS certificates, aiming to make internet traffic encryption widespread. As of 2024, it is the world's largest certificate provider with over 300 million active certificates. Certificates are valid for 90 days, and you can ensure uninterrupted HTTPS by configuring automatic renewal with certbot.
Certbot Installation and First Certificate
# Install Certbot (Ubuntu/Debian)
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
# Automatic certificate setup with Nginx
sudo certbot --nginx -d example.com -d www.example.com
# Or webroot mode (nginx keeps running and serves the challenge files)
sudo certbot certonly --webroot -w /var/www/html \
    -d example.com -d www.example.com
# Certificate files:
# /etc/letsencrypt/live/example.com/fullchain.pem
# /etc/letsencrypt/live/example.com/privkey.pem
Nginx SSL Configuration
# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Secure TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
}
Automatic Renewal Configuration
Let's Encrypt certificates are valid for 90 days. Certbot's automatic renewal timer is usually activated during installation. Test the renewal process and verify the cron/systemd timer is working.
# Run renewal test (does not actually renew)
sudo certbot renew --dry-run
# Check systemd timer status
sudo systemctl status certbot.timer
# If you want to add a manual cron:
# 0 3 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
# View certificate information
sudo certbot certificates
# Wildcard certificate (requires DNS challenge)
sudo certbot certonly --manual --preferred-challenges dns \
    -d "*.example.com" -d example.com
💡 Tip: Wildcard certificates require DNS challenge and DNS API integration for automatic renewal. Certbot plugins are available for DNS providers like Cloudflare, DigitalOcean, and Route53. Example: certbot --dns-cloudflare
For detailed information about SSL/TLS certificate types, check our SSL/TLS Certificate Types guide. For Nginx configuration, see our Nginx Reverse Proxy guide. For server security, review our Hardening Checklist. Build your infrastructure with free SSL support on Hosted Cloud cloud servers.
Frequently Asked Questions
Is a Let's Encrypt certificate as secure as paid certificates?
Yes, in terms of encryption strength, Let's Encrypt DV certificates are identical to paid DV certificates. The difference is only in the validation level. OV/EV certificates may be preferred for e-commerce sites, but encryption quality is the same.
What happens if certificate renewal fails?
Certbot attempts renewal 30 days before the certificate expires. If it fails, it retries multiple times. If the certificate expires, your site will show an HTTPS warning. Set up post-renewal notifications with deploy-hook.
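A deploy hook runs only after a successful renewal, so a renewal that keeps failing stays silent unless something inspects the certificate itself. The script below is an added example, not part of the original article: it classifies a certificate by remaining lifetime with `openssl x509 -checkend`. The function names, the 20-day threshold and the self-signed sample certificates are assumptions made for the demo; on a real server, point it at /etc/letsencrypt/live/example.com/fullchain.pem.

```shell
#!/bin/sh
# Added example: expiry monitor for certbot-managed certificates.
# Certbot renews about 30 days before expiry, so a certificate with fewer
# than warn_days days left means renewal has been failing for a while.

# cert_status <pem-file> [warn_days]
# Prints OK, RENEWAL_OVERDUE, EXPIRED or UNREADABLE (exit code 0/1/2/3).
cert_status() {
    local pem="$1" warn_days="${2:-20}"
    # A missing or corrupt file must never be reported as healthy.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) \
            -in "$pem" >/dev/null 2>&1; then
        echo RENEWAL_OVERDUE; return 1
    fi
    echo OK
}

# make_sample_cert <out.pem> <days>
# Constructed self-signed certificate, used only to exercise cert_status.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=example.com" >/dev/null 2>&1
}

# Demo on constructed certificates: one fresh (90 days), one close to expiry.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/fresh.pem" 90
make_sample_cert "$demo_dir/stale.pem" 10
for name in fresh stale; do
    echo "$name: $(cert_status "$demo_dir/$name.pem" 20)"
done
rm -rf "$demo_dir"
```

Run it daily from cron or a systemd timer and alert on any non-zero exit code.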
What is the rate limit, and how do you work around it?
Let's Encrypt applies a limit of 50 certificates per domain per week. Use the --staging flag during testing for unlimited tests in the staging environment. Verify with staging before obtaining production certificates.
Can I get a single certificate for multiple domains?
Yes, with a SAN (Subject Alternative Name) certificate, you can define up to 100 domains in a single certificate. Add them using the -d parameter multiple times in Certbot: -d a.com -d b.com -d c.com
Why is the 90-day period so short?
The short period provides a security advantage: the impact duration of a compromised certificate is limited. It also encourages automatic renewal and makes certificate management automation mandatory. The duration is not an issue once automatic renewal with Certbot is set up.
Conclusion
Getting a free SSL certificate with Let's Encrypt and configuring automatic renewal takes minutes. Automate the HTTPS transition with Certbot's Nginx integration, enhance security with HSTS, and protect all your subdomains with wildcard certificates.
Secure Hosting with Free SSL
Get Let's Encrypt integration and automatic SSL renewal support with Hosted Cloud cloud servers.