If you’re on a VPS without cPanel or Enhance, SSL isn’t automatic. You need to install and renew certificates yourself. This guide covers Certbot (Let’s Encrypt) for free certs and manual installation for commercial certs.

Before You Start

SSL requires:

  • A domain name pointing to your server (A record resolving to your server’s IP)
  • Ports 80 and 443 open in your firewall
  • Nginx or Apache installed and serving your site on port 80

If your DNS isn’t set up yet, Certbot will fail. Verify first:

  dig +short yourdomain.com
  # Should return your server IP

Method 1: Certbot (Let’s Encrypt)

Let’s Encrypt issues free SSL certificates. Certbot handles the entire process - obtaining, installing, and auto-renewing.

Install Certbot

Get a Certificate with Nginx

  sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot does everything:

  1. Proves you own the domain (via a challenge on port 80)
  2. Downloads the certificate
  3. Configures Nginx to use it
  4. Sets up HTTPS redirect

You’ll be asked for an email (for renewal notices) and to accept the terms.

Get a Certificate with Apache

  sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Same flow - Certbot modifies your Apache VirtualHost automatically.

Standalone Mode (No Web Server Plugin)

If you run something other than Nginx/Apache, or want full control:

  # Stop your web server temporarily
  sudo systemctl stop nginx

  # Get the certificate
  sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

  # Start your web server again
  sudo systemctl start nginx

The certificates land in /etc/letsencrypt/live/yourdomain.com/:

  File            What It Is
  fullchain.pem   Your certificate + intermediate chain
  privkey.pem     Your private key
  cert.pem        Just your certificate (rarely needed alone)
  chain.pem       Just the intermediate chain

Wildcard Certificates

Wildcard certs (*.yourdomain.com) require DNS validation:

  sudo certbot certonly --manual --preferred-challenges=dns -d "*.yourdomain.com" -d yourdomain.com

Certbot will ask you to create a TXT record at _acme-challenge.yourdomain.com. Add it in your DNS provider, wait a minute, then press Enter.

Auto-Renewal

Certbot sets up auto-renewal by default. Verify it:

  # Test renewal (dry run - doesn't actually renew)
  sudo certbot renew --dry-run

  # Check the systemd timer
  sudo systemctl status certbot.timer

If the timer isn’t active:

  sudo systemctl enable --now certbot.timer

Certificates renew when they have fewer than 30 days left. You’ll get email warnings at 20 days and 10 days if renewal fails.

Method 2: Commercial SSL Certificate

If you bought an SSL certificate from a CA (DigiCert, Comodo/Sectigo, GeoTrust, etc.), here’s how to install it.

Step 1: Generate a CSR

  # Generate private key and CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

You’ll be prompted for details. The important field is Common Name (CN) - enter your domain (e.g., yourdomain.com).

  # View the CSR (copy this to your certificate provider)
  cat yourdomain.csr

Submit the CSR to your certificate authority. They’ll send you the signed certificate files.

Step 2: Prepare the Certificate Files

Your CA typically sends:

  • yourdomain.crt - your certificate
  • ca-bundle.crt or intermediate.crt - the CA’s chain

Combine them into a single file:

  cat yourdomain.crt ca-bundle.crt > fullchain.crt

Move everything to a secure location:

  sudo mkdir -p /etc/ssl/yourdomain.com
  sudo mv fullchain.crt /etc/ssl/yourdomain.com/
  sudo mv yourdomain.key /etc/ssl/yourdomain.com/
  sudo chmod 600 /etc/ssl/yourdomain.com/yourdomain.key

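Before wiring the files into your web server, it is worth confirming that the private key really belongs to the certificate and that the certificate chains to the bundle the CA sent; a mismatch here is what produces the "certificate chain is incomplete" and "key values mismatch" errors at startup. The script below is an added example, not part of the original guide: it runs those two checks with openssl, then builds fullchain.crt and installs it next to the key with the permissions shown above. File names follow Step 2, the destination directory is an argument, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a commercial
# certificate before installing it, then install it with safe permissions.
# Assumes openssl is on the PATH. File names mirror Step 2; the destination
# directory (e.g. /etc/ssl/yourdomain.com) is passed as the last argument.

# Return 0 if the private key and the certificate carry the same public key.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    # Compare SubjectPublicKeyInfo blobs via their SHA-256 digests.
    [ "$(printf '%s' "$cert_pub" | openssl dgst -sha256)" = \
      "$(printf '%s' "$key_pub"  | openssl dgst -sha256)" ]
}

# Return 0 if the leaf certificate verifies against the CA bundle you were sent.
chain_verifies() {
    cert="$1"; bundle="$2"
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Build fullchain.crt and install it plus the key under $dest (key mode 600).
install_cert() {
    cert="$1"; key="$2"; bundle="$3"; dest="$4"
    cert_matches_key "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
    chain_verifies "$cert" "$bundle" || { echo "$cert does not verify against $bundle" >&2; return 1; }
    mkdir -p "$dest"
    # Leaf certificate first, then the intermediates: the order TLS servers expect.
    cat "$cert" "$bundle" > "$dest/fullchain.crt"
    cp "$key" "$dest/$(basename "$key")"
    chmod 644 "$dest/fullchain.crt"
    chmod 600 "$dest/$(basename "$key")"
}

# Usage (run as root so the files land in /etc/ssl):
#   install_cert yourdomain.crt yourdomain.key ca-bundle.crt /etc/ssl/yourdomain.com
```

If `install_cert` refuses to proceed, the usual causes are a CSR that was regenerated after submission (so the key on disk is no longer the one the CA signed) or a bundle that is missing an intermediate; fix the input rather than skipping the check.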
Step 3: Configure Your Web Server
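
Below is an added example of the Nginx side of this step, not from the original guide: a small shell function that prints a server block pointing at the files installed in Step 2 (fullchain.crt and yourdomain.key under /etc/ssl/yourdomain.com, both assumptions taken from the paths above). It redirects port 80 to HTTPS, the same thing Certbot's --nginx plugin does for you, and restricts the protocol versions to TLS 1.2 and 1.3, which is the Mozilla "intermediate" recommendation.

```shell
#!/bin/sh
# Added example (not from the original guide): render an Nginx server block
# for the certificate installed in Step 2. Paths are assumptions that follow
# the guide's layout; adjust them if your files live elsewhere.

render_nginx_ssl_conf() {
    domain="$1"      # e.g. yourdomain.com
    certdir="$2"     # e.g. /etc/ssl/yourdomain.com
    keyfile="$3"     # e.g. yourdomain.key (as moved in Step 2)
    cat <<EOF
# Send every plain-HTTP request to HTTPS (Certbot's --nginx plugin does the same).
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     $certdir/fullchain.crt;
    ssl_certificate_key $certdir/$keyfile;

    # Mozilla "intermediate" profile: modern TLS only, client picks the cipher.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    root /var/www/$domain;
    index index.html;
}
EOF
}

# Usage: write the block, then validate and reload.
#   render_nginx_ssl_conf yourdomain.com /etc/ssl/yourdomain.com yourdomain.key \
#       | sudo tee /etc/nginx/sites-available/yourdomain.com >/dev/null
#   sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
#   sudo nginx -t && sudo systemctl reload nginx
```

Always run `nginx -t` before reloading: a wrong path in ssl_certificate or ssl_certificate_key is reported there instead of taking the site down.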

Verify Your SSL Installation

After installing, check that everything is correct:

  # Quick check from your server
  openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null | openssl x509 -noout -dates

  # Check certificate chain
  openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

  # From your local machine
  curl -vI https://yourdomain.com 2>&1 | grep -E "expire|subject|issuer"

Or use SSL Labs for a detailed report and grade.
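
The openssl one-liners above print the raw notAfter date, which is easy to misread. As an added example (not from the original guide), the functions below turn that date into "days left" and flag a certificate that has crossed Certbot's 30-day renewal threshold from the Auto-Renewal section, so the same check can run from cron against a PEM file or a live host. They assume openssl and GNU date, as found on most Linux VPS images.

```shell
#!/bin/sh
# Added example (not from the original guide): days-until-expiry for a
# certificate, either from a PEM file or from a live TLS endpoint.
# Assumes openssl and GNU date (date -d). Threshold defaults to 30 days,
# matching when Certbot normally renews.

# Print the certificate's notAfter as seconds since the epoch (PEM on stdin).
cert_not_after_epoch() {
    end=$(openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || return 1
    date -u -d "$end" +%s
}

# Whole days left for a PEM file (rounded down).
days_until_expiry_file() {
    now=$(date -u +%s)
    end=$(cert_not_after_epoch < "$1") || return 1
    echo $(( (end - now) / 86400 ))
}

# Same for a live host: fetch the leaf certificate the way the s_client check
# above does (this one needs network access).
days_until_expiry_host() {
    host="$1"; port="${2:-443}"
    now=$(date -u +%s)
    end=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | cert_not_after_epoch) || return 1
    echo $(( (end - now) / 86400 ))
}

# Return 0 (renewal needed) when fewer than $2 days remain; default 30.
needs_renewal() {
    days="$1"; threshold="${2:-30}"
    if [ "$days" -lt "$threshold" ]; then
        echo "renew now: $days days left (threshold $threshold)"
        return 0
    fi
    echo "ok: $days days left"
    return 1
}

# Usage, e.g. from a daily cron job that mails on exit status 0:
#   needs_renewal "$(days_until_expiry_file /etc/letsencrypt/live/yourdomain.com/fullchain.pem)"
#   needs_renewal "$(days_until_expiry_host yourdomain.com)"
```

Checking the live host rather than the file on disk is the more useful of the two: it catches the case where Certbot renewed successfully but the web server was never reloaded and is still serving the old certificate.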

Troubleshooting

Problem: Certbot: “Could not connect to the server”
Fix: DNS isn’t pointed to this server yet. Check with dig yourdomain.com.

Problem: Certbot: “Challenge failed”
Fix: Port 80 is blocked. Check your firewall: sudo ufw status or sudo firewall-cmd --list-all.

Problem: Browser shows “Not Secure” after installing cert
Fix: You’re loading HTTP resources on an HTTPS page (mixed content). Check the browser console for blocked resources.

Problem: “Certificate chain is incomplete”
Fix: You’re missing the intermediate certificate. Use fullchain.pem (Certbot) or concatenate your cert with the CA bundle.

Problem: Certificate expired despite auto-renewal
Fix: Check the Certbot timer: sudo systemctl status certbot.timer. Check logs: sudo journalctl -u certbot.

Problem: Let’s Encrypt rate limits
Fix: You can only issue 50 certificates per domain per week. Use --staging for testing.

Problem: Multi-domain cert - “invalid domain”
Fix: All domains must resolve to this server. Check each one with dig.

Problem: Permission denied on key file
Fix: Key must be readable by the web server user. Check: ls -la /etc/ssl/yourdomain.com/.

Last updated 21 Apr 2026, 08:08 +0300.