A TLS certificate lets clients authenticate a web server; the TLS handshake then negotiates the keys that actually encrypt the traffic. Let's Encrypt issues free, 90-day, domain-validated certificates over the ACME protocol, and certbot automates both issuance and renewal.
Certbot Installation
apt install certbot python3-certbot-nginx # Nginx
apt install certbot python3-certbot-apache # Apache
Obtaining Certificates
Nginx
certbot --nginx -d example.com -d www.example.com
Apache
certbot --apache -d example.com -d www.example.com
Standalone (no web server plugin)
Standalone starts its own listener on port 80 to answer the HTTP-01 challenge, so stop anything bound to that port first (or use the --webroot authenticator, which serves the challenge from an existing document root). certonly only writes the files; you configure and reload the web server yourself.
certbot certonly --standalone -d example.com
Certificate Files
/etc/letsencrypt/live/example.com/ # symlinks into ../../archive/, so always reference live/ from configs
├── cert.pem # Leaf certificate only
├── chain.pem # Issuing intermediate(s)
├── fullchain.pem # cert.pem + chain.pem: what ssl_certificate should point to
└── privkey.pem # Private key, root-only (certbot creates it mode 0600); never copy it elsewhere
Nginx SSL Configuration
server {
    listen 443 ssl http2; # nginx 1.25.1+: use "listen 443 ssl;" plus "http2 on;"
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # leaf + intermediate
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (Mozilla "intermediate" list); HIGH:!aNULL:!MD5 still allows
    # non-forward-secret RSA key exchange and CBC suites. TLS 1.3 suites are not set here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off; # every listed suite is acceptable, so let the client choose
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # nginx ticket keys are long-lived and undermine forward secrecy
    # HSTS: add only once every host under the domain is served over HTTPS
    add_header Strict-Transport-Security "max-age=63072000" always;
}
HTTP to HTTPS Redirect
server {
    listen 80;
    server_name example.com www.example.com;
    # Let's Encrypt's HTTP-01 validator follows redirects, so this does not break renewal;
    # certbot --nginx also adds its own temporary /.well-known/acme-challenge/ location.
    return 301 https://$host$request_uri; # $host keeps whichever name the client asked for
}
Auto-Renewal
# Test renewal against the Let's Encrypt staging CA (no production rate limits consumed)
certbot renew --dry-run
# Renew every certificate within 30 days of expiry; the others are skipped
certbot renew
# Plugin-less renewals (standalone/webroot) do not reload the web server: add
# --deploy-hook "systemctl reload nginx" or drop a script in /etc/letsencrypt/renewal-hooks/deploy/
# Automatic renewal: distro packages ship a systemd timer that runs twice a day;
# snap installs have their own timer (check with: systemctl list-timers | grep certbot)
systemctl enable --now certbot.timer
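Renewal through the --nginx or --apache plugin reloads the server itself, but certonly --standalone and --webroot only write new files, so the running server keeps presenting the old certificate until it is reloaded. The deploy hook below is an added example, not certbot's own code: installed in /etc/letsencrypt/renewal-hooks/deploy/ it runs after every successful renewal, refuses to reload when the renewed certificate and private key do not match, and reloads only if the web server's config test passes. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks; the test and reload commands default to nginx but are parameters so the logic can be exercised on a machine without nginx. The script and file names are placeholders.

```sh
#!/bin/sh
# Added example: certbot deploy hook for plugin-less renewals (standalone/webroot).
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh, mode 0755.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS (space-separated) when it runs a deploy hook.
set -u

# Return 0 when the public key inside the certificate equals the one derived
# from the private key, so the server is never reloaded onto a mismatched pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run the config test and reload only if it passes. Both commands are
# arguments so the decision logic can be tested without a web server:
#   reload_if_valid [test_cmd] [reload_cmd]
reload_if_valid() {
    test_cmd=${1:-"nginx -t"}
    reload_cmd=${2:-"systemctl reload nginx"}
    if $test_cmd >/dev/null 2>&1; then
        $reload_cmd
    else
        echo "deploy hook: config test '$test_cmd' failed; not reloading" >&2
        return 1
    fi
}

# Lineage name (the directory under live/) for log lines.
lineage_name() {
    basename "$1"
}

deploy_hook() {
    lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE not set: certbot runs this hook}
    echo "deploy hook: renewed $(lineage_name "$lineage") for: ${RENEWED_DOMAINS:-?}"
    key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem" ||
        { echo "deploy hook: key/cert mismatch in $lineage" >&2; return 1; }
    reload_if_valid
}

# Only act when certbot invoked us; running the file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

A non-zero exit from a deploy hook is logged by certbot in /var/log/letsencrypt/letsencrypt.log, so a failing config test surfaces there rather than as a silently unreloaded server.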
Wildcard Certificates
Wildcards are issued only via the DNS-01 challenge, so certbot must prove control of the zone with a TXT record at _acme-challenge.example.com. With --manual you create that record yourself at every renewal, so the certificate will not renew unattended unless you also supply a --manual-auth-hook; for automation use a DNS provider plugin (for example python3-certbot-dns-cloudflare) instead. A wildcard does not match the apex name, so request both:
certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
Certificate Information
# Subject, issuer and validity window of the file on disk
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -subject -issuer -dates
# Every lineage certbot manages, with expiry date and days remaining
certbot certificates
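Inspecting the file on disk is not enough: renewal can succeed while the web server keeps serving the old certificate. The expiry monitor below is an added example, not part of certbot or this page's original material: it reads notAfter either from a PEM file or from what a host actually presents (with SNI set explicitly), converts the dates with GNU date, floors the day count so a certificate that expired hours ago is reported as expired rather than as "0 days left", and exits non-zero unless the result is OK so cron or a monitoring agent can alert. The default threshold of 25 days is chosen because certbot renews at 30 days before expiry, so fewer than 25 means renewal has been failing for several days. Hostnames and paths are placeholders.

```sh
#!/bin/sh
# Added example: Let's Encrypt certificate expiry monitor (requires openssl and GNU date).

# Whole days from $1 to $2, both in the format `openssl x509 -enddate` prints
# ("Mar  2 00:00:00 2025 GMT"). Floors toward minus infinity so that a
# certificate that expired 12 hours ago yields -1, not 0.
days_between() {
    from_s=$(date -u -d "$1" +%s) || return 1
    to_s=$(date -u -d "$2" +%s) || return 1
    diff=$((to_s - from_s))
    days=$((diff / 86400))
    if [ "$diff" -lt 0 ] && [ $((diff % 86400)) -ne 0 ]; then
        days=$((days - 1))
    fi
    echo "$days"
}

# Classify days remaining as EXPIRED, WARN or OK. Default threshold 25:
# certbot renews at 30 days left, so under 25 means renewals are failing.
expiry_status() {
    days=$1
    threshold=${2:-25}
    if [ "$days" -lt 0 ]; then echo EXPIRED
    elif [ "$days" -lt "$threshold" ]; then echo WARN
    else echo OK
    fi
}

# notAfter of a PEM certificate on disk, e.g. /etc/letsencrypt/live/example.com/cert.pem
file_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the certificate a server presents for a name. Checking the live
# endpoint catches the case where renewal wrote new files but the server was
# never reloaded and still serves the old certificate.
served_not_after() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# check_cert <label> <notAfter> [threshold]: prints "<STATUS> <label> <days>d"
# and returns non-zero unless the status is OK.
check_cert() {
    now=$(date -u '+%b %e %H:%M:%S %Y GMT')
    days=$(days_between "$now" "$2") || { echo "UNKNOWN $1 (unparseable date: $2)"; return 2; }
    status=$(expiry_status "$days" "${3:-25}")
    echo "$status $1 ${days}d"
    [ "$status" = OK ]
}

# Usage from cron (placeholder names):
#   check_cert example.com "$(served_not_after example.com)"
#   check_cert live/example.com "$(file_not_after /etc/letsencrypt/live/example.com/cert.pem)"
```

Run the served check for every public name on the certificate, not just the apex: a vhost that was never pointed at the renewed lineage is exactly the failure this is meant to catch.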
Best Practices
- Keep auto-renewal enabled and confirm the timer is actually active (systemctl list-timers)
- Allow only TLS 1.2 and 1.3 with forward-secret AEAD cipher suites
- Redirect HTTP to HTTPS and, once every host under the domain is covered, send HSTS
- Monitor the expiry of the certificate the server actually serves, not only the files on disk, and alert before the 30-day renewal window has been missed for long
- Re-run certbot renew --dry-run after any change to the web server, DNS or firewall
- Keep privkey.pem readable by root only and never copy it into a repository or image
SSL/TLS is essential for secure web communication.