
Let's Encrypt Tutorial — Automatic HTTPS Certificates

15. 08. 2025 Updated: 27. 03. 2026 1 min read intermediate

Let’s Encrypt provides free TLS certificates with automatic renewal, and there is no reason not to have HTTPS. Certificates are valid for 90 days, which motivates automating renewal and reduces the impact of potential key compromise. Let’s Encrypt issues over 400 million certificates and is trusted by all modern browsers and operating systems.

Installation and usage

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

Certbot automatically modifies the Nginx configuration: it adds SSL directives, sets up the HTTP-to-HTTPS redirect, and sets the certificate paths. For Apache, there is an equivalent python3-certbot-apache plugin. Certbot also supports a standalone mode that needs no web server, useful for servers with non-standard configurations.

Wildcard certificate

sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d '*.example.com' -d example.com

Wildcard certificates cover all subdomains with a single certificate. They require a DNS-01 challenge, in which certbot proves domain ownership by creating a TXT DNS record. For automation, a DNS plugin is needed (Cloudflare, Route53, DigitalOcean, and others). The DNS challenge is also the only option for servers not accessible from the internet.

Automatic renewal

sudo certbot renew --dry-run
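# Crontab alternative to the systemd timer. Run it twice a day: certbot only
# renews certificates that are due, and a failed attempt is retried in time.
# 0 0,12 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"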

Certbot automatically sets up a systemd timer for renewal. The deploy hook ensures the web server reloads after certificate renewal. Verify functionality with --dry-run before production deployment. Certbot renews certificates 30 days before expiration, providing ample time to address any issues.

Testing

After deployment, verify the configuration on SSL Labs (ssllabs.com/ssltest/) — the goal is an A or A+ rating. Check that HTTP redirects to HTTPS, the HSTS header is set, and the certificate covers all required domains.
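
The three checks above can be scripted. The following is an added example, not code from the original article or from certbot; the function names and sample data are constructed for illustration. The coverage check also shows why the wildcard command earlier lists both '*.example.com' and example.com: a wildcard stands for exactly one label.

```shell
# Added example, not from the original page; all sample data is constructed.
# san_covers NAME SAN...: a wildcard stands for exactly one leftmost label, so
# *.example.com covers www.example.com but not example.com or a.b.example.com.
san_covers() {
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  for san in "$@"; do
    san=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
    case "$san" in
      '*.'*)
        suffix=${san#?}              # ".example.com"
        label=${name%"$suffix"}      # the part "*" would have to match
        case "$label" in
          "$name"|''|*.*) ;;         # suffix absent, empty, or 2+ labels
          *) return 0 ;;
        esac ;;
      *) [ "$san" = "$name" ] && return 0 ;;
    esac
  done
  return 1
}

# cert_covers NAME SAN_TEXT: SAN_TEXT as printed by
# `openssl x509 -noout -ext subjectAltName`.
cert_covers() {
  list=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n 's/^ *DNS://p')
  set -f; rc=0                       # -f: never glob "*.example.com"
  san_covers "$1" $list || rc=$?
  set +f; return "$rc"
}

# hsts_max_age: response headers on stdin; prints max-age, fails if absent.
hsts_max_age() {
  age=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed -n \
    's/^strict-transport-security:.*max-age="\{0,1\}\([0-9]\{1,\}\).*/\1/p')
  [ -n "$age" ] && printf '%s\n' "$age"
}

# redirects_to_https: headers of the plain-HTTP response on stdin.
redirects_to_https() {
  tr -d '\r' | awk 'NR==1 { ok = ($2 ~ /^30[1278]$/) }
    tolower($1)=="location:" { loc = ($2 ~ /^https:\/\//) }
    END { exit !(ok && loc) }'
}

# Constructed samples standing in for openssl and `curl -sI` output.
SAMPLE_SAN='DNS:*.example.com, DNS:example.com'
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://example.com/'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains'
```

Against a live host, pipe `curl -sI` output into redirects_to_https and hsts_max_age, and pass the output of `openssl x509 -noout -ext subjectAltName` for the served certificate to cert_covers.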

Key Takeaway

Let’s Encrypt + certbot = free HTTPS in 5 minutes. Set up automatic renewal and a deploy hook, verify on SSL Labs. For Kubernetes environments, use cert-manager instead of certbot.


CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.