Introduction: Why HTTPS is Non-Negotiable
In the modern web, running a site over HTTP is no longer acceptable.
- Security: Data sent over HTTP is plain text. Anyone on the network can steal passwords or user data.
- SEO: Google penalizes sites that do not use SSL.
- Trust: Browsers display a scary “Not Secure” warning on HTTP sites.
The good news? You can get an enterprise-grade SSL certificate for free using Let’s Encrypt and a tool called Certbot.
Step 1: Install Certbot
Certbot acts as a client that talks to Let’s Encrypt to validate your domain and download the certificates.
For Ubuntu / Debian
sudo apt install certbot python3-certbot-nginx
For RHEL / CentOS / AlmaLinux
RHEL requires the EPEL (Extra Packages for Enterprise Linux) repository to find Certbot.
# 1. Install EPEL release
sudo dnf install epel-release
# 2. Update repositories
sudo dnf upgrade
# 3. Install Certbot and the Nginx plugin
sudo dnf install certbot python3-certbot-nginx
Step 2: Generate the Certificate
We will run Certbot with the --nginx plugin. This plugin is magic: it reads your existing Nginx config (from the previous article), validates your domain, downloads the SSL files, and automatically edits your config to use them.
Run this command:
sudo certbot --nginx
The Interactive Setup
Certbot will ask you a few questions:
- Email: Enter a valid email (used for urgent renewal notifications).
- Terms: Agree to the Terms of Service.
- Select Domains: If you have multiple domains in your Nginx config, press Enter to select all of them.
- Redirect HTTP to HTTPS:
  - Certbot will ask if you want to redirect traffic.
  - Select Option 2 (Redirect).
  - Why? This ensures that if a user types http://example.com, they are instantly forced to the secure https://example.com.
Step 3: RHEL Specific Firewall Update
If you are on Ubuntu, ufw or the Certbot plugin usually handles the firewall rules.
If you are on RHEL/CentOS, you must manually open the HTTPS port (443) in the firewall, or your secure site will be unreachable.
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Step 4: Verify Auto-Renewal
Let’s Encrypt certificates are valid for 90 days. You do not want to manually renew them every three months.
Certbot installs a system timer to check for renewals automatically. Let’s verify that the renewal process is working correctly by running a “dry run” (a simulation).
sudo certbot renew --dry-run
If you see the text: “Congratulations, all renewals succeeded,” then your system is fully automated. You never have to touch it again.
Troubleshooting Common Errors
Error: “Challenge failed for domain…”
This usually means Let’s Encrypt couldn’t reach your server.
- Check DNS: Does your domain (e.g., example.com) actually point to your server’s IP address? DNS changes can take time to propagate.
- Check Firewall: Did you open Port 80? Let’s Encrypt needs Port 80 open to verify you own the server.
Error: “To fix these errors, please make sure that your domain name was entered correctly…”
- Check Nginx Config: Open your Nginx config file and ensure the server_name line exactly matches the domain you are trying to register.
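The following script ties together the Step 4 renewal check and the server_name troubleshooting item as a post-setup health check. It is an added example, not Certbot's own tooling; it assumes GNU date and the openssl CLI, the default Let's Encrypt path /etc/letsencrypt/live/<domain>/fullchain.pem, the timer names installed by the apt and dnf certbot packages, and that you pass the Nginx file holding your server block as the second argument.

```bash
#!/usr/bin/env bash
# Post-setup checks for the Certbot + Nginx procedure (added example, not Certbot's code).
# Assumptions: GNU date, openssl CLI, default Let's Encrypt live path, distro-package timer names.

# Whole days from now until an openssl-style notAfter string such as "Mar  5 12:00:00 2026 GMT".
# Negative means the certificate has already expired.
days_until_date() {
    local end now
    end=$(date -d "$1" +%s) || return 1
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Days until the PEM certificate in $1 expires.
days_until_expiry() {
    local not_after
    not_after=$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2) || return 1
    days_until_date "$not_after"
}

# Succeeds if a server_name directive in Nginx config $1 names domain $2 exactly
# (the check the troubleshooting section asks for).
server_name_matches() {
    grep -E '^[[:space:]]*server_name[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;.*$//' \
      | tr ' \t' '\n\n' | grep -qxF -- "$2"
}

# Systemd timer the package installs: certbot.timer on Debian/Ubuntu,
# certbot-renew.timer on RHEL-family systems using EPEL (assumption: package installs, not snap).
renewal_timer_name() {
    if [ -f /etc/debian_version ]; then echo certbot.timer; else echo certbot-renew.timer; fi
}

main() {
    local domain=$1 conf=${2:-/etc/nginx/nginx.conf} cert="/etc/letsencrypt/live/$1/fullchain.pem" days
    days=$(days_until_expiry "$cert") || { echo "no certificate at $cert"; return 1; }
    echo "certificate for $domain expires in $days days"
    # Certbot renews once fewer than 30 days remain; below that the timer is not doing its job.
    [ "$days" -ge 30 ] || echo "WARNING: under 30 days left; run 'sudo certbot renew --dry-run'"
    server_name_matches "$conf" "$domain" \
      || echo "WARNING: no server_name matching $domain in $conf"
    systemctl is-active --quiet "$(renewal_timer_name)" \
      || echo "WARNING: $(renewal_timer_name) is not active"
}

if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it as `sudo ./check-ssl.sh example.com /etc/nginx/sites-enabled/default` after Step 4; a clean run prints only the expiry line.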
Final Summary
Congratulations! You have successfully set up SSL/HTTPS.
Related Guide: How to setup NGINX as Reverse Proxy
