How to set up HTTPS with Let's Encrypt for free
ACME protocol, certificate issuance, HTTP-01 challenge, DNS-01 challenge, certbot, certificate renewal, Nginx SSL configuration
Free HTTPS with Let's Encrypt
Let's Encrypt is a free, automated CA. It issues 90-day certificates and provides certbot to automate the whole lifecycle. Here is how it works and how to set it up.
The ACME protocol
ACME (Automatic Certificate Management Environment) automates certificate issuance via domain validation challenges. Two common challenge types:
HTTP-01: Let's Encrypt asks you to serve a specific token at http://yourdomain.com/.well-known/acme-challenge/{token}. If it can fetch that token, you prove you control the domain.
DNS-01: Let's Encrypt asks you to create a DNS TXT record with a specific value. Used for wildcard certs and when port 80 is blocked.
Setup with certbot + Nginx
# Install certbot (Ubuntu)
sudo apt install certbot python3-certbot-nginx
# Obtain and install certificate automatically
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Certbot modifies your Nginx config and sets up auto-renewal
# Test renewal
sudo certbot renew --dry-run
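# Verify HTTPS works: curl fails if the certificate does not validate;
# grep shows the Strict-Transport-Security header if one is configured
curl -I https://yourdomain.com | grep -i strict
Auto-renewal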
Certbot installs a systemd timer or cron job that runs certbot renew twice daily. Renewal happens automatically when the cert is within 30 days of expiry. The 90-day expiry forces automation — long-lived certs are a security risk because revocation is unreliable.
