A practical, step‑by‑step guide that lets you secure any website for free without a single line of code you can’t understand
Before We Start: What You'll Walk Away With
By the end of this guide you’ll know exactly why Let’s Encrypt is trusted by browsers worldwide—think of it as the “gold star” you get after a restaurant inspection.
You’ll be able to click through an installation wizard, copy a few commands, and confirm that HTTPS is live on Apache, Nginx, or a static‑site host—just like ordering a pizza and watching it arrive at your door.
Finally, you’ll walk away with a one‑page cheat‑sheet you can reuse for any new domain, so you never have to start from scratch again.
Understand the basic idea behind Let’s Encrypt and why it’s trusted.
Install, verify, and set up auto‑renew for a free SSL certificate on Apache, Nginx, or a static‑site host.
Grab a cheat‑sheet that lets you repeat the process for any future domain.
Why it matters: Browsers treat Let’s Encrypt certificates as fully valid, so visitors won’t see warning signs.
What you need: Access to your server’s command line or a control panel that supports custom scripts.
What you’ll avoid: Expired certificates and the headache of manual renewals.
Keep this list handy; it’s the roadmap you’ll follow step by step.
What Let’s Encrypt Actually Is (No Jargon)
Let’s Encrypt is a nonprofit Certificate Authority that hands out domain‑validated SSL certificates for free. It talks to your server through an automated protocol called ACME, so you never have to call a support desk or fill out paperwork.
Imagine a digital passport office that instantly stamps your website’s “identity” the moment you show proof you own the domain. Just as a government ID convinces a barista you’re old enough to order coffee, the Let’s Encrypt SSL certificate convinces browsers that your site is trustworthy, letting visitors see the padlock icon without a hitch.
The 3 Mistakes Everyone Makes With Let’s Encrypt
Here are the three blunders that turn a smooth Let’s Encrypt SSL setup into a headache.
Forgetting to open port 80/443. The validation server can’t reach your site if those doors are closed, just like a delivery driver blocked by a locked gate. Check your firewall or cloud panel and allow inbound traffic on both ports before you start the challenge.
Using a single‑use certificate and skipping auto‑renew. It’s like ordering a fresh loaf of bread and then never buying another—your site will suddenly serve an expired cert. Enable a cron job or systemd timer that runs certbot renew twice a day so renewal happens automatically.
Running the client as root and overwriting existing configs. Imagine giving a rookie chef unrestricted access to your kitchen; they might replace a trusted recipe with something else. Use a dedicated user or the --deploy-hook option instead, and back up any config files before the client writes to them.
Fix these, and your HTTPS will stay up without a hitch.
How to Get Free SSL With Let’s Encrypt: Step‑by‑Step
Grab a cup and follow these clicks‑and‑type steps; you’ll have HTTPS up faster than ordering a coffee.
- Pick a client. Certbot is the default choice, like using the standard app store instead of hunting obscure tools.
- Install the client on your server. Use the package manager that matches your OS:
apt install certbot for Debian/Ubuntu
yum install certbot for CentOS/RHEL
brew install certbot for macOS
Or pull the Docker image:
docker run -it --rm certbot/certbot
- Make sure your domain’s DNS points to the server and that ports 80 and 443 are open. Think of DNS as the address book and the ports as the front‑door keys; both must work for visitors to get in.
- Run the appropriate Certbot command for your web server. For Nginx, it looks like this:
certbot --nginx -d example.com -d www.example.com
Replace example.com with your own domain. Certbot will talk to Let’s Encrypt, prove you own the site, and install the certificate automatically.
- Verify the result. Open https://yourdomain.com in a browser or use an online SSL checker to confirm the lock icon appears.
- Enable auto‑renewal so the cert doesn’t expire. Test the renewal process first:
certbot renew --dry-run
If the dry run succeeds, the built‑in cron job will keep the certificate fresh.
That’s it—your site now enjoys free, trusted encryption.
A Real Example: Securing a Small‑Business Blog on Nginx
Maya, who runs a charming bakery, just wants her WordPress blog to show the padlock without hunting through menus.
First she updates the package list and pulls in Certbot with Nginx support:
sudo apt update && sudo apt install certbot python3-certbot-nginx
Next she asks Certbot to fetch a certificate for both the bare domain and the www subdomain:
sudo certbot --nginx -d bakerydelights.com -d www.bakerydelights.com
Prompt 1: “Enter email?” – Maya types her business email.
Prompt 2: “Agree to Terms of Service?” – she hits Y.
Prompt 3: “Redirect HTTP to HTTPS?” – she chooses the automatic redirect, like telling a waiter to bring the soup before the salad.
Certbot now edits the server blocks in /etc/nginx/sites-available/bakerydelights.com, injects the ssl_certificate directives, reloads Nginx, and prints a success message:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bakerydelights.com/fullchain.pem
Your certificate will expire on 2026-08-14.
To be sure the auto‑renew will work, Maya runs a dry‑run:
sudo certbot renew --dry-run
The command simulates a renewal, confirming the timer and Nginx reload are set.
If anything goes wrong, Certbot shows a clear error, letting Maya fix it before the real expiration.
Tip: Schedule a weekly check with systemctl status certbot.timer to verify the renewal timer is active.
Cheat sheet: sudo certbot --nginx -d example.com -d www.example.com handles the whole process for most Nginx sites.
With those few clicks and commands, Maya’s bakery blog now serves pages over HTTPS, and the padlock stays put.
The Tools That Make This Easier
Grab the right helper and the whole process feels like ordering a pizza—pick a menu, confirm the toppings, and the delivery shows up on your doorstep.
Certbot – The official Let’s Encrypt SSL client. It talks directly to the CA, configures Apache or Nginx, and renews automatically. Think of it as the restaurant’s “set‑it‑and‑forget‑it” menu.
acme.sh – A tiny Bash script that runs on even the smallest VPS. It’s like a pocket‑knife: you can slice, dice, and tighten certs without any heavy dependencies.
Win‑Acme – Windows‑only client with a GUI and CLI for IIS. Imagine a GPS that plots the fastest route on a Windows road map, guiding you step‑by‑step.
SSL Labs’ SSL Test – Free online scanner that grades your HTTPS setup. It’s the “Google Maps” of SSL, showing you exactly where the bumps are.
Docker Let’s Encrypt Nginx Proxy Companion – Container‑aware tool that watches your Docker services and fetches fresh certs for you. Picture it as a suitcase that automatically packs the right clothes for each trip.
Pick one that matches your environment, run the installer, and let the tool handle the heavy lifting.
With any of these, the next time you check your site you’ll see the green padlock without a second thought.
Quick Reference: Let’s Encrypt Cheat Sheet
Grab this cheat sheet and follow it like a recipe—you’ll have a valid Let’s Encrypt SSL in minutes.
- 🔹 Install client – Think of it as ordering a pizza: you need the right app before you can place the order. Run apt install certbot (or pick acme.sh if you prefer a lighter tool).
- 🔹 Open ports 80/443 – Like making sure the front door is unlocked for delivery. Adjust your firewall so traffic can reach the web server.
- 🔹 Run certbot – This is the checkout step. Execute certbot --nginx -d yourdomain.com -d www.yourdomain.com and let the wizard handle the rest.
- 🔹 Verify installation – Just as you’d double‑check a map route, visit SSL Labs and enter your domain to confirm everything is green.
- 🔹 Auto‑renew – Think of setting a calendar reminder so you never forget to restock. Test the renewal with certbot renew --dry-run. If your system doesn’t already schedule a cron job, add one that runs daily.
- 🔹 Common pitfalls – Closed ports are like a blocked driveway; DNS missing is like a wrong address; no auto‑renew is like forgetting to pay a subscription. Check each before you start.
Example – Maria runs a small boutique site on a VPS. After installing certbot, she opens ports, runs the command, and sets a cron entry:
0 3 * * * /usr/bin/certbot renew --quiet
Her site stays HTTPS forever without manual touch.
What to Do Next
Grab the cheat‑sheet you just built and put it somewhere everyone can see.
Wiki entry – copy the three‑step “Install → Verify → Renew” list into your team Confluence, Notion, or internal README.
One‑click link – add a hyperlink to the live https://yourdomain.com/.well-known/acme-challenge/ page so newcomers can test HTTPS instantly.
Tag it – label the page “SSL” so a quick search brings it up.
Next, set up a simple watchdog so you know before a certificate expires.
Sign up at UptimeRobot (free tier works).
Create a monitor pointing to https://yourdomain.com and choose the “HTTPS (SSL)” check.
Configure an email or Slack alert for “Down” events – think of it like a kitchen timer that pings you before the soup boils over.
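A local complement to the external monitor and to the auto‑renew step earlier, as an added example rather than code from the original post: it classifies a certificate file by time left using openssl's -checkend, so a renewal that has been failing quietly shows up before the certificate expires. The 21-day WARN_DAYS threshold, the function names and the self-signed sample certificates are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Assumption: certbot renews once fewer than 30 days remain, so a certificate
# with under WARN_DAYS left means renewal has been failing for a while.
WARN_DAYS="${WARN_DAYS:-21}"   # hypothetical alert threshold

# cert_status FILE [DAYS] prints OK, RENEW_OVERDUE, EXPIRED or UNREADABLE.
cert_status() {
  cs_secs=$(( ${2:-$WARN_DAYS} * 86400 ))
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo UNREADABLE      # missing file or not an X.509 certificate
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED         # notAfter is already in the past
  elif ! openssl x509 -in "$1" -noout -checkend "$cs_secs" >/dev/null 2>&1; then
    echo RENEW_OVERDUE   # expires inside the warning window
  else
    echo OK
  fi
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {  # $1 = output file, $2 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo() {
  tmp="$(mktemp -d)"
  make_sample_cert "$tmp/fresh.pem" 90
  make_sample_cert "$tmp/stale.pem" 10
  echo "not a certificate" > "$tmp/junk.pem"
  for name in fresh stale junk; do
    printf '%s: %s\n' "$name" "$(cert_status "$tmp/$name.pem")"
  done
  rm -rf "$tmp"
}

# With arguments, check those files (for example the live fullchain.pem);
# with none, run the demo on the constructed samples.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do printf '%s: %s\n' "$f" "$(cert_status "$f")"; done
else
  demo
fi
```

Run from cron or a monitoring agent against /etc/letsencrypt/live/yourdomain.com/fullchain.pem, anything other than OK is worth an alert.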
Finally, if you’re comfortable with pipelines, automate renewal.
Add a step in your CI script that runs certbot renew --quiet after a successful build.
Store the renewed certificate in your artifact repository or secret manager.
Deploy the fresh files to every server – similar to packing a suitcase once and sending the same set of clothes to multiple houses.
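What a --deploy-hook script for this pipeline (and for the third mistake above) could look like, as an added example that is not certbot's or the original post's own code: it reloads the web server only when the renewed certificate and private key belong together, which matters once files are copied between machines. RELOAD_CMD, the function names and the self-signed sample lineage are assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example, not certbot's or the post's own code. certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) to deploy hooks.
# RELOAD_CMD is a hypothetical knob so the reload step can be swapped out.
RELOAD_CMD="${RELOAD_CMD:-nginx -t && systemctl reload nginx}"

# True only when the certificate and the private key carry the same public key.
pair_matches() {  # $1 = certificate file, $2 = private key file
  pm_cert="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
  pm_key="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
  [ -n "$pm_cert" ] && [ "$pm_cert" = "$pm_key" ]
}

# Reload the web server only if the renewed files are consistent.
deploy_renewed() {  # $1 = lineage directory (defaults to RENEWED_LINEAGE)
  dr_dir="${1:-${RENEWED_LINEAGE:-}}"
  [ -n "$dr_dir" ] || { echo "no lineage directory given" >&2; return 2; }
  if ! pair_matches "$dr_dir/fullchain.pem" "$dr_dir/privkey.pem"; then
    echo "cert/key mismatch in $dr_dir; leaving the running server alone" >&2
    return 1
  fi
  sh -c "$RELOAD_CMD"   # default validates the Nginx config before reloading
}

# Constructed sample input: a throwaway self-signed lineage directory.
make_sample_lineage() {  # $1 = directory to create
  mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=example.test" -keyout "$1/privkey.pem" \
    -out "$1/fullchain.pem" >/dev/null 2>&1
}

demo() {
  tmp="$(mktemp -d)"; RELOAD_CMD="echo reload would run here"
  make_sample_lineage "$tmp/good"; make_sample_lineage "$tmp/bad"
  cp "$tmp/good/privkey.pem" "$tmp/bad/privkey.pem"   # key from another cert
  deploy_renewed "$tmp/good"
  deploy_renewed "$tmp/bad" || echo "bad lineage refused"
  rm -rf "$tmp"
}

# Under certbot the hook path runs; with no lineage set, run the demo.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy_renewed; else demo; fi
```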
Doing these three actions moves you from “I have HTTPS today” to “HTTPS stays alive without me lifting a finger.”
💬 Got stuck or discovered a new tip? Drop a comment below – I’d love to hear your story!
About the Author
Abdullah Sheikh is the Founder & CEO at Exteed, where he leads a team of skilled developers specializing in Web2 and Web3 applications, Custom Smart Contracts, and Blockchain solutions.
With 6+ years of experience, Abdullah has built CRMs, Crypto Wallets, DeFi Exchanges, E-Commerce Stores, HIPAA Compliant EMR Systems, and AI-powered systems that drive business efficiency and innovation.
His expertise spans Blockchain, Crypto & Tokenomics, Artificial Intelligence, and Web Applications; building reliable and smooth web apps that fit the client’s goals and requirements.
📧 info@abdullah-sheikh.com · 🔗 LinkedIn · 🌐 abdullah-sheikh.com