The Ultimate Guide to Securing Nginx with Let's Encrypt SSL (2026)

Learn how to easily protect your website and build visitor trust by installing a free, auto-renewing SSL certificate on your Nginx server.


Why Website Security Matters


Understanding Nginx and Let's Encrypt

Nginx (pronounced "engine-x") is a powerful and incredibly fast web server used by millions of websites around the world. It is responsible for taking requests from users who type your web address into their browser, and quickly delivering the web pages back to them. Because it is so good at handling heavy traffic without slowing down or crashing, it has become the top choice for both small personal blogs and massive company websites.

An SSL certificate (SSL stands for Secure Sockets Layer; servers today use its successor, TLS) is like a digital lock for your website. When you add an SSL certificate to your Nginx server, it encrypts the data passing between your website and your visitors. This means that if attackers intercept the traffic to steal sensitive information like passwords, emails, or credit card numbers, they will only see scrambled, unreadable text. Websites with SSL show a padlock icon in the browser and start with "https://" instead of "http://", which shows visitors that their connection to your site is encrypted and that the certificate was issued for your domain.

Let's Encrypt is a global, non-profit certificate authority that provides these SSL certificates to anyone at absolutely no cost. In the past, website owners had to pay yearly fees and go through a complicated manual process to get an SSL certificate. Let's Encrypt changed the internet by making security free and accessible to everyone. Best of all, their official tool (called Certbot) automatically installs and renews the certificate for you, so your website stays protected without any extra effort on your part.

Prerequisites

  • A Linux Server: A server running a modern Linux operating system (such as Ubuntu 22.04 or 24.04).
  • Admin Access: You must have root access or a user account with sudo privileges to run installation commands.
  • A Registered Domain Name: A domain (like yourwebsite.com) that is actively pointing to your server's public IP address via your DNS provider.
  • Nginx Installed: Nginx must already be installed and running, with a basic server block configured for your domain name.
  • Open Ports: Port 80 (HTTP) and Port 443 (HTTPS) must be open on your server's firewall.

Step-by-Step Installation

The official and most reliable way to install Certbot, the Let's Encrypt client, in 2026 is by using snapd. This ensures you get the most up-to-date version of Certbot and avoids the bugs found in the older versions shipped by distribution package managers.

1. Prepare Nginx and the Firewall

First, make sure your Nginx configuration is error-free and that your firewall allows secure traffic.
BASH
# Test your Nginx configuration to ensure there are no syntax errors
sudo nginx -t

# Reload Nginx to apply any recent changes
sudo systemctl reload nginx

# Allow both HTTP and HTTPS traffic through the UFW firewall
sudo ufw allow 'Nginx Full'

# Verify the firewall status
sudo ufw status

2. Remove Outdated Certbot Packages

If you have an older version of Certbot installed via your operating system, remove it to prevent conflicts.
BASH
# Remove old certbot installations via apt
sudo apt-get remove certbot -y

3. Install Certbot via Snap

Snap ensures Certbot is kept strictly up to date automatically.
BASH
# Install the core snap and ensure it is entirely up to date
sudo snap install core
sudo snap refresh core

# Install the official Certbot package
sudo snap install --classic certbot

# Create a symbolic link so the certbot command can be run from anywhere
sudo ln -s /snap/bin/certbot /usr/bin/certbot

4. Obtain and Install the SSL Certificate

Now, run the Certbot Nginx plugin. It will read your Nginx configurations, ask you which domain to secure, and automatically update your files to enforce HTTPS.
BASH
# Run Certbot's Nginx plugin
sudo certbot --nginx

(During this step, the terminal will ask you for an email address for security notices, ask you to agree to the terms of service, and let you select your domain name. Follow the on-screen prompts.)

5. Verify Auto-Renewal

Let’s Encrypt certificates expire every 90 days, but Certbot sets up a background timer to renew them automatically. You can test this automatic process to ensure it works.
BASH
# Perform a dry run to simulate the renewal process and verify it works
sudo certbot renew --dry-run

If the command finishes without errors, your Nginx server is successfully secured with Let's Encrypt and will automatically renew itself in the future!
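
Step 4 relies on Certbot rewriting your server blocks to enforce HTTPS. The following added example (not part of the original guide and not Certbot's own code) audits nginx configuration text for server blocks that still answer on plain HTTP without a redirect, or that enable TLS without a certificate and key. The names `audit_https` and `sample_conf`, the sample config and its domains are constructed for illustration, and the parser assumes one directive per line.

```bash
# Added example. Assumes one directive per line (Certbot/Debian-style layout).
audit_https() {
  awk '
    function finish() {
      if (plain && !redir) { print "FAIL " name ": HTTP listener without HTTPS redirect"; bad++ }
      if (tls && !(cert && key)) { print "FAIL " name ": TLS listener missing cert or key"; bad++ }
      insrv = 0; if (tls && cert && key) seen_tls = 1
    }
    { sub(/#.*/, "") }                              # strip comments first
    !insrv && /^[ \t]*server[ \t]*[{]/ {            # a server block starts
      insrv = 1; base = depth; name = "(unnamed)"
      plain = tls = redir = cert = key = 0
    }
    insrv && /^[ \t]*listen[ \t]/ { if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1; else plain = 1 }
    insrv && /^[ \t]*server_name[ \t]/ { name = $2; sub(/;$/, "", name) }
    insrv && /return[ \t]+30[1278][ \t]+https:/ { redir = 1 }
    insrv && /^[ \t]*ssl_certificate[ \t]/ { cert = 1 }
    insrv && /^[ \t]*ssl_certificate_key[ \t]/ { key = 1 }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")  # track brace nesting
      if (insrv && depth == base) finish() }
    END {
      if (!seen_tls) { print "FAIL: no complete TLS server block"; bad++ }
      if (!bad) print "OK: every HTTP listener redirects to HTTPS"
      exit (bad > 0)
    }'
}

sample_conf() {  # constructed sample, not from the original page
  cat <<'EOF'
server {
    server_name example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com;
}
server {
    listen 80;
    server_name blog.example.com;
}
EOF
}
sample_conf | audit_https || echo "audit reported problems"
```

On a real server, feed it the live configuration with `sudo nginx -T 2>/dev/null | audit_https`; a non-zero exit status means at least one server block needs attention.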
