How to Install an SSL Certificate on a VPS
This guide explains how to install a free SSL certificate with Let's Encrypt and Certbot on your VPS, for Nginx or Apache.
Order a Server
To host your secure websites, HostMyServers offers several options:
- Performance VPS - Ideal for high-traffic sites
- NVMe VPS - Excellent value for money
- Eco Dedicated Servers - For projects requiring more resources
- Performance Dedicated Servers - Maximum performance
Prerequisites
- SSH access as root or as a user with sudo privileges
- A domain name pointing to your server's IP address (DNS A or AAAA record)
- Ports 80 (HTTP) and 443 (HTTPS) open in the firewall
- Nginx or Apache installed and configured
- Up-to-date Debian/Ubuntu system
Installing Certbot
Recommended method: via Snap
This method ensures you have the latest version of Certbot:
sudo apt update
sudo apt install snapd -y
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Alternative method: via APT
For Nginx:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
For Apache:
sudo apt update
sudo apt install certbot python3-certbot-apache -y
Verify Web Server Configuration
Before obtaining the certificate, ensure your domain is correctly configured.
For Nginx
Verify that your server block contains the correct server_name:
sudo nano /etc/nginx/sites-available/your_domain
The file should contain:
server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com www.your_domain.com;
    root /var/www/your_domain;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
Test and reload the configuration:
sudo nginx -t
sudo systemctl reload nginx
For Apache
Verify your VirtualHost:
sudo nano /etc/apache2/sites-available/your_domain.conf
The file should contain:
<VirtualHost *:80>
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    DocumentRoot /var/www/your_domain
    <Directory /var/www/your_domain>
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/your_domain-error.log
    CustomLog ${APACHE_LOG_DIR}/your_domain-access.log combined
</VirtualHost>
Enable the site and reload:
sudo a2ensite your_domain.conf
sudo apachectl configtest
sudo systemctl reload apache2
Obtain the SSL Certificate
With Nginx
Run Certbot with the Nginx plugin:
sudo certbot --nginx -d your_domain.com -d www.your_domain.com
Certbot will:
- Verify domain ownership
- Obtain the certificate
- Automatically configure Nginx for HTTPS
- Set up HTTP → HTTPS redirection
With Apache
Run Certbot with the Apache plugin:
sudo certbot --apache -d your_domain.com -d www.your_domain.com
Certbot will:
- Verify domain ownership
- Obtain the certificate
- Automatically configure Apache for HTTPS
- Enable the SSL module if necessary
During execution, Certbot will ask if you want to automatically redirect HTTP traffic to HTTPS. Choose yes for better security.
Manual Configuration (optional)
If you prefer to manually configure SSL, use the certonly mode:
sudo certbot certonly --webroot -w /var/www/your_domain -d your_domain.com -d www.your_domain.com
Manual Nginx Configuration
Modify your server block:
# HTTP to HTTPS redirection
server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com www.your_domain.com;
    return 301 https://$host$request_uri;
}
# HTTPS configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your_domain.com www.your_domain.com;
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    # Recommended SSL parameters
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    root /var/www/your_domain;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
Manual Apache Configuration
Enable the SSL module:
sudo a2enmod ssl
sudo a2enmod rewrite
Create or modify your SSL VirtualHost:
# HTTP to HTTPS redirection
<VirtualHost *:80>
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    Redirect permanent / https://your_domain.com/
</VirtualHost>
# HTTPS configuration
<VirtualHost *:443>
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    DocumentRoot /var/www/your_domain
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your_domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your_domain.com/privkey.pem
    # Recommended SSL parameters
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder off
    <Directory /var/www/your_domain>
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/your_domain-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/your_domain-ssl-access.log combined
</VirtualHost>
Restart Apache so that the newly enabled modules are loaded:
sudo systemctl restart apache2
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. Certbot automatically configures renewal.
Verify Automatic Renewal
Test the renewal without actually running it:
sudo certbot renew --dry-run
Check the systemd Timer
sudo systemctl status certbot.timer
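Force Renewal
If necessary, you can force renewal. A plain certbot renew only renews certificates that are close to expiry, so pass --force-renewal to renew regardless of the remaining validity. Let's Encrypt rate limits apply, so use it sparingly:
sudo certbot renew --force-renewal
Add a Reload Hook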
To automatically reload the web server after renewal:
For Nginx:
sudo certbot renew --post-hook "systemctl reload nginx"
For Apache:
sudo certbot renew --post-hook "systemctl reload apache2"
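As an alternative to passing the hook on the command line, the added example below (not part of the original guide) is a deploy hook script that tests the web server configuration before reloading, so a broken config is never loaded after a renewal. It relies on Certbot's /etc/letsencrypt/renewal-hooks/deploy/ directory; the file name reload-webserver.sh and the function name are hypothetical.

```sh
#!/bin/sh
# Save as /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh (hypothetical
# file name) and make it executable with chmod +x. Certbot runs the scripts in
# this directory once per successfully renewed certificate and exports
# RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS to them.

# Test the configuration of the active web server, then reload it.
# Returns 0 after a reload, 1 if the config test failed (the running server is
# left untouched), 2 if neither nginx nor apache2 is active.
reload_webserver() {
    if systemctl is-active --quiet nginx; then
        if ! nginx -t >/dev/null 2>&1; then
            echo "nginx -t failed; not reloading" >&2
            return 1
        fi
        systemctl reload nginx
    elif systemctl is-active --quiet apache2; then
        if ! apachectl configtest >/dev/null 2>&1; then
            echo "apachectl configtest failed; not reloading" >&2
            return 1
        fi
        systemctl reload apache2
    else
        echo "no active nginx or apache2 service found" >&2
        return 2
    fi
}

# Only act when Certbot invoked this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "renewed: ${RENEWED_DOMAINS:-unknown} (${RENEWED_LINEAGE})"
    reload_webserver
fi
```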
Verify the Certificate
Via Browser
Access https://your_domain.com and click on the padlock in the address bar to see certificate details.
Via Command Line
sudo certbot certificates
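For unattended monitoring, the added example below (not from the original guide) checks a Certbot live directory: it confirms that privkey.pem belongs to the certificate in fullchain.pem and that the certificate is not close to expiry, which catches renewals that fail silently. The function names, the 20-day default threshold and the self-signed test pair are assumptions of this example.

```sh
# check_lineage DIR [WARN_DAYS]   (run as root: privkey.pem is root-only)
#   e.g. check_lineage /etc/letsencrypt/live/your_domain.com 20
# Return codes:
#   0 = key matches the certificate and more than WARN_DAYS of validity remain
#   1 = certificate expires within WARN_DAYS (renewal is probably failing)
#   2 = privkey.pem does not belong to the certificate in fullchain.pem
#   3 = files missing or unparsable
check_lineage() {
    dir=$1
    warn_days=${2:-20}   # assumed threshold, not a Certbot setting
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || return 3

    # Compare the public key in the leaf certificate (the first certificate
    # in fullchain.pem) with the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) \
        >/dev/null || return 1
    return 0
}

# Constructed test input: a throwaway self-signed pair laid out like
# /etc/letsencrypt/live/<domain>/, valid for DAYS days.
# make_test_lineage DIR DAYS
make_test_lineage() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}
```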
Test SSL Configuration
Use SSL Labs to test your configuration:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain.com
Advanced Security (optional)
Enable HSTS
For Nginx, add in the HTTPS server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
For Apache, add in the HTTPS VirtualHost:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Don't forget to enable the headers module for Apache:
sudo a2enmod headers
sudo systemctl restart apache2
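The added example below (not from the original guide) is a scriptable check of the two behaviours configured in this guide, the HTTP to HTTPS redirect and the HSTS header, run against response headers saved with curl -sI. The function names and the embedded sample responses are constructed for illustration.

```sh
# Usage on a real host (headers saved with curl -sI):
#   curl -sI http://your_domain.com  > http.txt  && check_redirect http.txt
#   curl -sI https://your_domain.com > https.txt && check_hsts https.txt

# check_redirect FILE: returns 0 if the response is a 301 to an https:// URL.
check_redirect() {
    tr -d '\r' < "$1" | awk '
        NR == 1 { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(code == 301 && loc ~ /^https:\/\//) }'
}

# check_hsts FILE [MIN_AGE]: returns 0 = ok, 1 = header missing,
# 2 = max-age below MIN_AGE seconds, 3 = includeSubDomains missing.
check_hsts() {
    tr -d '\r' < "$1" | awk -v min="${2:-31536000}" '
        tolower($0) ~ /^strict-transport-security:/ {
            found = 1
            v = tolower($0)
            sub(/^[^:]*:[ \t]*/, "", v)      # drop the header name
            sub(/[ \t]+$/, "", v)            # drop trailing whitespace
            n = split(v, part, /[ \t]*;[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /^max-age=/) { age = part[i]; gsub(/[^0-9]/, "", age) }
                if (part[i] == "includesubdomains") subs = 1
            }
        }
        END {
            if (!found) exit 1
            if (age + 0 < min + 0) exit 2
            if (!subs) exit 3
        }'
}

# Constructed sample responses for offline testing (not captured from a server).
sample_http() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://your_domain.com/\r\n\r\n'
}
sample_https() {
    printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'
}
```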
Troubleshooting
Domain Validation Error
- Verify that DNS points to your server:
  dig your_domain.com
- Verify that ports 80 and 443 are open:
  sudo ufw status
- Check Certbot logs:
  sudo tail -f /var/log/letsencrypt/letsencrypt.log
Site Not Accessible via HTTPS
- Verify web server configuration
- Verify that port 443 is open in the firewall
- Check web server logs:
  - Nginx:
    sudo tail -f /var/log/nginx/error.log
  - Apache:
    sudo tail -f /var/log/apache2/error.log
Revoke a Certificate
If necessary, you can revoke a certificate:
sudo certbot revoke --cert-path /etc/letsencrypt/live/your_domain.com/cert.pem