Use Let’s Encrypt to Apply for a Free HTTPS Certificate for Your Website (Complete Tutorial)
📌 This article explains how to configure a free HTTPS certificate for your domain on a Linux (Ubuntu / Debian / CentOS) server, with automatic renewal.
Suitable for:
- Nginx / OpenResty
- PHP websites (e.g., forums, Flarum)
- Static sites (Hugo / Vue SPA)
- API services
1. Prerequisites
1️⃣ Must have
- A properly resolved domain name (A record pointing to your server IP)
- Server ports 80 / 443 accessible
- root or sudo privileges
2️⃣ Verify domain resolution
ping forum.happyrock.cloud
Or:
nslookup forum.happyrock.cloud
Make sure it points to your server IP.
2. Install Certbot (the certificate request tool)
Certbot is the official recommended tool from Let’s Encrypt:
Ubuntu / Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
CentOS / RHEL
sudo yum install epel-release -y
sudo yum install certbot python3-certbot-nginx -y
3. Request an HTTPS certificate (automatic mode)
Method 1: Nginx auto-configuration (recommended)
sudo certbot --nginx
After execution:
- Automatically scans Nginx domains
- Select which site to enable HTTPS for
- Automatically modifies configuration files
- Automatically requests the certificate
Method 2: Specify a domain (more controllable)
sudo certbot --nginx -d forum.happyrock.cloud
4. Manual mode (for OpenResty / high customization)
If you are using OpenResty (which is your current environment), the recommended approaches are standalone or webroot:
Option A: webroot mode (recommended for production)
sudo certbot certonly --webroot \
-w /var/www/forum/public \
-d forum.happyrock.cloud
Option B: standalone mode (temporarily occupies port 80)
sudo systemctl stop openresty
sudo certbot certonly --standalone \
-d forum.happyrock.cloud
sudo systemctl start openresty
5. Certificate file locations
After successful application, the files will be generated at:
/etc/letsencrypt/live/forum.happyrock.cloud/
Including:
fullchain.pem(certificate chain)privkey.pem(private key)
6. Configure Nginx for HTTPS
Modify the server block:
server {
listen 443 ssl http2;
server_name forum.happyrock.cloud;
ssl_certificate /etc/letsencrypt/live/forum.happyrock.cloud/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forum.happyrock.cloud/privkey.pem;
root /var/www/forum/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
}
}
7. Automatically redirect HTTP to HTTPS (strongly recommended)
Add a port 80 block:
server {
listen 80;
server_name forum.happyrock.cloud;
return 301 https://$host$request_uri;
}
8. Automatic renewal (critical step)
Let’s Encrypt certificates expire after 90 days, but they can be renewed automatically.
1️⃣ Test renewal
sudo certbot renew --dry-run
2️⃣ Add a scheduled task (system default is usually present)
Check:
systemctl list-timers | grep certbot
3️⃣ Manual cron (fallback safety)
crontab -e
Add:
0 3 * * * certbot renew --quiet
9. Common troubleshooting
❌ 1. Port 80 is occupied
lsof -i :80
Solutions:
- Stop the nginx/openresty temporary service
- Or use webroot mode
❌ 2. Domain verification fails
Check:
- Whether DNS has propagated
- Whether the firewall allows port 80
- Whether Nginx responds correctly to
/.well-known/
❌ 3. Certificate obtained but browser doesn’t trust it
Check:
- Whether Nginx/OpenResty has been restarted
- Whether the correct
server_nameis configured - Whether there are conflicting 443 configurations
10. Best practice summary (very important)
✔ Prefer webroot mode ✔ Unify 443 configuration (to avoid conflicts) ✔ Use PHP sockets, not 127.0.0.1:9000 ✔ Enable forced HTTP → HTTPS redirection ✔ Certbot automatic renewal must be verified
🚀 If you want to upgrade further
You can continue with these steps:
- 🔐 OpenResty + WAF to protect your HTTPS system
- 🚀 Unified SSL management for multiple domains
- 🧠 Automated HTTPS deployment (CI/CD)
- 🔥 Anti‑scanning + anti‑brute‑force + rate limiting
👉 “Build HTTPS + secure production architecture upgrade” – turn it into an enterprise‑grade deployment template.