Use Let’s Encrypt to Apply for a Free HTTPS Certificate for Your Website (Complete Tutorial)

📌 This article explains how to configure a free HTTPS certificate for your domain on a Linux (Ubuntu / Debian / CentOS) server, with automatic renewal.

Suitable for:

  • Nginx / OpenResty
  • PHP websites (e.g., forums, Flarum)
  • Static sites (Hugo / Vue SPA)
  • API services

1. Prerequisites

1️⃣ Must have

  • A properly resolved domain name (A record pointing to your server IP)
  • Server ports 80 / 443 accessible
  • root or sudo privileges

2️⃣ Verify domain resolution

ping forum.happyrock.cloud

Or:

nslookup forum.happyrock.cloud

Make sure it points to your server IP.


2. Install Certbot (the certificate request tool)

Certbot is the official recommended tool from Let’s Encrypt:

Certbot


Ubuntu / Debian

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

CentOS / RHEL

sudo yum install epel-release -y
sudo yum install certbot python3-certbot-nginx -y

3. Request an HTTPS certificate (automatic mode)

sudo certbot --nginx

After execution:

  1. Automatically scans Nginx domains
  2. Select which site to enable HTTPS for
  3. Automatically modifies configuration files
  4. Automatically requests the certificate

Method 2: Specify a domain (more controllable)

sudo certbot --nginx -d forum.happyrock.cloud

4. Manual mode (for OpenResty / high customization)

If you are using OpenResty (which is your current environment), the recommended approaches are standalone or webroot:


sudo certbot certonly --webroot \
  -w /var/www/forum/public \
  -d forum.happyrock.cloud

Option B: standalone mode (temporarily occupies port 80)

sudo systemctl stop openresty

sudo certbot certonly --standalone \
  -d forum.happyrock.cloud

sudo systemctl start openresty

5. Certificate file locations

After successful application, the files will be generated at:

/etc/letsencrypt/live/forum.happyrock.cloud/

Including:

  • fullchain.pem (certificate chain)
  • privkey.pem (private key)

6. Configure Nginx for HTTPS

Modify the server block:

server {
    listen 443 ssl http2;
    server_name forum.happyrock.cloud;

    ssl_certificate     /etc/letsencrypt/live/forum.happyrock.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.happyrock.cloud/privkey.pem;

    root /var/www/forum/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
}

7. Automatically redirect HTTP to HTTPS (strongly recommended)

Add a port 80 block:

server {
    listen 80;
    server_name forum.happyrock.cloud;

    return 301 https://$host$request_uri;
}

8. Automatic renewal (critical step)

Let’s Encrypt certificates expire after 90 days, but they can be renewed automatically.

1️⃣ Test renewal

sudo certbot renew --dry-run

2️⃣ Add a scheduled task (system default is usually present)

Check:

systemctl list-timers | grep certbot

3️⃣ Manual cron (fallback safety)

crontab -e

Add:

0 3 * * * certbot renew --quiet

9. Common troubleshooting


❌ 1. Port 80 is occupied

lsof -i :80

Solutions:

  • Stop the nginx/openresty temporary service
  • Or use webroot mode

❌ 2. Domain verification fails

Check:

  • Whether DNS has propagated
  • Whether the firewall allows port 80
  • Whether Nginx responds correctly to /.well-known/

❌ 3. Certificate obtained but browser doesn’t trust it

Check:

  • Whether Nginx/OpenResty has been restarted
  • Whether the correct server_name is configured
  • Whether there are conflicting 443 configurations

10. Best practice summary (very important)

✔ Prefer webroot mode ✔ Unify 443 configuration (to avoid conflicts) ✔ Use PHP sockets, not 127.0.0.1:9000 ✔ Enable forced HTTP → HTTPS redirection ✔ Certbot automatic renewal must be verified


🚀 If you want to upgrade further

You can continue with these steps:

  • 🔐 OpenResty + WAF to protect your HTTPS system
  • 🚀 Unified SSL management for multiple domains
  • 🧠 Automated HTTPS deployment (CI/CD)
  • 🔥 Anti‑scanning + anti‑brute‑force + rate limiting

👉 “Build HTTPS + secure production architecture upgrade” – turn it into an enterprise‑grade deployment template.