Have you ever noticed the little padlock icon next to a website’s address in your browser? It’s a small symbol, but it carries a lot of weight. It tells visitors that the connection is secure and that their information is safe. In the past, getting this level of security, known as HTTPS, often involved a complicated and sometimes expensive process.
Thankfully, that’s no longer the case. Thanks to Let's Encrypt, a non-profit Certificate Authority, anyone can get a free, trusted SSL/TLS certificate for their website. This article will walk you through why this is important and show you exactly how to get one for your own site using the powerful automation tool, Certbot.
What is a TLS Certificate?
At its core, a TLS certificate (formerly SSL) is a small data file that enables encrypted communication between a web server and a browser. When you visit a website with a valid SSL certificate (a site using https://), any data you send or receive, like login credentials, contact information, or payment details, is scrambled.
Think of it as sending a private letter in a sealed envelope versus sending a public postcard. The "envelope" of HTTPS ensures that no one can eavesdrop on the conversation between you and the website. Beyond security, major search engines like Google also use HTTPS as a positive ranking signal, giving secure sites a slight edge. For a more detailed explanation, check out our guide, What Is SSL, TLS, and HTTPS?.
How to generate your certificate with Certbot
The easiest way to get and install a Let's Encrypt certificate is by using a tool called Certbot. It automates the entire process, from verification to configuration and even renewal.
Prerequisites
Before you start, you'll need two things:
- Server access: You need command-line access to your Linux web server. You can get a dedicated server from xTom, or a scalable KVM VPS from V.PS.
- Domain name: Your domain name (e.g., example.com) must be pointing to your server's public IP address.
Step 1: Install Certbot
The Certbot team recommends installing the tool using snapd, as it guarantees you get the latest version with all the necessary dependencies.
First, install snapd if it's not already on your system.
For Ubuntu/Debian:
sudo apt update
sudo apt install snapd
For modern RHEL-based systems, like AlmaLinux or Rocky Linux, the command uses dnf, which is the successor to yum:
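sudo dnf install epel-release   # snapd is packaged in the EPEL repository on RHEL-based systems
sudo dnf install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap   # enables classic snap support, needed for --classic below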
Once snapd is ready, install Certbot with this command:
sudo snap install --classic certbot
Finally, create a symbolic link to ensure the certbot command can be run from anywhere:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 2: Obtain and install the SSL certificate
Certbot is smart enough to detect your web server software (like Apache or Nginx) and configure it for you automatically.
For Nginx Users:
Run the following command. The --nginx flag tells Certbot to find and modify your Nginx configuration.
sudo certbot --nginx
For Apache Users:
Run this command instead. The --apache flag does the same thing for an Apache web server.
sudo certbot --apache
After running the command, Certbot will guide you through a few simple questions:
- It will ask for your email address for renewal notices and security alerts.
- You’ll need to agree to the Let's Encrypt Terms of Service.
- It will list the domain names it found in your web server's configuration and ask you which ones you want to activate HTTPS for.
Once you’ve answered the prompts, Certbot will obtain the certificate, install it, and update your web server configuration to redirect all HTTP traffic to HTTPS. That’s it!
Step 3: Verify automatic renewal
Let's Encrypt certificates are valid for 90 days. This short lifespan is a security feature, but you don't need to worry about manually renewing it every three months. During installation, Certbot automatically set up a scheduled task that will renew your certificates before they expire.
You can perform a "dry run" to make sure the renewal process is working correctly:
sudo certbot renew --dry-run
If the dry run completes without errors, you're all set. Certbot will handle the renewals quietly in the background, keeping your site secure without any intervention.
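To catch a renewal that has quietly stopped working, you can also check how many days each certificate has left. The script below is an added example, not part of Certbot or the original article; it parses the listing printed by certbot certificates, and the function names, the sample listing and the 25-day alert threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag certificates whose automatic renewal appears stuck.
# Certbot normally renews about 30 days before expiry, so a certificate with
# fewer days left than ALERT_DAYS means renewals have not been succeeding.
ALERT_DAYS=25   # assumed threshold: 30-day renewal window minus a few days of slack

# Reads `certbot certificates` output on stdin and prints one line per
# certificate: "<name> ok <days>", "<name> overdue <days>" or "<name> invalid".
check_renewal_status() {
    awk -v limit="${1:-$ALERT_DAYS}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (index($0, "(INVALID") > 0) {          # e.g. (INVALID: EXPIRED)
                print name, "invalid"
            } else if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7) + 0     # leading digits of "59 days)"
                print name, (days < limit ? "overdue" : "ok"), days
            } else if ($0 ~ /VALID: [0-9]+ hour/) {   # less than one day left
                print name, "overdue", 0
            }
        }'
}

# Constructed sample in the layout printed by `certbot certificates`
# (names and dates are made up; some fields are omitted).
sample_listing() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2025-09-01 10:15:00+00:00 (VALID: 59 days)
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2025-07-16 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-06-20 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Prints the names of certificates that need attention; exit status 1 if any.
needs_attention() {
    check_renewal_status "$@" | awk '$2 != "ok" { print $1; bad = 1 } END { exit bad }'
}

# On a server: sudo certbot certificates | needs_attention
sample_listing | needs_attention || echo "renewal needs attention for the certificates above"
```

Run from cron or a monitoring agent, the non-zero exit status of needs_attention can trigger an alert well before visitors see an expired-certificate warning.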
Conclusion
Securing your website with HTTPS is a non-negotiable part of running a site today. It protects your users, builds trust, and can even give you a small boost in search rankings. Plus, with Let's Encrypt and Certbot, the process is not only free but also remarkably simple.
Thanks for reading! If you're interested in reliable digital infrastructure from people who know what they're doing, xTom would love to help! We provide colocation, dedicated servers, KVM VPS, IP transit, and more. Don't be afraid to reach out.
Frequently asked questions about Let's Encrypt
Is a Let's Encrypt certificate really free?
Yes, it's 100% free. Let's Encrypt is a non-profit organization with a mission to create a more secure and privacy-respecting web for everyone.
How long is a Let's Encrypt certificate valid for?
Certificates are valid for 90 days. The Certbot tool you installed is designed to automatically renew the certificate for you, typically 30 days before it expires, so you don't have to worry about it.
Can I use Let's Encrypt for a wildcard domain (e.g., *.example.com)?
Yes. Generating a wildcard certificate requires a different type of verification method called a DNS-01 challenge. This is a more advanced setup but is fully supported by Certbot.
What happens if my certificate fails to renew?
If a renewal fails, Let's Encrypt will send a notification email to the address you provided during the initial setup. The most common reasons for failure are changes to your DNS records or new firewall rules that block the verification process.
Do I need a dedicated IP for an SSL certificate?
No. Modern web servers use a technology called Server Name Indication (SNI), which allows multiple SSL certificates to be hosted on a single IP address. This is standard on nearly all hosting services today.