SSL/TLS Certificates: Setup Guide with Let's Encrypt

DodaTech Updated Jun 19, 2026 6 min read

SSL/TLS certificates enable encrypted HTTPS connections between browsers and servers, protecting data in transit from eavesdropping and tampering — and in 2026, there is no excuse for running a website without one.

What You’ll Learn

  • What SSL/TLS is and how the handshake works
  • Setting up free certificates with Let’s Encrypt and Certbot
  • Configuring auto-renewal, NGINX/Apache, and wildcard certificates
  • Testing your setup with SSL Labs for maximum security rating

Why SSL/TLS Matters

HTTPS is not optional. Google Chrome marks all HTTP pages as “Not Secure.” HTTPS is required for HTTP/2, service workers, geolocation APIs, and many browser features. Beyond security, HTTPS improves SEO rankings and builds user trust.

Durga Antivirus Pro enforces HTTPS for all API endpoints, using Let’s Encrypt certificates with automated renewal to ensure zero downtime.

Learning Path

flowchart LR
  A[Reverse Proxy Basics] --> B[SSL/TLS Concepts]
  B --> C[Let's Encrypt Setup<br/>You are here]
  C --> D[Auto-Renewal]
  D --> E[Hardening & Testing]
  style C fill:#f90,color:#fff

What Is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between a client and server. When you visit an HTTPS site:

  1. Handshake: Browser connects to server, requests certificate
  2. Certificate verification: Browser checks the certificate is valid, unexpired, and signed by a trusted Certificate Authority (CA)
  3. Key exchange: Client and server agree on a symmetric encryption key
  4. Secure communication: All data is encrypted with that key

sequenceDiagram
  Browser->>Server: ClientHello (supported ciphers)
  Server->>Browser: ServerHello + Certificate
  Browser->>Browser: Verify certificate
  Browser->>Server: Pre-master secret (encrypted)
  Server->>Browser: Session key established
  Browser->>Server: Encrypted HTTP request
  Server->>Browser: Encrypted HTTP response

Let’s Encrypt and Certbot

Let’s Encrypt is a free, automated, open Certificate Authority. Certbot is the client that interacts with Let’s Encrypt to obtain and install certificates.

# Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx  # For NGINX
# OR
sudo apt install certbot python3-certbot-apache  # For Apache

# Obtain a certificate
sudo certbot --nginx -d example.com -d www.example.com

Expected output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com and www.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem

Auto-Renewal

Let’s Encrypt certificates expire after 90 days. Certbot sets up a systemd timer or cron job automatically.

# Test renewal (dry run)
sudo certbot renew --dry-run

# Check the renewal timer
sudo systemctl status certbot.timer

# Manual renewal (if needed)
sudo certbot renew

Expected renewal test output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- Congratulations! All certificate renewals passed: example.com

If the output instead reports "Certbot failed to authenticate some domains (timed out)", the HTTP-01 challenge could not reach your server on port 80; see "Renewal Fails Because Port 80 Is Blocked" under Common Errors.

NGINX Configuration

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/html;
    index index.html;
}

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

Apache Configuration

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Modern TLS
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder off

    Header always set Strict-Transport-Security "max-age=63072000"

    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Wildcard Certificates

Wildcard certificates cover all subdomains (*.example.com) with one certificate:

sudo certbot certonly --manual -d '*.example.com' -d example.com \
  --preferred-challenges dns

Quote the wildcard so the shell does not expand it as a glob. Wildcards can only be validated with the DNS-01 challenge, which requires a DNS TXT record. Add the record provided by Certbot, then wait for propagation:

# DNS record to add
_acme-challenge.example.com  TXT  "your-validation-token"

Note that a certificate obtained with --manual is not renewed unattended by the Certbot timer: the renewal needs a new TXT record each time. For automatic renewal use Certbot's DNS plugin for your DNS provider instead of --manual.

Verify propagation:

dig _acme-challenge.example.com TXT +short

Expected output:

"your-validation-token"

Testing with SSL Labs

After configuring SSL, test your setup:

  1. Visit ssllabs.com/ssltest
  2. Enter your domain
  3. Wait for the test (takes 1-2 minutes)

Target: A+ rating

An A+ requires:

  • TLS 1.2 and 1.3 enabled
  • Strong cipher suite
  • HSTS enabled with max-age of at least 180 days
  • No security vulnerabilities (Heartbleed, POODLE, etc.)

# Quick check from command line
openssl s_client -connect example.com:443 -tls1_3

Expected output:

CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 345 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
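Before spending a run on SSL Labs, the A+ checklist above can be checked offline against the NGINX server block itself. The following is an added example, not code from the article or from Certbot/NGINX: a small linter that flags legacy protocols, weak or non-forward-secret cipher suites, a missing or short HSTS max-age (below the 180-day threshold, 15,552,000 seconds), and a missing HTTP-to-HTTPS redirect. Both configs are constructed; GOOD_CONFIG mirrors this guide's NGINX section, and WEAK_CONFIG shows the same site with settings that cap the rating.

```python
# Added example (not from the original article): an offline pre-flight check
# of an NGINX server block against the A+ checklist, so config mistakes are
# caught before the SSL Labs run. Both sample configs are constructed.
import re

HSTS_MIN_SECONDS = 180 * 24 * 3600          # 15,552,000 s: SSL Labs' A+ threshold
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = re.compile(r"RC4|3DES|DES-|MD5|NULL|EXPORT")


def _directive(config: str, name: str):
    """Arguments of the first `name ...;` directive, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]*);", config, re.M)
    return m.group(1).strip() if m else None


def check_nginx_tls(config: str) -> list:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []

    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set explicitly")
    else:
        enabled = set(protocols.split())
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + " ".join(legacy))
        if "TLSv1.3" not in enabled:
            findings.append("TLSv1.3 not enabled")

    ciphers = _directive(config, "ssl_ciphers") or ""
    for suite in filter(None, ciphers.split(":")):
        if suite.startswith(("!", "-", "+", "@")):
            continue                        # OpenSSL list modifiers, not suites
        if WEAK_CIPHER_TOKENS.search(suite):
            findings.append("weak cipher suite: " + suite)
        elif "-" in suite and not suite.startswith(("ECDHE-", "DHE-")):
            findings.append("no forward secrecy: " + suite)

    hsts = re.search(
        r'add_header\s+Strict-Transport-Security\s+"([^"]*)"(\s+always)?\s*;', config)
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts.group(1))
        if max_age is None or int(max_age.group(1)) < HSTS_MIN_SECONDS:
            findings.append(f"HSTS max-age below {HSTS_MIN_SECONDS} seconds")
        if hsts.group(2) is None:
            findings.append("HSTS add_header lacks 'always' (not sent on error responses)")

    # A port-80 server block must end in a 301 to https://
    if not re.search(r"listen\s+80\b[\s\S]*?return\s+301\s+https://", config):
        findings.append("no HTTP-to-HTTPS redirect on port 80")
    return findings


# Constructed: the configuration from the NGINX section of this guide.
GOOD_CONFIG = """
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
"""

# Constructed: the same site with settings SSL Labs would cap well below A+.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:RC4-SHA;
    add_header Strict-Transport-Security "max-age=300";
}
server {
    listen 80;
    server_name example.com;
}
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_nginx_tls(cfg) or "passes the checklist")
```

The checker is deliberately conservative: it only reads explicit directives, so an omitted ssl_protocols line is reported rather than assumed to be safe, and anything it cannot classify is left to the SSL Labs run.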

Common Errors

1. Certificate Name Mismatch

The certificate covers example.com, but you’re visiting www.example.com. Add both domains when requesting the cert.
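The name-mismatch error above and the wildcard section both come down to the same browser rule: the hostname in the URL must be covered by one of the certificate's Subject Alternative Names. As an added example (not code from the article, Certbot, or any browser), here is that matching logic in Python, following the RFC 6125 / RFC 9525 rules: a wildcard is accepted only as the whole left-most label, it matches exactly one label, and so `*.example.com` covers `api.example.com` but neither `example.com` nor `a.b.example.com`, which is why the wildcard command requests both `-d '*.example.com'` and `-d example.com`. All SAN lists and hostnames are constructed.

```python
# Added example (not from the original article): the name-matching step of
# "certificate verification". A browser accepts a certificate for a hostname
# only if one of its Subject Alternative Names covers that hostname under the
# RFC 6125 / RFC 9525 rules implemented below. All names here are constructed.


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name (a SAN dNSName) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        # A wildcard must be the whole left-most label ("w*.example.com" is
        # rejected) and must be followed by at least two labels ("*.com" is
        # rejected). It never matches more than one label.
        if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
            return False
        if len(cert_labels) < 3:
            return False
    if len(cert_labels) != len(host_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(cert_labels, host_labels))


def covered_by(san_names, hostname: str) -> bool:
    """Does any name in the certificate's SAN list cover hostname?"""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN lists standing in for what each certbot command would issue.
APEX_AND_WWW = ["example.com", "www.example.com"]     # -d example.com -d www.example.com
APEX_ONLY = ["example.com"]                           # the "name mismatch" error
WILDCARD_ONLY = ["*.example.com"]                     # -d '*.example.com' alone
WILDCARD_AND_APEX = ["*.example.com", "example.com"]  # the guide's wildcard command


if __name__ == "__main__":
    for sans, host in [
        (APEX_ONLY, "www.example.com"),        # False: name mismatch
        (WILDCARD_ONLY, "example.com"),        # False: wildcard does not cover the apex
        (WILDCARD_ONLY, "api.example.com"),    # True
        (WILDCARD_ONLY, "a.b.example.com"),    # False: a wildcard spans one label only
        (WILDCARD_AND_APEX, "example.com"),    # True: why both -d flags are needed
    ]:
        print(f"{sans} covers {host}: {covered_by(sans, host)}")
```

Matching is case-insensitive and ignores a trailing dot, as DNS names are; a partial wildcard such as `w*.example.com` is rejected because current browsers do not accept it.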

2. Renewal Fails Because Port 80 Is Blocked

Certbot validates domain ownership via port 80. Ensure your firewall allows HTTP traffic.

sudo ufw allow 80/tcp

3. Mixed Content Warnings

HTTPS page loading HTTP resources (images, scripts, API calls). Browsers block mixed content. Use relative URLs or protocol-relative URLs.

4. Wrong Certificate Path in Config

NGINX/Apache won’t start if it can’t read the certificate files. Check that the directories are traversable:

sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/

Only the directories need to be traversable; leave privkey.pem itself readable by root only.

5. Using SHA-1 Certificates

SHA-1 is deprecated and marked as insecure. Let’s Encrypt uses SHA-256. Verify:

openssl x509 -in /path/to/cert.pem -text -noout | grep "Signature Algorithm"

6. Self-Signed Certificates in Production

Self-signed certs trigger browser warnings. Use Let’s Encrypt for production. Self-signed is fine for development only.

Practice Questions

  1. What ports do HTTP and HTTPS use? HTTP: port 80. HTTPS: port 443.

  2. How long do Let’s Encrypt certificates last? 90 days. Auto-renewal is configured via Certbot’s systemd timer or cron job.

  3. What is a wildcard certificate? A certificate that covers all subdomains (*.example.com) with a single cert.

  4. What rating should you target on SSL Labs? A+ — the highest possible rating.

  5. What happens if a certificate renewal fails? After 90 days, the certificate expires and browsers show security warnings. Monitor renewal with a cron job that checks certificate expiry.

Challenge: Set up a complete HTTPS deployment: (1) obtain a Let’s Encrypt certificate with both apex and www domains, (2) configure NGINX with modern TLS, HSTS, and HTTP-to-HTTPS redirect, (3) set up auto-renewal with a test dry-run, (4) verify with SSL Labs and achieve an A+ rating.
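Question 5 and the challenge both call for a cron job that checks certificate expiry. The following is an added example, not code from the article or from Certbot: a script that parses the notAfter line printed by `openssl x509 -enddate -noout -in <cert>` and exits non-zero when fewer than 20 days remain. The threshold is an assumption: Certbot renews 30 days before expiry, so a certificate with 20 days left means an unattended renewal has already failed and there is still time to fix it before browsers start warning. The sample notAfter line and dates are constructed.

```python
# Added example (not from the original article): the expiry check behind the
# "monitor renewal with a cron job" advice. It parses the line that
#   openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem
# prints; the sample line and dates below are constructed.
from datetime import datetime, timezone
import subprocess
import sys

# Assumed threshold: Certbot renews 30 days before expiry, so 20 days left
# means a renewal has already failed while the site still works.
ALERT_DAYS = 20

# Constructed sample of openssl's output format.
SAMPLE_NOT_AFTER = "notAfter=Jun 19 12:00:00 2026 GMT"


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (used for fixed 'now' values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Jun 19 12:00:00 2026 GMT' to an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    # strptime treats whitespace in the format as "one or more", so the
    # two-space day padding openssl uses for single digits ("Jun  9") parses too.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def expiry_status(not_after_line: str, now: datetime, alert_days: int = ALERT_DAYS):
    """Return (status, days_remaining); status is OK, RENEW-NOW or EXPIRED."""
    days = (parse_not_after(not_after_line) - now).days
    if days < 0:
        return "EXPIRED", days
    if days <= alert_days:
        return "RENEW-NOW", days
    return "OK", days


def not_after_from_file(cert_path: str) -> str:
    """Read the notAfter line from a PEM certificate using the openssl CLI."""
    result = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # cron usage: check_expiry.py /path/to/cert.pem
        line = not_after_from_file(sys.argv[1])
    else:                                       # demo on the constructed sample line
        line = SAMPLE_NOT_AFTER
    status, days = expiry_status(line, datetime.now(timezone.utc))
    print(f"{status}: {days} days remaining")
    sys.exit(0 if status == "OK" else 1)        # non-zero exit lets cron mail an alert
```

Run it daily from cron against /etc/letsencrypt/live/example.com/cert.pem (the path is the one Certbot reports after issuance); a non-zero exit is what most cron setups turn into mail, so a failed renewal is noticed while the old certificate is still valid.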

FAQ

What is the difference between SSL and TLS?
SSL is the deprecated predecessor. TLS is the modern protocol. People still say “SSL” but mean TLS. There is no reason to use SSL (v2/v3) anymore.
Can I use the same certificate on multiple servers?
Yes — copy the certificate files to each server. Keep them in sync or use a certificate management tool.
What happens if my certificate expires?
Browsers show a “Not Secure” warning and may block the site entirely. Visitors will leave. Set up monitoring for certificate expiry.
Does Let’s Encrypt support multi-domain certificates?
Yes — add up to 100 domains per certificate using -d domain1.com -d domain2.com.
How do I revoke a compromised certificate?
Run sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem.

What’s Next

  • NGINX Reverse Proxy Guide: using SSL termination with NGINX
  • Cloudflare SSL/TLS Guide: managed SSL with Cloudflare’s edge network
  • Web Security Guide: comprehensive web application security

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Updated 2026-06-19.
