
Configuring SSL on a VPS Using Certbot

Practical guide to installing Let’s Encrypt SSL certificates on a VPS with Certbot for Apache, Nginx and HTTPS website configuration.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 10 min read Beginner

Introduction

Certbot is a popular tool for issuing and renewing free Let’s Encrypt SSL certificates on Linux servers. It can configure HTTPS for websites running on Apache or Nginx and can also help set up automatic certificate renewal.

Before using Certbot, the domain must point to your VPS, the web server must respond correctly, and ports 80 and 443 must be reachable. If DNS, firewall, virtual hosts or web server configuration are wrong, certificate issuance may fail.

Quick answer

To configure SSL on a VPS using Certbot, point the domain DNS to the VPS, make sure ports 80 and 443 are open, install Certbot and the correct web server plugin, run Certbot for your domain, enable HTTPS redirects if needed, test the certificate, and confirm automatic renewal works.

Configuring SSL on a VPS using Certbot

Configuring SSL on a VPS using Certbot means installing a trusted TLS certificate for your domain and configuring the web server to serve the site over HTTPS.

Certbot can:

  • request Let’s Encrypt certificates
  • validate domain ownership
  • configure Apache SSL
  • configure Nginx SSL
  • renew certificates automatically
  • install certificates for multiple hostnames
  • redirect HTTP to HTTPS
  • test renewal configuration

Certbot does not fix DNS, firewall, virtual host or website application issues automatically. Those must be correct before certificate issuance.

Before using Certbot

Before running Certbot, confirm the VPS and domain are ready.

Check:

  • domain points to the VPS IP
  • www record points correctly if used
  • web server is installed
  • website virtual host/server block exists
  • port 80 is open
  • port 443 is open
  • firewall allows HTTP and HTTPS
  • no CDN/proxy is blocking validation
  • root domain and www are both planned
  • email address is available for certificate notices

Let’s Encrypt must be able to verify that the domain reaches your server. If the domain points elsewhere, Certbot validation will fail.

DNS requirements

For HTTP-01 validation (the method the Apache and Nginx plugins use), the domain must resolve to the VPS where Certbot is running, because Let’s Encrypt fetches a challenge file from that host over port 80.

Common records:

  • example.com A record → VPS IPv4 address
  • www.example.com CNAME → example.com
  • AAAA record only if IPv6 is configured correctly
  • no old A/AAAA records pointing to another server

Let’s Encrypt prefers IPv6 when an AAAA record exists, so a stale AAAA record that points at another server makes validation fail even though the A record is correct, and it sends IPv6 visitors to the wrong server as well.
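As an added check (not part of the original guide or of Certbot itself), the following script compares the addresses a domain resolves to with the addresses the VPS actually owns, and reports a stray AAAA record separately from a stray A record. The VPS addresses and DNS answers in the sample are constructed (203.0.113.10, 2001:db8::10 and 2001:db8::dead); dns_preflight does the live lookup and assumes dig (dnsutils/bind-utils) and iproute2 are installed.

```sh
#!/bin/sh
# Added example for this guide (not Certbot's own code): compare what the
# domain resolves to with the addresses the VPS actually owns, so a stale
# A or AAAA record is caught before Certbot is run. Sample inputs are
# constructed; dns_preflight at the bottom does the real lookup with dig.

# check_addresses "SERVER_IPS" "RESOLVED_IPS"
#   SERVER_IPS   addresses configured on this VPS (space separated)
#   RESOLVED_IPS addresses returned for the domain's A and AAAA records
# Prints OK, NXDOMAIN, or one STRAY_A:/STRAY_AAAA: line per foreign address,
# and returns non-zero for anything other than OK.
check_addresses() {
    server_ips=$1
    resolved_ips=$2
    if [ -z "$resolved_ips" ]; then
        echo "NXDOMAIN"
        return 1
    fi
    status=0
    for addr in $resolved_ips; do
        owned=0
        for mine in $server_ips; do
            [ "$addr" = "$mine" ] && owned=1
        done
        if [ "$owned" -eq 0 ]; then
            # Let's Encrypt prefers IPv6 when an AAAA record exists, so a stale
            # AAAA record breaks validation even when the A record is correct.
            case "$addr" in
                *:*) echo "STRAY_AAAA:$addr" ;;
                *)   echo "STRAY_A:$addr" ;;
            esac
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK"
    return "$status"
}

# dns_preflight DOMAIN (online): resolve the domain and compare the answers
# with the global addresses on this host. Needs dig and the ip command.
dns_preflight() {
    domain=$1
    mine=$(ip -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')
    # dig +short prints CNAME targets (trailing dot) before the address; drop them.
    resolved=$( { dig +short A "$domain"; dig +short AAAA "$domain"; } | grep -v '\.$' | tr '\n' ' ')
    check_addresses "$mine" "$resolved"
}

# Constructed sample: the VPS owns 203.0.113.10 and 2001:db8::10, the A record
# is right, but an old AAAA record still points at 2001:db8::dead.
check_addresses "203.0.113.10 2001:db8::10" "203.0.113.10 2001:db8::dead" || true
```

Run `dns_preflight example.com` on the VPS itself before `certbot`: a STRAY_AAAA line means the AAAA record must be fixed or removed first, because Let’s Encrypt will try that address before falling back to IPv4.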

Confirm DNS before running Certbot

Use DNS Lookup to verify A, AAAA and CNAME records point to your VPS before certificate issuance.


Firewall requirements

Certbot HTTP validation usually requires port 80 to be reachable. HTTPS requires port 443.

Common ports:

  • 80/tcp for HTTP validation and redirects
  • 443/tcp for HTTPS traffic
UFW example
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw status

Do not close port 80 completely if you rely on HTTP validation and HTTP-to-HTTPS redirects.

Install Certbot

Install Certbot and the correct plugin for your web server.

Ubuntu/Debian with Apache
sudo apt update
sudo apt install certbot python3-certbot-apache -y
Ubuntu/Debian with Nginx
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Check Certbot version
certbot --version

Package names may vary by operating system version. Use your distribution’s current documentation if package names differ.

Using Certbot with Apache

For Apache, Certbot can detect virtual hosts and update SSL configuration.

Issue certificate for root and www
sudo certbot --apache -d example.com -d www.example.com
Test and reload Apache
sudo apache2ctl configtest
sudo systemctl reload apache2

Make sure Apache has a virtual host configured for the domain before running Certbot.

Using Certbot with Nginx

For Nginx, Certbot can detect server blocks and add SSL configuration.

Issue certificate for root and www
sudo certbot --nginx -d example.com -d www.example.com
Test and reload Nginx
sudo nginx -t
sudo systemctl reload nginx

Make sure the Nginx server_name includes the domain names you request in the certificate.

Standalone mode

In standalone mode Certbot temporarily runs its own small web server on port 80 to answer the validation request. Use it when no web server is installed yet or when neither plugin can be used.

Standalone mode example
# Stop web server first if needed:
sudo systemctl stop nginx

# Run Certbot standalone:
sudo certbot certonly --standalone -d example.com -d www.example.com

# Start web server again:
sudo systemctl start nginx

Standalone mode requires port 80 to be free during validation, and that is true at every renewal as well, so pass --pre-hook and --post-hook (for example --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx") so the renewal job stops and restarts the web server itself. If the web server is already running, certonly --webroot -w /var/www/example.com/public_html lets it answer the challenge without any downtime. For normal websites the Apache or Nginx plugins are usually easier.

HTTP to HTTPS redirects

After SSL is installed, visitors should be redirected from HTTP to HTTPS.

Good redirect
http://example.com → 301 → https://example.com

Also check:

  • www to non-www or non-www to www
  • no redirect loops
  • no long redirect chains
  • canonical URL is consistent
  • application URLs use HTTPS

Do not create conflicting redirects in Apache/Nginx, CDN and WordPress at the same time without testing. Multiple redirect layers can create loops.
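As an added example (not code from the original guide), the following script walks a redirect chain one hop at a time, without letting the client follow redirects itself, and reports a loop, a multi-hop chain, or a final URL that is still plain HTTP. The hostnames and responses in resolve_sample are constructed, including the loop on loop.example, which is the usual shape of a proxy forcing HTTPS while the origin forces HTTP; resolve_live issues one real request with curl.

```sh
#!/bin/sh
# Added example for this guide (not Certbot's or the page's code): walk a
# redirect chain one hop at a time and report a loop, a long chain, or a
# final URL that is still plain HTTP. resolve_sample is a constructed table
# standing in for live responses; resolve_live does one real request with curl.

# A resolver prints "<status> <Location>" for a URL (no Location on 200).
resolve_sample() {
    case "$1" in
        "http://example.com/")      echo "301 https://example.com/" ;;
        "http://www.example.com/")  echo "301 https://www.example.com/" ;;
        "https://www.example.com/") echo "301 https://example.com/" ;;
        "https://example.com/")     echo "200" ;;
        # Classic loop: the proxy sends visitors to HTTPS while the origin,
        # seeing plain HTTP from the proxy, sends them back to HTTP.
        "http://loop.example/")     echo "301 https://loop.example/" ;;
        "https://loop.example/")    echo "301 http://loop.example/" ;;
        *)                          echo "000" ;;
    esac
}

resolve_live() {
    # -I: headers only; no -L, so curl does not follow the redirect itself.
    curl -sS -o /dev/null -I -w '%{http_code} %{redirect_url}' "$1"
}

# walk_redirects RESOLVER START_URL [MAX_HOPS]
# Prints one of: OK:<hops>:<final>  CHAIN:<hops>:<final>  LOOP:<url>
#   NOT_HTTPS:<final>  HTTP_<code>:<url>  NO_LOCATION:<url>  TOO_MANY_HOPS:<url>
walk_redirects() {
    resolver=$1
    url=$2
    max_hops=${3:-5}
    hops=0
    visited=""
    while :; do
        case " $visited " in
            *" $url "*) echo "LOOP:$url"; return 1 ;;
        esac
        visited="$visited $url"
        set -- $("$resolver" "$url")
        status=${1:-000}
        location=${2:-}
        case "$status" in
            200) break ;;
            301|302|307|308) ;;
            *) echo "HTTP_$status:$url"; return 1 ;;
        esac
        hops=$((hops + 1))
        if [ "$hops" -gt "$max_hops" ]; then
            echo "TOO_MANY_HOPS:$url"
            return 1
        fi
        if [ -z "$location" ]; then
            echo "NO_LOCATION:$url"
            return 1
        fi
        url=$location
    done
    case "$url" in
        https://*)
            if [ "$hops" -le 1 ]; then echo "OK:$hops:$url"; else echo "CHAIN:$hops:$url"; fi
            return 0 ;;
        *)  echo "NOT_HTTPS:$url"; return 1 ;;
    esac
}

walk_redirects resolve_sample "http://example.com/"          # OK:1:https://example.com/
walk_redirects resolve_sample "http://www.example.com/"      # CHAIN:2:https://example.com/
walk_redirects resolve_sample "http://loop.example/" || true # LOOP:http://loop.example/
```

For a live site run `walk_redirects resolve_live http://example.com/` and `walk_redirects resolve_live http://www.example.com/` after installing the certificate; the www path above shows a two-hop chain (http → https://www → https), which works but is one hop longer than it needs to be.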

Automatic renewal

Let’s Encrypt certificates are valid for 90 days, so renewal must work automatically. On most distributions the Certbot package installs a systemd timer (or a cron job) that runs twice a day and renews any certificate that is within 30 days of expiry.

Test renewal
sudo certbot renew --dry-run
View timers and certificates
systemctl list-timers | grep certbot
sudo certbot certificates

A certificate is only reliable if renewal works. Always test renewal after setup.

Why this matters

HTTPS matters because browsers, users, search engines and many integrations expect it. Without a valid certificate, visitors see security warnings, forms lose trust, API clients that verify certificates fail, and redirects may behave incorrectly.

On a VPS, SSL problems often come from DNS, firewall, web server config, wrong hostnames or failed renewal—not from Certbot itself.

How to check Certbot SSL setup

Use SSL Checker, Website Status Checker and command-line checks after installation.

  1. DNS — Confirm domain points to the VPS.
  2. Web server — Confirm Apache or Nginx serves the correct domain.
  3. Firewall — Confirm ports 80 and 443 are reachable.
  4. Certificate coverage — Check root domain and www if both are used.
  5. HTTPS response — Confirm the site loads over HTTPS.
  6. Redirects — Check HTTP to HTTPS and www/non-www behavior.
  7. Renewal — Run Certbot dry-run renewal test.
  8. Mixed content — Check whether page assets still load over HTTP.

Check your SSL certificate

Use SSL Checker to verify certificate coverage, expiry, chain and HTTPS response after Certbot setup.


Common problems

DNS points to wrong server

High

Let’s Encrypt sends its validation request to a different IP than your VPS, so the challenge file is never found.

Next step: Update A/AAAA records and wait for DNS propagation.

Port 80 blocked

High

Certbot HTTP validation cannot reach the server.

Next step: Open port 80 in firewall/security group.

Port 443 blocked

High

The certificate may still be issued over port 80, but the HTTPS site is unreachable.

Next step: Open port 443 and reload firewall rules.

Nginx server_name missing

Medium

Certbot cannot match the requested domain to the correct Nginx block.

Next step: Add correct server_name and test Nginx config.

Apache virtual host missing

Medium

Certbot cannot find a matching Apache site configuration.

Next step: Create or fix the Apache virtual host before running Certbot.

AAAA record points elsewhere

Medium

IPv6 DNS sends validation or visitors to the wrong server.

Next step: Fix IPv6 server config or remove the AAAA record if not used.

Redirect loop after SSL

High

Apache/Nginx, CDN or application redirects conflict.

Next step: Review redirect rules and keep one canonical HTTPS path.

Certificate does not cover www

Medium

www version shows certificate mismatch.

Next step: Issue certificate for both example.com and www.example.com.

Renewal fails

High

Certificate may expire later even if it works now.

Next step: Run certbot renew --dry-run and fix validation path.

Mixed content remains

Medium

HTTPS works, but page assets still load over HTTP.

Next step: Update website URLs, theme/plugin settings and cache.
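As an added example (not part of the original guide), the following script scans an HTML page for subresources still loaded over plain HTTP and separates the ones a browser blocks outright (scripts, stylesheets, frames) from the ones it only warns about or upgrades on its own (images, media). SAMPLE_HTML is a constructed page with hostnames invented for the example; the live usage at the end assumes curl.

```sh
#!/bin/sh
# Added example for this guide (not the page's own code): scan an HTML page
# for subresources still loaded over plain HTTP, and separate the ones a
# browser blocks outright (scripts, stylesheets, frames) from the ones it
# only warns about or auto-upgrades (images, media). SAMPLE_HTML is a
# constructed page; the last line shows the same check on a live site.

# find_mixed_content : reads HTML on stdin, prints "ACTIVE <url>" or "PASSIVE <url>"
# for every src/href that starts with http://. Protocol-relative (//host/...)
# and https:// references are fine on an HTTPS page and are ignored.
find_mixed_content() {
    tr '\n' ' ' |
    grep -oiE '<(script|link|iframe|img|audio|video|source)[^>]*>' |
    while read -r tag; do
        url=$(printf '%s' "$tag" | grep -oiE "(src|href)=[\"']?http://[^\"'> ]+" | head -n 1 | sed -E "s/^[^=]*=[\"']?//")
        [ -n "$url" ] || continue
        name=$(printf '%s' "$tag" | sed -E 's/^<([A-Za-z]+).*/\1/' | tr 'A-Z' 'a-z')
        case "$name" in
            # <link> is treated as active conservatively: a stylesheet over HTTP is blocked.
            script|link|iframe) echo "ACTIVE $url" ;;
            *)                  echo "PASSIVE $url" ;;
        esac
    done
}

# Constructed sample page: one HTTP stylesheet, one HTTP script, one HTTP image,
# plus HTTPS and protocol-relative references that must not be reported.
SAMPLE_HTML='<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="https://example.com/js/app.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/img/logo.png" alt="logo">
<img src="//static.example.com/hero.jpg" alt="hero">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
</body></html>'

printf '%s\n' "$SAMPLE_HTML" | find_mixed_content
# Live use: curl -sL https://example.com/ | find_mixed_content
```

Fix the ACTIVE lines first: a stylesheet or script that fails to load over HTTPS breaks the page, while a PASSIVE image only degrades the padlock. On a CMS, the usual sources are a site URL still set to http://, hard-coded theme assets and cached HTML.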

How to configure SSL with Certbot safely

  1. Step 1: Confirm DNS points to VPS

    Check A, AAAA and CNAME records before running Certbot.

  2. Step 2: Open firewall ports

    Allow HTTP and HTTPS traffic.

  3. Step 3: Check web server config

    Confirm Apache virtual host or Nginx server block matches the domain.

  4. Step 4: Install Certbot

    Install Certbot and the correct Apache or Nginx plugin.

  5. Step 5: Issue certificate

    Run Certbot for the root domain and www if needed.

  6. Step 6: Enable HTTPS redirects

    Redirect HTTP to HTTPS and choose one canonical hostname.

  7. Step 7: Test the certificate

    Use SSL Checker and browser tests.

  8. Step 8: Test renewal

    Run certbot renew --dry-run.

  9. Step 9: Check application URLs

    Fix mixed content and update CMS/site URLs if needed.

  10. Step 10: Monitor expiry

    Monitor certificate expiration and renewal status.

Useful Certbot commands
Check Certbot version:
certbot --version

List certificates:
sudo certbot certificates

Issue Apache certificate:
sudo certbot --apache -d example.com -d www.example.com

Issue Nginx certificate:
sudo certbot --nginx -d example.com -d www.example.com

Renew certificates:
sudo certbot renew

Dry-run renewal:
sudo certbot renew --dry-run

Delete a certificate (by lineage name, as shown by certbot certificates):
sudo certbot delete --cert-name example.com

Check Apache config:
sudo apache2ctl configtest

Check Nginx config:
sudo nginx -t

Reload Apache:
sudo systemctl reload apache2

Reload Nginx:
sudo systemctl reload nginx

Commands are examples. Replace example.com with your real domain and test web server configuration before reloading.

Nginx SSL example

Certbot can automatically edit Nginx config, but a simplified HTTPS server block may look like this:

Nginx SSL example
# Port 80: answer for both names and send everything to the canonical HTTPS host
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# Port 443 for the non-canonical name: redirect, but over TLS, so the
# certificate must cover www.example.com as well
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 301 https://example.com$request_uri;
}

# Port 443 for the canonical host
server {
    listen 443 ssl http2;
    server_name example.com;

    root /var/www/example.com/public_html;
    index index.html index.php;

    # fullchain.pem = leaf certificate plus intermediates; privkey.pem stays readable by root only
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Certbot's Nginx plugin also adds its protocol/cipher defaults here:
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}

This is a simplified example. Real Nginx config depends on PHP-FPM, app routing, CDN/proxy setup and preferred www/non-www canonical choice.

Apache SSL example

Certbot can automatically create Apache SSL configuration, but a simplified virtual host may look like this:

Apache SSL example
# Port 80: answer for both names and redirect everything to the canonical HTTPS host
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# Port 443 for the non-canonical name: redirect over TLS, so the certificate must cover www too
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Redirect permanent / https://example.com/
</VirtualHost>

# Port 443 for the canonical host (mod_ssl must be enabled: sudo a2enmod ssl)
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com/public_html

    SSLEngine on
    # fullchain.pem carries the leaf and the intermediates (Apache 2.4.8+ reads the chain from it)
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Certbot's Apache plugin also adds its protocol/cipher defaults here:
    # Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

This is a simplified example. Real Apache config may include PHP handling, .htaccess rules, security headers, aliases and application-specific directives.

Certbot with CDN or proxy

If your domain uses a CDN or proxy, Certbot validation may behave differently.

Check:

  • CDN points to the VPS
  • HTTP validation path reaches origin
  • proxy SSL mode is compatible
  • CDN does not block /.well-known/acme-challenge/
  • origin certificate is valid if using full strict mode
  • DNS-only mode may be needed during issuance
  • CDN cache should not interfere with validation

When using Cloudflare or similar services, make sure SSL mode and origin certificate setup are consistent. Misconfigured proxy SSL can cause redirect loops. To test the origin directly, bypassing the CDN, use curl --resolve example.com:80:ORIGIN_IP http://example.com/.well-known/acme-challenge/test and confirm the answer comes from your own web server (a plain 404 from Apache or Nginx is fine; a CDN error page or a redirect is not).

Renewal monitoring

Certbot usually installs a timer or cron job for renewal, but you should still monitor it.

Monitor:

  • certificate expiry date
  • certbot renewal logs
  • web server reload after renewal
  • failed renewal emails
  • DNS changes that affect validation
  • firewall changes
  • CDN/proxy changes
  • domain names added or removed

A certificate that works today can still expire later if renewal validation breaks.
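As an added example serving both the Automatic renewal and Renewal monitoring sections (not Certbot's own code), the following script turns the output of certbot certificates into a pass/fail check for one certificate lineage: does it cover every hostname you need, is it still trusted, and how many days remain. SAMPLE_CERTBOT_REPORT is a constructed report in the same layout as the real command's output, with invented lineages; only the Certificate Name, Domains and Expiry Date lines are parsed.

```sh
#!/bin/sh
# Added example for this guide (not Certbot's own code): turn the output of
# `certbot certificates` into a pass/fail check for one certificate lineage:
# does it cover every hostname we need, is it still trusted, and how many
# days remain. The certbot output below is constructed to look like the real
# report; in production pipe the real command in (see the last lines).

# cert_status CERT_NAME "REQUIRED_NAMES" [MIN_DAYS]   (reads certbot output on stdin)
# Prints OK, NOT_FOUND, or a space separated list of problems such as
#   MISSING:www.example.com EXPIRING:12   or   INVALID:EXPIRED
# Returns 0 only for OK.
cert_status() {
    want=$1
    required=$2
    min_days=${3:-30}
    awk -v want="$want" -v required="$required" -v min_days="$min_days" '
        /Certificate Name:/ { cur = $3; if (cur == want) found = 1 }
        cur != want { next }                        # skip lines of other lineages
        /Domains:/ { domains = " " substr($0, index($0, "Domains:") + 8) " " }
        /\(VALID: [0-9]+ day/ {                     # e.g. "(VALID: 12 days)"
            match($0, /VALID: [0-9]+/)
            days = substr($0, RSTART + 7, RLENGTH - 7) + 0
        }
        /\(INVALID: / {                             # e.g. "(INVALID: EXPIRED)"
            match($0, /INVALID: [A-Z_]+/)
            invalid = substr($0, RSTART + 9, RLENGTH - 9)
        }
        END {
            if (!found) { print "NOT_FOUND"; exit 1 }
            out = ""
            n = split(required, parts, " ")
            for (i = 1; i <= n; i++)
                if (index(domains, " " parts[i] " ") == 0)
                    out = out (out ? " " : "") "MISSING:" parts[i]
            if (invalid != "")
                out = out (out ? " " : "") "INVALID:" invalid
            else if (days < min_days)
                out = out (out ? " " : "") "EXPIRING:" days
            if (out == "") out = "OK"
            print out
            if (out == "OK") exit 0
            exit 1
        }'
}

# Constructed sample of `certbot certificates` output with three lineages.
SAMPLE_CERTBOT_REPORT='Found the following certs:
  Certificate Name: example.com
    Serial Number: 4a1b2c3d4e5f
    Key Type: ECDSA
    Domains: example.com
    Expiry Date: 2026-07-10 09:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Serial Number: 5e6f7a8b9c0d
    Key Type: ECDSA
    Domains: shop.example.com www.shop.example.com
    Expiry Date: 2026-09-20 09:00:00+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: 1a2b3c4d5e6f
    Key Type: RSA
    Domains: old.example.com
    Expiry Date: 2026-05-01 09:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# The first lineage lacks www and has only 12 days left: both are reported.
printf '%s\n' "$SAMPLE_CERTBOT_REPORT" | cert_status example.com "example.com www.example.com" 30 || true
# Live use, e.g. from a daily cron job after the renewal timer has run:
#   sudo certbot certificates | cert_status example.com "example.com www.example.com" 30 || logger -p user.err "certbot check failed"
```

A lineage that is EXPIRING with fewer than 30 days left means the renewal timer has not renewed it on schedule, so check the timer and run certbot renew --dry-run; MISSING means the certificate was issued without that hostname and has to be re-issued with both names.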

Frequently asked questions

What is Certbot?

Certbot is a tool that requests and renews Let’s Encrypt SSL certificates.

Is Let’s Encrypt free?

Yes. Let’s Encrypt certificates are free, but each one is valid for only 90 days and must be renewed before it expires.

Does Certbot work with Apache and Nginx?

Yes. Certbot has plugins for both Apache and Nginx.

Why did Certbot validation fail?

Common causes include wrong DNS, blocked port 80, missing virtual host/server block, IPv6 mismatch or CDN/proxy interference.

Do I need SSL for www and non-www?

Yes, if both versions are accessible. Include both names in the certificate or redirect one consistently.

How often do certificates renew?

Let’s Encrypt certificates are valid for 90 days. Certbot’s scheduled renewal job renews a certificate once it is within 30 days of expiry, so a working setup renews roughly every 60 days without manual action.

Should I close port 80 after SSL?

Usually no. Port 80 is used for HTTP-to-HTTPS redirects and often for renewal validation.
