Installing a Let's Encrypt Certificate on Your Hosting

Learn how to install a free Let’s Encrypt SSL certificate, verify domain validation, enable HTTPS and avoid common renewal problems.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 9 min read | Beginner

Introduction

Let’s Encrypt provides free SSL/TLS certificates that allow websites to load securely over HTTPS. Many hosting panels can install and renew Let’s Encrypt certificates automatically, while VPS or dedicated servers may use tools such as Certbot or hosting control panels.

A successful Let’s Encrypt setup depends on correct DNS, working domain validation, proper certificate installation and automatic renewal. If DNS points to the wrong server, HTTP validation is blocked, or renewal is not configured, HTTPS can fail later even if the first installation works.

Quick answer

To install Let’s Encrypt, make sure the domain points to the correct hosting server, issue the certificate through your hosting panel or Certbot, verify that HTTPS loads correctly, redirect HTTP to HTTPS, and confirm automatic renewal works before the certificate expires.

Let’s Encrypt

Let’s Encrypt is a free, automated certificate authority that issues SSL/TLS certificates for domains. These certificates allow websites to use HTTPS.

Let’s Encrypt certificates are commonly installed through:

  • Hosting control panels
  • cPanel AutoSSL
  • Plesk SSL tools
  • Certbot on VPS or dedicated servers
  • Managed WordPress hosting
  • CDN or proxy providers

Let’s Encrypt certificates are short-lived and should be renewed automatically.

Before installation

Most Let’s Encrypt failures happen because the domain does not validate correctly. Before issuing the certificate, confirm the following:

  • DNS points correctly: the domain points to the correct hosting server.
  • WWW and root DNS: the WWW and non-WWW DNS records are correct.
  • Subdomains exist: required subdomains exist in DNS.
  • Site responds publicly: the website responds publicly.
  • Ports reachable: ports 80 and 443 are reachable.
  • Firewall allows validation: no firewall blocks validation.
  • Domain in hosting: the hosting account includes the domain.
  • No SSL conflict: old SSL configuration will not conflict.
  • CAA allows Let’s Encrypt: CAA records allow Let’s Encrypt if CAA is used.

Installation methods

Hosting panel

Many shared hosting providers offer a one-click SSL or AutoSSL option.

cPanel

Use SSL/TLS Status or AutoSSL to issue and renew certificates.

Plesk

Use the SSL/TLS Certificates or Let’s Encrypt extension.

VPS with Certbot

Install Certbot and issue certificates from the command line.

Managed WordPress

Use the hosting dashboard or platform SSL settings.

CDN or proxy

Some CDNs issue edge certificates separately from the origin certificate.

The exact process depends on your hosting provider, but the validation principles are the same.

If a CDN or reverse proxy sits in front of your website, HTTPS may terminate at the CDN instead of the origin server. Check the edge certificate at the CDN, origin certificate on hosting, proxy mode, HTTP-to-HTTPS redirects, validation path access and whether the CDN blocks ACME validation.

Sometimes the public visitor sees the CDN certificate, while your origin server uses a different certificate.

HTTP-01 vs DNS-01

Let’s Encrypt must verify that you control the domain before issuing a certificate.

HTTP-01 validation

  • How it works: Let’s Encrypt checks a temporary file on your website.
  • Best for: Most normal websites and hosting panels.
  • Common problem: Validation fails if the domain points elsewhere, redirects incorrectly or blocks the challenge path.

DNS-01 validation

  • How it works: You add a special DNS TXT record to prove domain control.
  • Best for: Wildcard certificates and advanced setups.
  • Common problem: Validation fails if DNS is added at the wrong provider or has not propagated.

Wildcard certificates usually require DNS-01 validation.

Hosting panel install

  1. Log in to your hosting control panel.
  2. Open SSL/TLS, AutoSSL, Let’s Encrypt or Security settings.
  3. Select the domain and needed aliases, such as www.
  4. Issue or install the certificate.
  5. Wait for validation to complete.
  6. Enable HTTPS redirect if available.
  7. Open the website over HTTPS.
  8. Run SSL Checker to confirm the certificate is active.

If the panel shows validation errors, check DNS, domain aliases, redirects and CAA records.

Certbot install

On a VPS or dedicated server, Let’s Encrypt is often installed with Certbot.

For Nginx:

    sudo certbot --nginx -d example.com -d www.example.com

For Apache:

    sudo certbot --apache -d example.com -d www.example.com

Certificate only:

    sudo certbot certonly -d example.com -d www.example.com

Test renewal:

    sudo certbot renew --dry-run

Commands vary by OS, web server and hosting setup. Do not run commands blindly on production servers without understanding the server configuration.

Why this matters

This matters because SSL installation is not only about getting a certificate once. The certificate must cover the right hostnames, be installed on the active server, redirect traffic correctly and renew automatically before expiry.

A Let’s Encrypt certificate that fails to renew can create browser warnings and make the site look broken overnight.

How to check SSL

Use SSL Checker after installation to confirm the public website is serving the correct certificate.

When checking a Let’s Encrypt certificate, review the following six points. They help confirm the installation succeeded.

Issuer

Confirm the certificate is issued by Let’s Encrypt or the expected CA.

Hostname coverage

Check root domain, www and required subdomains.

Expiry date

Confirm the certificate is valid and note renewal timing.

Certificate chain

Confirm the full chain is installed.

Active endpoint

Check whether hosting, CDN or proxy serves the certificate.

HTTPS redirect

Confirm HTTP redirects to HTTPS correctly.
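
The hostname coverage check above can be scripted. The following is an added example, not part of the original guide: it takes the Subject Alternative Name text that OpenSSL prints and reports which required hostnames the certificate does not cover, including the wildcard rule. The function names and the sample SAN text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): hostname coverage check.
# Input is the SAN text printed by, for example (OpenSSL 1.1.1 or later):
#   echo | openssl s_client -connect example.com:443 -servername example.com \
#     2>/dev/null | openssl x509 -noout -ext subjectAltName

# san_covers <hostname> <san-text>: status 0 if a DNS entry covers the host.
san_covers() {
    printf '%s\n' "$2" | awk -v host="$1" '
        BEGIN {
            host = tolower(host)
            parent = host                  # host minus its left-most label
            sub(/^[^.]+\./, "", parent)
        }
        {
            n = split(tolower($0), entry, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                name = entry[i]
                if (sub(/^[ \t]*dns:/, "", name) == 0) continue  # not a DNS entry
                if (name == host) found = 1                      # exact match
                # A wildcard stands for exactly one left-most label.
                if (substr(name, 1, 2) == "*." && parent != host &&
                    substr(name, 3) == parent) found = 1
            }
        }
        END { exit !found }'
}

# missing_hosts <san-text> <host>...: print each required host not covered.
missing_hosts() (
    san=$1; shift
    for h in "$@"; do
        san_covers "$h" "$san" || echo "$h"
    done
)

# Constructed sample SAN text (not taken from a real certificate).
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.shop.example.com'

missing_hosts "$SAMPLE_SAN" example.com www.example.com \
    cart.shop.example.com shop.example.com
```

With the sample input it prints www.example.com and shop.example.com: the root name alone does not cover www, and a wildcard does not cover its own base name.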

Common problems

Domain points to wrong server

High

Let’s Encrypt validation checks the server where DNS points, not the server where you clicked install.

Next step: Fix A/AAAA/CNAME records or install SSL on the active server.

HTTP validation blocked

High

The challenge file cannot be reached because of firewall, redirects, security rules or web server configuration.

Next step: Allow the .well-known/acme-challenge path and check port 80.

WWW not included

Medium

The certificate covers example.com but not www.example.com.

Next step: Issue a certificate including both root and www, or redirect consistently.

CAA blocks issuance

High

CAA records do not allow Let’s Encrypt to issue certificates.

Next step: Update CAA to allow letsencrypt.org or remove restrictive CAA after review.

Wildcard validation fails

Medium

Wildcard certificates require DNS-01 validation, and the TXT record may be missing or added at the wrong provider.

Next step: Add the DNS TXT record at the active DNS provider and wait for propagation.

Certificate issued but not installed

High

The certificate exists, but the public server still serves an old or wrong certificate.

Next step: Install the certificate on the active server, CDN or proxy and reload services.

Auto-renewal not working

High

The certificate may expire because renewal is not scheduled or validation fails during renewal.

Next step: Test renewal and check hosting/Certbot renewal logs.

Mixed content after HTTPS works

Medium

The certificate is valid, but the page loads HTTP assets.

Next step: Update website URLs, scripts, images and stylesheets to HTTPS.

How to fix issues

  1. Confirm DNS points correctly

    Check A, AAAA and CNAME records for root, www and subdomains.

  2. Confirm the domain exists in hosting

    Make sure the domain or alias is added to the correct hosting account.

  3. Check validation method

    Use HTTP-01 for normal sites or DNS-01 for wildcard certificates.

  4. Allow validation paths

    Make sure .well-known/acme-challenge is publicly reachable.

  5. Review CAA records

    If CAA exists, confirm Let’s Encrypt is allowed.

  6. Install the certificate on the active endpoint

    Update hosting, server, CDN, proxy or load balancer depending on where HTTPS terminates.

  7. Enable auto-renewal

    Confirm hosting AutoSSL or Certbot renewal is active.

  8. Test after installation

    Use SSL Checker and browser tests to confirm HTTPS works.

Auto-renewal checklist

Auto-renewal should be tested before the certificate is close to expiry. Confirm the following:

  • Renewal enabled: renewal is enabled in hosting panel or Certbot.
  • DNS unchanged: the domain still points to the same server.
  • HTTP path open: the HTTP validation path is not blocked.
  • CAA allows LE: CAA still allows Let’s Encrypt.
  • Port 80 reachable: port 80 remains reachable if using HTTP-01.
  • DNS API works: DNS API credentials work if using DNS-01.
  • Renewal test passes: the renewal test passes.
  • Monitoring in place: alerts or monitoring exist before expiry.

Check examples

Check certificate:

    openssl s_client -connect example.com:443 -servername example.com

Check issuer and dates:

    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer -dates

Check HTTP challenge path:

    curl -I http://example.com/.well-known/acme-challenge/test

Check HTTPS:

    curl -I https://example.com

Certbot renewal test:

    sudo certbot renew --dry-run

DNS check:

    dig example.com A
    dig www.example.com A
    dig example.com CAA

These examples are illustrative. Replace example.com with your real domain and use commands that match your server environment.
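
To interpret the output of the CAA lookup above, the following added example (not part of the original guide) decides whether a CAA record set permits letsencrypt.org to issue for a normal or a wildcard name. The function names and the sample records are constructed, and the sketch assumes no critical-flag handling and that the record set passed in is the one that applies to the name.

```sh
#!/bin/sh
# Added example (not from the original guide): evaluate CAA output for a CA.
# stdin : `dig +short <domain> CAA` lines, e.g.  0 issue "letsencrypt.org"
# usage : caa_allows <ca-domain> <normal|wildcard>
# status: 0 = CAA permits issuance, 1 = CAA blocks it

# Print the issuer domain of every record with the given tag, one per line.
# An empty issuer (the value ";") is printed as "-" so it never matches a CA.
caa_values() {   # $1 = tag, stdin = records
    awk -v tag="$1" '
        tolower($2) == tag {
            $1 = ""; $2 = ""        # drop the flags and tag fields
            gsub(/"/, "")           # strip the quotes dig prints
            sub(/;.*/, "")          # drop parameters such as validationmethods=
            gsub(/[ \t]/, "")
            if (length($0)) print tolower($0); else print "-"
        }'
}

caa_allows() (
    ca=$1 kind=$2
    records=$(cat)
    allowed=$(printf '%s\n' "$records" | caa_values issue)
    if [ "$kind" = wildcard ]; then
        wild=$(printf '%s\n' "$records" | caa_values issuewild)
        # issuewild, when present, replaces issue for wildcard names.
        if [ -n "$wild" ]; then allowed=$wild; fi
    fi
    # Nothing restricts this kind of name: any CA may issue.
    if [ -z "$allowed" ]; then exit 0; fi
    printf '%s\n' "$allowed" | grep -qxF "$ca"
)

# Constructed sample record set (not real DNS data).
SAMPLE_CAA='0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:security@example.com"'

caa_report() {   # $1 = record set; prints one verdict per name type
    for kind in normal wildcard; do
        if printf '%s\n' "$1" | caa_allows letsencrypt.org "$kind"; then
            echo "$kind: allowed"
        else
            echo "$kind: blocked"
        fi
    done
}

caa_report "$SAMPLE_CAA"
```

For the sample records it reports normal names as allowed and wildcard names as blocked. When a hostname returns no CAA records, a CA checks the parent domains in turn, so run the lookup on the parent domain as well before concluding that CAA is not in use.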

Frequently asked questions

Is Let’s Encrypt free?

Yes. Let’s Encrypt provides free SSL/TLS certificates.

How long do Let’s Encrypt certificates last?

They are short-lived and should be renewed automatically before expiry.

Can I use Let’s Encrypt on shared hosting?

Yes, if the hosting provider supports Let’s Encrypt or AutoSSL.

Do I need Certbot?

Only if you manage the server directly. Many hosting panels handle Let’s Encrypt without Certbot.

Why did Let’s Encrypt validation fail?

Common causes include wrong DNS, blocked HTTP challenge path, firewall rules, CAA restrictions or adding DNS records at the wrong provider.

Can Let’s Encrypt issue wildcard certificates?

Yes, but wildcard certificates usually require DNS-01 validation.

Why is the old certificate still showing?

The new certificate may not be installed on the active server, CDN, proxy or load balancer.
