Installing a Let's Encrypt Certificate on Your Hosting
Learn how to install a free Let’s Encrypt SSL certificate, verify domain validation, enable HTTPS and avoid common renewal problems.
Introduction
Let’s Encrypt provides free SSL/TLS certificates that allow websites to load securely over HTTPS. Many hosting panels can install and renew Let’s Encrypt certificates automatically, while VPS or dedicated servers may use tools such as Certbot or hosting control panels.
A successful Let’s Encrypt setup depends on correct DNS, working domain validation, proper certificate installation and automatic renewal. If DNS points to the wrong server, HTTP validation is blocked, or renewal is not configured, HTTPS can fail later even if the first installation works.
Quick answer
To install Let’s Encrypt, make sure the domain points to the correct hosting server, issue the certificate through your hosting panel or Certbot, verify that HTTPS loads correctly, redirect HTTP to HTTPS, and confirm automatic renewal works before the certificate expires.
Let’s Encrypt
Let’s Encrypt is a free, automated certificate authority that issues SSL/TLS certificates for domains. These certificates allow websites to use HTTPS.
Let’s Encrypt certificates are commonly installed through:
- Hosting control panels
- cPanel AutoSSL
- Plesk SSL tools
- Certbot on VPS or dedicated servers
- Managed WordPress hosting
- CDN or proxy providers
Let’s Encrypt certificates are usually valid for a shorter period and should be renewed automatically.
Before installation
Most Let’s Encrypt failures happen because the domain does not validate correctly. Before issuing the certificate, confirm:
- DNS points correctly: Domain points to the correct hosting server.
- WWW and root DNS: WWW and non-WWW DNS records are correct.
- Subdomains exist: Required subdomains exist in DNS.
- Site responds publicly: Website responds publicly.
- Ports reachable: Port 80 and 443 are reachable.
- Firewall allows validation: No firewall blocks validation.
- Domain in hosting: Hosting account includes the domain.
- No SSL conflict: Old SSL configuration will not conflict.
- CAA allows Let’s Encrypt: CAA records allow Let’s Encrypt if CAA is used.
Installation methods
- Hosting panel: Many shared hosting providers offer a one-click SSL or AutoSSL option.
- cPanel: Use SSL/TLS Status or AutoSSL to issue and renew certificates.
- Plesk: Use the SSL/TLS Certificates or Let’s Encrypt extension.
- VPS with Certbot: Install Certbot and issue certificates from the command line.
- Managed WordPress: Use the hosting dashboard or platform SSL settings.
- CDN or proxy: Some CDNs issue edge certificates separately from the origin certificate.
The exact process depends on your hosting provider, but the validation principles are the same.
If a CDN or reverse proxy sits in front of your website, HTTPS may terminate at the CDN instead of the origin server. Check the edge certificate at the CDN, the origin certificate on the hosting server, the proxy mode, the HTTP-to-HTTPS redirects, access to the validation path and whether the CDN blocks ACME validation.
Sometimes the public visitor sees the CDN certificate, while your origin server uses a different certificate.
HTTP-01 vs DNS-01
Let’s Encrypt must verify that you control the domain before issuing a certificate.
HTTP-01 validation
- How it works: Let’s Encrypt checks a temporary file on your website.
- Best for: Most normal websites and hosting panels.
- Common problem: Validation fails if the domain points elsewhere, redirects incorrectly or blocks the challenge path.
DNS-01 validation
- How it works: You add a special DNS TXT record to prove domain control.
- Best for: Wildcard certificates and advanced setups.
- Common problem: Validation fails if DNS is added at the wrong provider or has not propagated.
Wildcard certificates usually require DNS-01 validation.
Hosting panel install
- Log in to your hosting control panel.
- Open SSL/TLS, AutoSSL, Let’s Encrypt or Security settings.
- Select the domain and needed aliases, such as www.
- Issue or install the certificate.
- Wait for validation to complete.
- Enable HTTPS redirect if available.
- Open the website over HTTPS.
- Run SSL Checker to confirm the certificate is active.
If the panel shows validation errors, check DNS, domain aliases, redirects and CAA records.
Certbot install
On a VPS or dedicated server, Let’s Encrypt is often installed with Certbot.
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot --apache -d example.com -d www.example.com
sudo certbot certonly -d example.com -d www.example.com
sudo certbot renew --dry-run
Commands vary by OS, web server and hosting setup. Do not run commands blindly on production servers without understanding the server configuration.
Why this matters
This matters because SSL installation is not only about getting a certificate once. The certificate must cover the right hostnames, be installed on the active server, redirect traffic correctly and renew automatically before expiry.
A Let’s Encrypt certificate that fails to renew can create browser warnings and make the site look broken overnight.
How to check SSL
Use SSL Checker after installation to confirm the public website is serving the correct certificate.
When checking Let’s Encrypt, review the items below. These six checks help confirm installation succeeded.
- Issuer: Confirm the certificate is issued by Let’s Encrypt or the expected CA.
- Hostname coverage: Check root domain, www and required subdomains.
- Expiry date: Confirm the certificate is valid and note renewal timing.
- Certificate chain: Confirm the full chain is installed.
- Active endpoint: Check whether hosting, CDN or proxy serves the certificate.
- HTTPS redirect: Confirm HTTP redirects to HTTPS correctly.
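The hostname coverage check can be scripted. The following is an added example, not part of the original guide: the function names san_covers and missing_names and the sample certificate text are constructed for illustration, and the input is the subjectAltName text that `openssl x509 -noout -ext subjectAltName` prints.

```shell
#!/bin/sh
# san_covers HOST < san-text
# Exits 0 if HOST is covered by one of the DNS entries on stdin, 1 otherwise.
san_covers() {
    awk -v host="$1" '
    BEGIN { host = tolower(host) }
    {
        n = split($0, parts, ",")
        for (i = 1; i <= n; i++) {
            name = tolower(parts[i]); gsub(/[ \t]/, "", name)
            if (sub(/^dns:/, "", name) == 0) continue   # not a DNS entry
            if (name == host) { found = 1; continue }
            if (substr(name, 1, 2) != "*.") continue
            # A wildcard stands for exactly one left-most label:
            # *.example.com covers www.example.com, but neither
            # example.com nor a.b.example.com.
            suffix = substr(name, 2)                    # ".example.com"
            cut = length(host) - length(suffix)
            if (cut > 0 && substr(host, cut + 1) == suffix &&
                index(substr(host, 1, cut), ".") == 0) found = 1
        }
    }
    END { exit(found ? 0 : 1) }'
}

# missing_names "HOST HOST ..." < san-text
# Prints every required hostname the certificate does not cover.
missing_names() {
    san=$(cat)
    for h in $1; do
        printf '%s\n' "$san" | san_covers "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample: a certificate issued for the root domain only.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.com'
printf '%s\n' "$SAMPLE_SAN" | missing_names "example.com www.example.com"
```

Any hostname printed by missing_names has to be added to the next certificate request or redirected to a covered name.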
Common problems
Domain points to wrong server
Severity: High. Let’s Encrypt validation checks the server where DNS points, not the server where you clicked install.
Next step: Fix A/AAAA/CNAME records or install SSL on the active server.
HTTP validation blocked
Severity: High. The challenge file cannot be reached because of firewall, redirects, security rules or web server configuration.
Next step: Allow the .well-known/acme-challenge path and check port 80.
WWW not included
Severity: Medium. The certificate covers example.com but not www.example.com.
Next step: Issue a certificate including both root and www, or redirect consistently.
CAA blocks issuance
Severity: High. CAA records do not allow Let’s Encrypt to issue certificates.
Next step: Update CAA to allow letsencrypt.org or remove restrictive CAA after review.
Wildcard validation fails
Severity: Medium. Wildcard certificates require DNS-01 validation, and the TXT record may be missing or added at the wrong provider.
Next step: Add the DNS TXT record at the active DNS provider and wait for propagation.
Certificate issued but not installed
Severity: High. The certificate exists, but the public server still serves an old or wrong certificate.
Next step: Install the certificate on the active server, CDN or proxy and reload services.
Auto-renewal not working
Severity: High. The certificate may expire because renewal is not scheduled or validation fails during renewal.
Next step: Test renewal and check hosting/Certbot renewal logs.
Mixed content after HTTPS works
Severity: Medium. The certificate is valid, but the page loads HTTP assets.
Next step: Update website URLs, scripts, images and stylesheets to HTTPS.
How to fix issues
- Step 1: Confirm DNS points correctly. Check A, AAAA and CNAME records for root, www and subdomains.
- Step 2: Confirm the domain exists in hosting. Make sure the domain or alias is added to the correct hosting account.
- Step 3: Check validation method. Use HTTP-01 for normal sites or DNS-01 for wildcard certificates.
- Step 4: Allow validation paths. Make sure .well-known/acme-challenge is publicly reachable.
- Step 5: Review CAA records. If CAA exists, confirm Let’s Encrypt is allowed.
- Step 6: Install the certificate on the active endpoint. Update hosting, server, CDN, proxy or load balancer depending on where HTTPS terminates.
- Step 7: Enable auto-renewal. Confirm hosting AutoSSL or Certbot renewal is active.
- Step 8: Test after installation. Use SSL Checker and browser tests to confirm HTTPS works.
Auto-renewal checklist
Auto-renewal should be tested before the certificate is close to expiry. Confirm:
- Renewal enabled: Renewal is enabled in hosting panel or Certbot.
- DNS unchanged: Domain still points to the same server.
- HTTP path open: HTTP validation path is not blocked.
- CAA allows LE: CAA still allows Let’s Encrypt.
- Port 80 reachable: Port 80 remains reachable if using HTTP-01.
- DNS API works: DNS API credentials work if using DNS-01.
- Renewal test passes.
- Monitoring in place: Alerts or monitoring exist before expiry.
Check examples
openssl s_client -connect example.com:443 -servername example.com
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer -dates
curl -I http://example.com/.well-known/acme-challenge/test
curl -I https://example.com
sudo certbot renew --dry-run
dig example.com A
dig www.example.com A
dig example.com CAA
These examples are illustrative. Replace example.com with your real domain and use commands that match your server environment.
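To interpret the output of the CAA lookup above, this added example (not part of the original guide) decides whether a record set permits issuance by letsencrypt.org for a normal or a wildcard name. The function name caa_allows and the sample records are constructed, and the input is assumed to be the record set that actually applies to the hostname, as printed by `dig +short example.com CAA`.

```shell
#!/bin/sh
# caa_allows CA KIND < caa-records
#   CA    issuer domain to look for, e.g. letsencrypt.org
#   KIND  "plain" for example.com or www.example.com,
#         "wildcard" for *.example.com
# stdin: one record per line: <flags> <tag> "<value>"
# Exit status: 0 = CA may issue, 1 = CAA blocks issuance.
caa_allows() {
    awk -v ca="$1" -v kind="$2" '
    function issuer(v) {   # drop quotes, spaces and any ";param=value" suffix
        gsub(/[" \t]/, "", v); sub(/;.*/, "", v)
        return tolower(v)
    }
    NF >= 3 {
        tag = tolower($2)
        val = $0; sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)
        if (tag == "issue")     { n_issue++; if (issuer(val) == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (issuer(val) == ca) ok_wild = 1 }
        # Other tags such as iodef do not affect who may issue.
    }
    END {
        # Wildcard names: issuewild records, when present, replace issue records.
        if (kind == "wildcard" && n_wild > 0) exit(ok_wild ? 0 : 1)
        # No issue record at all: issuance is not restricted.
        if (n_issue == 0) exit 0
        exit(ok_issue ? 0 : 1)
    }'
}

# Constructed record set: another CA is authorised for normal names,
# while wildcard issuance is given to Let's Encrypt.
SAMPLE_CAA='0 issue "ca.example.net"
0 issuewild "letsencrypt.org; validationmethods=dns-01"
0 iodef "mailto:security@example.com"'
for kind in plain wildcard; do
    if printf '%s\n' "$SAMPLE_CAA" | caa_allows letsencrypt.org "$kind"
    then echo "$kind: allowed"; else echo "$kind: blocked"; fi
done
```

A "blocked" result for the kind of certificate you are requesting corresponds to the "CAA blocks issuance" problem listed earlier.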
Frequently asked questions
Is Let’s Encrypt free?
Yes. Let’s Encrypt provides free SSL/TLS certificates.
How long do Let’s Encrypt certificates last?
They are short-lived and should be renewed automatically before expiry.
Can I use Let’s Encrypt on shared hosting?
Yes, if the hosting provider supports Let’s Encrypt or AutoSSL.
Do I need Certbot?
Only if you manage the server directly. Many hosting panels handle Let’s Encrypt without Certbot.
Why did Let’s Encrypt validation fail?
Common causes include wrong DNS, blocked HTTP challenge path, firewall rules, CAA restrictions or adding DNS records at the wrong provider.
Can Let’s Encrypt issue wildcard certificates?
Yes, but wildcard certificates usually require DNS-01 validation.
Why is the old certificate still showing?
The new certificate may not be installed on the active server, CDN, proxy or load balancer.