Skip to main content

VPS Create SSL certificate (Let's Encrypt) for Linux server

What is Let's Encrypt?

Let's Encrypt is a Certificate Authority (CA) that offers free SSL/TLS certificates. This way you can get a valid SSL certificate for your domain for free. The certificates can only be requested from the server the domain points to. Let's Encrypt checks the DNS of the domain which points to the current server. Then the certificate will be generated. In this tutorial we explain the setup with both Apache and Nginx web servers.


In order to generate an SSL certificate, it is essential that the DNS settings have already been set so that the domain points to the service. It is also important that a web server is installed. If not yet done, a web server of your choice must be installed. Both Apache and Nginx can be used. The services can be set up with the following commands: Apache:

sudo apt-get install apache2


sudo apt-get install nginx


If all points have been considered in the preparation, then we can start with the actual setup of Let's Encrypt. To do so, we first need the Let's Encrypt client, which we can use to generate the certificate afterwards:

sudo apt-get install git
sudo git clone /opt/letsencrypt
cd /opt/letsencrypt

Now we can generate the SSL certificate. The command for this looks like this:

sudo -H ./letsencrypt-auto certonly --standalone -d -d

For each additional domain/subdomain name a -d must be added. Instead of you add your ordered domain name to it. You will then be asked to enter a e-mail address. Press Enter to confirm your input. After that you have to confirm the terms of use:

Please read the Terms of Service at You must
agree in order to register with the ACME server at
(A)gree/(C)ancel: a

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: n

If everything is fine, then you will see a message like the following. This message means that Let's Encrypt has approved and created your certificate.

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-05-27. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:

Finally, the virtual host file of the web server must be adjusted accordingly. Depending on the web server the following options have to be adjusted: Apache:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/


ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

Renew SSL certificate automatically (optional)

Furthermore, the renewal of certificates can also be automated. This prevents the certificates from expiring. You can implement this with a cronjob. Execute the command sudo crontab -e and add the following content at the end:

0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew