# How to install a free SSL certificate with Certbot and Nginx

### What you will get

By the end of this tutorial, you will have:

* a free SSL certificate from Let's Encrypt
* HTTPS enabled for your website
* automatic certificate renewal

### Requirements before you start

* an active [domain](https://ititanhosting.com/) or subdomain
* an `A` or `AAAA` DNS record pointing to the server
* ports `80` and `443` open
* a working Nginx configuration

### 1. Check DNS resolution

From your local computer or the server:

```bash
nslookup example.com
```

or

```bash
dig +short example.com
```

The IP address returned should match your server's public IP address.

### 2. Install Certbot and the Nginx plugin

```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
```

### 3. Validate the Nginx configuration

Before requesting a certificate:

```bash
sudo nginx -t
```

If Nginx reports configuration errors, fix them before continuing.

### 4. Run Certbot

Example for the root domain and `www` variant:

```bash
sudo certbot --nginx -d example.com -d www.example.com
```

Certbot will ask for:

* your email address
* acceptance of the terms
* whether to automatically redirect HTTP to HTTPS

In most cases, automatic redirect to HTTPS is the right choice.

### 5. Test HTTPS access

Open this in a browser:

```
https://example.com
```

You can also test from the shell:

```bash
curl -I https://example.com
```

### 6. Verify automatic renewal

Run a renewal simulation:

```bash
sudo certbot renew --dry-run
```

If this succeeds, automatic renewal is correctly configured.
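
To confirm from the shell that the redirect chosen in step 4 is in place, the added example below (not part of the original tutorial) parses `curl -sI` output and passes only when plain HTTP answers with a permanent redirect to `https://` on the same host. The function names and the sample response are constructed for illustration.

```bash
# Added example: check that plain HTTP redirects to HTTPS on the same host.
# Function names are hypothetical; the sample response below is constructed.

# parse_head: read `curl -sI` output on stdin, print "<status> <location>".
parse_head() {
  tr -d '\r' | awk '
    /^HTTP\//                  { status = $2 }      # status line, e.g. HTTP/1.1 301
    tolower($1) == "location:" { location = $2 }    # header names are case-insensitive
    END                        { print status, location }'
}

# check_redirect HOST: read the response headers for http://HOST/ on stdin.
# Succeeds only for a permanent redirect (301 or 308) to https://HOST.
check_redirect() {
  cr_host=$1
  cr_head=$(parse_head)
  cr_status=${cr_head%% *}      # text before the first space
  cr_location=${cr_head#* }     # text after the first space (may be empty)
  case "$cr_status" in
    301|308) ;;
    302|303|307)
      echo "FAIL: temporary redirect ($cr_status), expected 301 or 308"
      return 1 ;;
    *)
      echo "FAIL: no redirect (status ${cr_status:-missing})"
      return 1 ;;
  esac
  # Match the host exactly so https://example.com.other.test/ is rejected.
  case "$cr_location" in
    "https://$cr_host"|"https://$cr_host"/*)
      echo "OK: $cr_status -> $cr_location" ;;
    *)
      echo "FAIL: redirect leaves the host or stays on HTTP: ${cr_location:-none}"
      return 1 ;;
  esac
}

# Constructed sample of `curl -sI http://example.com/` output.
sample='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/'
printf '%s\n' "$sample" | check_redirect example.com
```

Against a live server, pipe the real response in: `curl -sI http://example.com/ | check_redirect example.com`.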

### Where the certificates are stored

Certificate files are usually located in:

```
/etc/letsencrypt/live/example.com/
```

However, if you use the Certbot Nginx plugin, you normally do not need to reference those paths manually.

### Common issues

#### Certbot cannot validate the domain

Check that:

* DNS points to the correct IP
* port 80 is publicly reachable
* no other server or proxy is answering for that domain

#### Nginx fails after changes

Test the configuration:

```bash
sudo nginx -t
```

Then inspect logs:

```bash
sudo journalctl -u nginx --no-pager -n 50
```

### Best practices

* Use HTTPS on all public websites.
* Enable automatic redirect from HTTP to HTTPS.
* Recheck renewal after major server or DNS changes.
* If you use Cloudflare, make sure its SSL mode is configured properly to avoid loops or certificate errors.

### Conclusion

Certbot with Nginx is one of the fastest and most practical ways to secure a VPS-hosted website with a free certificate.
