The Problem: You Need HTTPS, But Paid SSL Isn’t in the Budget
Every website needs HTTPS. Google Chrome flags HTTP sites as “not secure.” Search engines rank HTTPS sites higher. Your visitors expect that padlock icon.
But SSL certificates cost money—or do they?
Let’s Encrypt provides free, automated SSL certificates trusted by all major browsers. We set up hundreds of these for customers every month. Here’s how to get free HTTPS working on your VPS in under 30 minutes.
What You’ll Need
Before we start, make sure you have:
- A domain name pointed to your server’s IP address (DNS A record configured)
- Root or sudo access to a Linux server (Ubuntu 20.04+ or similar)
- A web server installed (Nginx or Apache)
- Ports 80 and 443 open in your firewall
- 5-10 minutes of your time
Recommended hosting: A Cloud VPS with 1-2 GB RAM is sufficient for most sites. Canadian Web Hosting Cloud VPS plans start with full root access, Canadian data centres (Vancouver and Toronto), and 24/7 support if you get stuck.
What is Let’s Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA) run by the Internet Security Research Group. Major sponsors include Mozilla, Google, Facebook, and Cisco.
Key facts:
- Free: No cost for certificates, ever
- Automated: Software handles issuance and renewal
- Trusted: Certificates work in all major browsers
- Short-lived: 90-day validity (automated renewal handles this)
- Domain-validated: Proves you control the domain
For most websites, Let’s Encrypt is all you need. If you require Extended Validation (EV) certificates with company name in the browser bar, or wildcard certificates for multiple subdomains, paid SSL certificates are still the answer.
Installation: Get Certbot on Your Server
Certbot is the official Let’s Encrypt client. It automates the entire process.
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install Certbot
For Nginx:
sudo apt install certbot python3-certbot-nginx -y
For Apache:
sudo apt install certbot python3-certbot-apache -y
Step 3: Verify Installation
certbot --version
You should see output like certbot 1.21.0 or newer.
Obtain Your First Certificate
Option A: Automatic (Recommended for Most Users)
The --nginx or --apache plugins automatically configure your web server:
For Nginx:
sudo certbot --nginx -d example.com -d www.example.com
For Apache:
sudo certbot --apache -d example.com -d www.example.com
Certbot will:
- Ask for your email address (for expiry notifications)
- Ask you to agree to the terms of service
- Optionally ask if you want to share your email with EFF
- Ask if you want to redirect HTTP to HTTPS (choose yes for security)
That’s it. Your site now has HTTPS.
Option B: Manual Certificate (For Advanced Configs)
If you have a custom Nginx/Apache configuration, use the certonly mode:
sudo certbot certonly --nginx -d example.com -d www.example.com
This gives you the certificate files without modifying your web server config. You’ll find them at:
- /etc/letsencrypt/live/example.com/fullchain.pem (certificate)
- /etc/letsencrypt/live/example.com/privkey.pem (private key)
Then manually update your web server config to point to these files.
Verify HTTPS is Working
Check Your Site in a Browser
Visit https://example.com and look for:
- Padlock icon in the address bar
- No “not secure” warnings
Test with SSL Labs
Go to Qualys SSL Labs and test your domain. You should get an A or A+ rating.
Verify HTTP Redirects to HTTPS
curl -I http://example.com
You should see a 301 or 302 redirect to https://example.com.
Set Up Automatic Renewal
Let’s Encrypt certificates expire every 90 days. Don’t worry—Certbot handles renewal automatically.
Step 1: Test Renewal
sudo certbot renew --dry-run
This simulates renewal without actually doing it. If you see no errors, auto-renewal is configured.
Step 2: Verify the Systemd Timer
Certbot installs a systemd timer that runs twice daily:
sudo systemctl status certbot.timer
You should see active (waiting).
Step 3: Check Renewal Schedule
sudo certbot certificates
This shows all your certificates and when they expire. Certbot automatically renews certificates when they have less than 30 days remaining. For what happens when renewal fails and how to recover, see our SSL expiry recovery guide.
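Because renewal starts once fewer than 30 days remain, a certificate that gets much closer to expiry than that means renewal has been failing. The script below is an added example, not part of the original guide or of Certbot; the function names and the 20-day alert threshold are assumptions, and it reads the same /etc/letsencrypt/live/ layout shown earlier.

```shell
#!/bin/sh
# Added example: flag Certbot lineages whose renewal appears to be failing.
# Function names and the 20-day alert threshold are assumptions.

# Exit status: 0 = healthy, 1 = expires within $2 days (default 20),
# 2 = file missing or not a parseable certificate.
cert_renewal_status() {
    pem=$1
    alert_days=${2:-20}
    [ -r "$pem" ] || return 2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    # For fullchain.pem, openssl reads the first certificate (the leaf).
    if openssl x509 -in "$pem" -noout \
            -checkend "$((alert_days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Check <dir>/*/fullchain.pem; print a line per problem, return 1 if any.
check_live_dir() {
    live=${1:-/etc/letsencrypt/live}
    problems=0
    for f in "$live"/*/fullchain.pem; do
        [ -e "$f" ] || continue
        rc=0
        cert_renewal_status "$f" "${2:-20}" || rc=$?
        case "$rc" in
            1) echo "RENEWAL OVERDUE: $f"; problems=1 ;;
            2) echo "UNREADABLE: $f"; problems=1 ;;
        esac
    done
    return "$problems"
}

# Run from cron as root with: sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_live_dir "${2:-/etc/letsencrypt/live}"
fi
```

A certificate inside the 20-day window has already missed about ten days of twice-daily renewal attempts, so treat a non-zero exit as an alert rather than a warning.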
Troubleshooting Common Issues
“Connection refused” or “Timeout” Errors
Cause: Your firewall is blocking port 80 or 443, or your web server isn’t running.
Fix:
# Check firewall
sudo ufw status
# Allow HTTP and HTTPS if needed
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Check web server status
sudo systemctl status nginx # or apache2
“Domain not found” or DNS Errors
Cause: Your domain’s DNS A record doesn’t point to your server IP.
Fix:
# Check DNS resolution
dig example.com +short
# Should return your server's IP address
If it returns nothing or the wrong IP, update your DNS records at your domain registrar. DNS changes can take up to 48 hours to propagate (usually much faster).
“Rate Limit Exceeded”
Cause: You’ve requested too many certificates for the same domain in a short period.
Fix: Let’s Encrypt limits you to 5 certificates per domain per week. Use the staging server for testing:
sudo certbot --nginx --test-cert -d example.com
Staging certificates aren’t trusted by browsers but have much higher rate limits.
Certificate Works but Browser Shows “Mixed Content”
Cause: Your page loads some resources (images, scripts) over HTTP.
Fix: Update all resource URLs to use https:// or protocol-relative URLs //. See our guide on fixing mixed content warnings for detailed steps.
Auto-Renewal Fails
Cause: Web server not restarting after renewal, or port 80 blocked during renewal.
Fix: Certbot needs to temporarily start a standalone server on port 80 for renewal. If Nginx/Apache is using port 80, use the webroot method:
sudo certbot certonly --webroot -w /var/www/html -d example.com
Then manually reload your web server:
sudo systemctl reload nginx # or apache2
Production Hardening
Enable HSTS (HTTP Strict Transport Security)
HSTS forces browsers to always use HTTPS for your site:
Nginx: Add to your server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache: Add to your VirtualHost:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Warning: Only enable HSTS after you’re confident HTTPS works everywhere. It’s hard to undo (browsers cache it for a year).
Strong Cipher Suites
Certbot configures reasonable defaults, but you can tighten them:
Nginx:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
OCSP Stapling
Improves SSL handshake performance:
Nginx:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Security Headers
Add these headers for defense-in-depth:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
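The HTTP-to-HTTPS redirect check from earlier and the headers added in this hardening section can be verified together from `curl -sI` output. The script below is an added example, not part of the original guide; its function names are hypothetical and the sample responses are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: audit response headers captured with `curl -sI`.
# All function names are hypothetical; the sample responses are constructed.

# Print the value of header $1 (case-insensitive) from headers on stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { FS = ":"; name = tolower(name) }
        tolower($1) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed when stdin is a 301/302 response whose Location is an https:// URL.
redirects_to_https() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
    target=$(printf '%s\n' "$hdrs" | header_value location)
    case "$status" in 301|302) ;; *) return 1 ;; esac
    case "$target" in https://*) return 0 ;; *) return 1 ;; esac
}

# Succeed when HSTS is present with max-age of at least $1 seconds.
hsts_at_least() {
    age=$(header_value strict-transport-security | tr 'A-Z' 'a-z' |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$1" ]
}

# Print each header from the hardening section that the response lacks.
missing_security_headers() {
    hdrs=$(cat)
    for h in strict-transport-security x-frame-options \
             x-content-type-options x-xss-protection; do
        [ -n "$(printf '%s\n' "$hdrs" | header_value "$h")" ] || echo "$h"
    done
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://example.com/'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN'

printf '%s\n' "$SAMPLE_HTTP" | redirects_to_https && echo "redirect: ok"
printf '%s\n' "$SAMPLE_HTTPS" | hsts_at_least 31536000 && echo "hsts: ok"
printf '%s\n' "$SAMPLE_HTTPS" | missing_security_headers | sed 's/^/missing: /'
# Live use: curl -sI https://example.com | missing_security_headers
```

Nginx only inherits `add_header` directives into a block that declares none of its own, so run the check against several paths (static assets, API routes, error pages) and not just the home page.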
When Let’s Encrypt Isn’t Enough
Let’s Encrypt is perfect for most websites, but consider paid SSL certificates when:
- You need Extended Validation (EV): EV certificates show your company name in the browser bar (green bar in older browsers). Required for some financial and healthcare applications.
- You need a wildcard certificate: Let’s Encrypt supports wildcards, but requires DNS validation which is more complex to set up. See our wildcard SSL certificate guide.
- You need multi-year certificates: Let’s Encrypt caps at 90 days. If you need longer validity for compliance reasons, paid certs offer 1-2 year options.
- You want warranty coverage: Paid certificates include warranty coverage if the CA makes an error that causes your certificate to be compromised.
Canadian Web Hosting SSL certificates include EV options, wildcards, and warranty coverage with Canadian support.
Conclusion
You now have free, trusted HTTPS on your VPS with automatic renewal. The entire setup takes less than 30 minutes and costs nothing.
Key takeaways:
- Let’s Encrypt provides free SSL trusted by all major browsers
- Certbot automates certificate issuance and renewal
- Set it once, and it renews automatically every 90 days
- Add security headers and HSTS for production-grade HTTPS
- For EV or wildcard needs, consider paid SSL certificates
Next steps:
- Test your SSL configuration at SSL Labs
- Set up monitoring so you know if renewal ever fails
- Consider Managed Support if you’d rather have our team handle SSL and server security for you
Need help? Our team sets up HTTPS for customers every day. If you hit a roadblock, contact Canadian Web Hosting support and we’ll get you sorted.