This page is for those setting up a site on the server themselves (SSH access required). If you just bought a VPS for software or a VPN, you most likely don’t need SSL here.
Certificate options
Universal SSL
Automatic in Cloudflare. Encrypts “browser ↔ CF”.
CF Origin CA
Free cert on the origin, 15 years. Encrypts “CF ↔ origin”.
Let's Encrypt
Public, 90 days, auto-renewal. For end-to-end encryption and Cloudflare's Full (Strict) mode.
Installing Let’s Encrypt
Everything below runs over SSH as root (the IP and password are in the server card in the bot). The server runs Ubuntu 22.04 by default.
Check the prerequisites
- The domain's A record points to the server IP (the one in the server card in the bot). How to add it: see DNS records.
- Ports 80 and 443 are open in the firewall.
- The web server (nginx or apache) is running.
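The three prerequisites above can be checked from the same SSH session before running certbot. The script below is an added example and is not part of the original page or of certbot; the domain and IP are placeholders, the firewall check assumes ufw (Ubuntu's default) and parses `ufw status` output, the port check parses `ss -ltn`, and the service check uses the systemd unit names nginx and apache2. A failing line maps onto the Timeout, Domain not found and Connection refused rows of the Common errors table.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks to run over SSH
# before `certbot`. Assumptions: example.com / 203.0.113.10 are placeholders,
# ufw is the firewall, and the web server is the nginx or apache2 systemd unit.

# Resolve IPv4 A records with getent (present on any glibc system), one per line.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Pure helper: does IP $1 appear in the newline-separated list $2?
ip_in_list() {
    printf '%s\n' "$2" | grep -Fxq "$1"
}

# Pure helper: extract listening TCP ports from `ss -ltn` output read on stdin.
# Takes the text after the last colon, so "0.0.0.0:80", "*:443" and "[::]:443" all work.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Pure helper: is port $1 present in the newline-separated port list $2?
port_in_list() {
    printf '%s\n' "$2" | grep -Fxq "$1"
}

# Pure helper: does `ufw status` output ($2) allow TCP port $1?
# An inactive ufw blocks nothing, so that counts as allowed.
ufw_allows_port() {
    port="$1"; status="$2"
    if printf '%s\n' "$status" | grep -q '^Status: inactive'; then
        return 0
    fi
    printf '%s\n' "$status" | grep -Eq "^${port}(/tcp)?[[:space:]]+ALLOW"
}

# Live check: is nginx or apache2 active?
webserver_active() {
    for unit in nginx apache2; do
        systemctl is-active --quiet "$unit" 2>/dev/null && return 0
    done
    return 1
}

# Run every check, print one line each, return non-zero if any failed.
preflight() {
    domain="$1"; server_ip="$2"; rc=0
    a_records="$(resolve_a "$domain")"
    if ip_in_list "$server_ip" "$a_records"; then
        echo "ok   A record for $domain points to $server_ip"
    else
        echo "FAIL $domain resolves to: ${a_records:-nothing} (expected $server_ip)"; rc=1
    fi
    ports="$(ss -ltn 2>/dev/null | listening_ports)"
    fw="$(ufw status 2>/dev/null)"
    for p in 80 443; do
        if port_in_list "$p" "$ports"; then
            echo "ok   port $p is listening"
        else
            echo "FAIL nothing listens on port $p"; rc=1
        fi
        if ufw_allows_port "$p" "$fw"; then
            echo "ok   ufw allows port $p"
        else
            echo "FAIL ufw blocks port $p (sudo ufw allow $p/tcp)"; rc=1
        fi
    done
    if webserver_active; then
        echo "ok   nginx or apache2 is active"
    else
        echo "FAIL neither nginx nor apache2 is active (sudo systemctl start nginx)"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh example.com 203.0.113.10   (placeholder domain and IP)
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it with the domain and the IP from the server card; every FAIL line is something certbot would otherwise report as one of the errors in the table further down.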
Renewal
The certificate lives for 90 days. Certbot installs a system auto-renewal timer; nothing needs configuring. To check:
Wildcard (*.example.com)
Only via the DNS challenge:
Certbot asks you to create an _acme-challenge TXT record in your domain's DNS. Wait for the record to propagate, and only then press Enter.
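Two small helpers for the Renewal and Wildcard steps above, added here as an example and not taken from the page or from certbot: the first confirms on public resolvers that the _acme-challenge TXT record carries the token certbot showed, so you know when it is safe to press Enter; the second confirms the renewal timer is in place, runs certbot's dry-run renewal, and reports how many days the live certificate has left. Assumptions: example.com is a placeholder, dig (dnsutils) and openssl are installed, 1.1.1.1 and 8.8.8.8 are the resolvers queried, the timer unit is certbot.timer (apt) or snap.certbot.renew.timer (snap), and date -d is GNU date as on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: placeholder domain,
# dig and openssl installed, GNU date, certbot's systemd timer unit names.

# Pure helper: `dig +short TXT` prints each record as a quoted string;
# strip the quotes and look for an exact match with the expected token.
txt_has_token() {
    expected="$1"; dig_output="$2"
    printf '%s\n' "$dig_output" | tr -d '"' | grep -Fxq "$expected"
}

# Live check: is the token visible on each public resolver yet?
txt_propagated() {
    name="_acme-challenge.$1"; token="$2"
    for r in 1.1.1.1 8.8.8.8; do
        out="$(dig +short TXT "$name" "@$r" 2>/dev/null)"
        if txt_has_token "$token" "$out"; then
            echo "ok   $r sees the token for $name"
        else
            echo "WAIT $r does not see the token yet, do not press Enter"
            return 1
        fi
    done
}

# Pure helper: whole days from epoch-seconds $1 (now) to $2 (expiry).
days_left() {
    echo $(( ($2 - $1) / 86400 ))
}

# Pure helper: certbot's default is to renew when fewer than 30 days remain.
renewal_due() {
    [ "$1" -lt 30 ]
}

# Live check: days left on the certificate certbot installed for a domain.
cert_days_left() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    end="$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')"
    days_left "$(date +%s)" "$(date -d "$end" +%s)"
}

# Live check: the auto-renewal timer exists and is active, then a dry run.
renewal_check() {
    for t in certbot.timer snap.certbot.renew.timer; do
        if systemctl is-active --quiet "$t" 2>/dev/null; then
            echo "ok   $t is active"
            certbot renew --dry-run
            return $?
        fi
    done
    echo "FAIL no certbot renewal timer is active (systemctl list-timers)"
    return 1
}

# Usage (placeholders):
#   sh certops.sh txt example.com <token shown by certbot>
#   sh certops.sh renew example.com
case "${1:-}" in
    txt)   txt_propagated "$2" "$3" ;;
    renew) renewal_check && echo "days left: $(cert_days_left "$2")" ;;
esac
```

For the wildcard flow, keep the certbot prompt open in one terminal and run the txt check in another until both resolvers report ok; a WAIT from only one resolver means propagation is still in progress.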
Common errors
| Error | Cause | What to do |
|---|---|---|
| Timeout | Port 80 is closed | Open it in the firewall |
| Domain not found | The A record hasn’t propagated | Wait, check DNS |
| Connection refused | nginx/apache isn’t running | sudo systemctl start nginx |
| Rate limit | Too many requests | Wait. Limit: 5 failures/hour, 50 certificates/domain/week |
Where to next
Web server (Nginx)
Configure Nginx to work with the certificate.
Server hardening
The next step — close off the remaining gaps.