This page is for people setting up a site on the server themselves (SSH access required). If you bought the VPS only to run software or a VPN, you most likely do not need SSL at all.

Certificate options

Universal SSL

Issued and renewed automatically by Cloudflare for proxied hostnames. Encrypts “browser ↔ CF” only; what happens on the CF ↔ origin leg depends on the SSL/TLS mode (Flexible sends plain HTTP to the origin).

CF Origin CA

Free certificate for the origin, valid for up to 15 years. Encrypts “CF ↔ origin”. It is signed by Cloudflare’s own CA, so browsers do not trust it: it works only while traffic goes through the Cloudflare proxy and cannot be used if you turn the proxy off.

Let's Encrypt

Public CA, 90-day certificates, automatic renewal. Works for end-to-end setups without Cloudflare and for Full (Strict) behind it.
Production recommendation: Cloudflare Full (Strict) + Let’s Encrypt on the origin. Encryption from the browser all the way to the server, with no gaps. In Full (Strict) Cloudflare verifies the origin certificate on every connection, so an expired or self-signed one breaks the site (Cloudflare error 526) instead of silently downgrading.

Installing Let’s Encrypt

Everything below runs over SSH as root (the IP and password are in the server card in the bot). The server runs Ubuntu 22.04 by default.
1. Check the prerequisites

  • The domain’s A record points to the server IP (the one in the server card in the bot). How to add it: see DNS records. If the hostname is proxied through Cloudflare (orange cloud), public DNS returns Cloudflare addresses rather than yours; check the record in the Cloudflare dashboard instead. The HTTP challenge still reaches the origin through the proxy on port 80.
  • Ports 80 and 443 are open in the firewall. The challenge itself uses port 80 only; 443 is for serving the site afterwards.
  • The web server (nginx or apache) is running and answers on port 80 for the domain; the --nginx plugin in step 4 uses it to serve the challenge.

2. Update the system

sudo apt-get -y update && sudo apt-get -y upgrade

3. Install certbot

sudo apt-get -y install certbot python3-certbot-nginx
For Apache: python3-certbot-apache (and --apache instead of --nginx in the next step).

4. Get the certificate

sudo certbot certonly --nginx -d example.com -d www.example.com
Path: /etc/letsencrypt/live/example.com/. Point the web server at fullchain.pem (certificate plus intermediate) and privkey.pem from that directory; cert.pem is the leaf alone, without the chain, and is not what a server should serve. certonly only obtains the files: nginx is not reconfigured to use them, which is covered on the Nginx page. Every name you want covered has to be passed with -d; a certificate for example.com does not cover www.example.com.
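The four steps above as one script, added here as an example and not taken from the page or the provider’s tooling: it checks the step 1 prerequisites before calling certbot, passes a deploy hook so nginx reloads after every renewal, and prints what Cloudflare will see when it connects to the origin in Full (Strict). DOMAIN, SERVER_IP (203.0.113.10) and EMAIL are placeholders; replace them with the values from the server card.

```shell
#!/bin/sh
# Added example, not part of the original page: the four steps above as a
# script, with pre-flight checks and a deploy hook so nginx reloads after
# every renewal. Runs as root, as the page assumes. DOMAIN, SERVER_IP and
# EMAIL are placeholders; override them in the environment.
set -eu

DOMAIN="${DOMAIN:-example.com}"          # assumption: the site's domain
SERVER_IP="${SERVER_IP:-203.0.113.10}"   # assumption: IP from the server card
EMAIL="${EMAIL:-admin@example.com}"      # assumption: where expiry notices go
LIVE="/etc/letsencrypt/live/$DOMAIN"     # certbot's symlink directory for this cert

# True if one of the resolved addresses ($2...) equals the expected IP ($1).
a_record_matches() {
  expected="$1"; shift
  for ip in "$@"; do
    [ "$ip" = "$expected" ] && return 0
  done
  return 1
}

# True if some socket listens on TCP port $1. Reads `ss -ltnH` lines on stdin;
# column 4 is Local Address:Port (0.0.0.0:80, [::]:80, *:80), so compare the
# text after the last colon.
listening_on() {
  awk -v port="$1" '{ n = split($4, a, ":"); if (a[n] == port) found = 1 }
                    END { exit !found }'
}

# Step 1: prerequisites. DNS is resolved with getent (no extra packages).
preflight() {
  resolved=$(getent ahostsv4 "$DOMAIN" | awk '{ print $1 }' | sort -u) || true
  if a_record_matches "$SERVER_IP" $resolved; then
    echo "ok: $DOMAIN resolves to $SERVER_IP"
  else
    echo "warn: $DOMAIN resolves to '$(echo $resolved)', not $SERVER_IP."
    echo "      Expected if the hostname is proxied through Cloudflare: check the record in the dashboard."
  fi
  if ss -ltnH | listening_on 80; then
    echo "ok: a web server listens on :80 (the HTTP challenge arrives here)"
  else
    echo "fail: nothing listens on :80; start nginx/apache first"
    return 1
  fi
  # Firewall: only printed, read the rules for 80/tcp and 443/tcp yourself.
  if command -v ufw >/dev/null 2>&1; then ufw status; fi
}

# Step 4: obtain the certificate. certonly does not touch the nginx config;
# the deploy hook is stored in the renewal config and runs after each renewal.
issue() {
  certbot certonly --nginx -d "$DOMAIN" -d "www.$DOMAIN" \
    --non-interactive --agree-tos -m "$EMAIL" \
    --deploy-hook "systemctl reload nginx"
  ls -l "$LIVE/"        # fullchain.pem and privkey.pem are what nginx will point at
  openssl x509 -in "$LIVE/fullchain.pem" -noout -subject -issuer -enddate
}

# What Cloudflare sees in Full (Strict): connect to the origin IP directly
# with SNI and print the certificate it presents (nginx must already serve it).
verify_origin() {
  openssl s_client -connect "$SERVER_IP:443" -servername "$DOMAIN" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -enddate
}

# Nothing runs on load, so the checks can be sourced on their own.
if [ "${LE_RUN:-0}" = 1 ]; then
  apt-get -y update && apt-get -y upgrade              # step 2
  apt-get -y install certbot python3-certbot-nginx     # step 3 (Apache: python3-certbot-apache)
  preflight
  issue
fi
```

Run it as root with LE_RUN=1 once the DNS record is in place; without LE_RUN the file can be sourced and preflight or verify_origin called on their own. The DNS check warns rather than fails on a mismatch because a hostname proxied through Cloudflare legitimately resolves to Cloudflare addresses, and the script cannot tell that apart from a wrong record.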

Renewal

The certificate lives for 90 days. The certbot package installs a systemd timer (certbot.timer) that runs certbot renew twice a day and renews any certificate with fewer than 30 days left; the renewal itself needs no configuring. What is not automatic is telling nginx about the new files: a renewed certificate is only used after a reload, so give certbot a deploy hook (--deploy-hook "systemctl reload nginx" when issuing, or a script in /etc/letsencrypt/renewal-hooks/deploy/). To check:
sudo certbot certificates
sudo certbot renew --dry-run
--dry-run talks to the Let’s Encrypt staging environment, so it can be repeated without counting against the production rate limits.

Wildcard (*.example.com)

Only via the DNS challenge (HTTP validation cannot prove control of every subdomain):
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com"
The process is interactive: certbot asks you to create a _acme-challenge TXT record in the domain’s DNS. Wait until the record is visible from public resolvers, and only then press Enter. Two caveats. The wildcard does not cover the apex, so add -d example.com if the site is also served there. And a --manual certificate is not renewed by the timer, since nobody is there to create the TXT record, unless you pass a --manual-auth-hook script that does it; for unattended renewal use a DNS plugin instead. For zones on Cloudflare that is the python3-certbot-dns-cloudflare package with an API token limited to DNS edits on that zone.
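A wildcard that renews on its own, as an added example that is not from the page: it swaps --manual for certbot’s Cloudflare DNS plugin, which creates and removes the _acme-challenge record through the Cloudflare API. Assumptions: the zone is on Cloudflare, you created an API token limited to Zone:DNS:Edit on that zone and export it as CF_API_TOKEN, and the token file path /root/.secrets/certbot/cloudflare.ini is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: a wildcard certificate that
# the certbot timer can renew unattended, using the Cloudflare DNS plugin
# instead of --manual. Assumes the zone is on Cloudflare and an API token
# limited to Zone:DNS:Edit for that zone, supplied as CF_API_TOKEN.
set -eu

DOMAIN="${DOMAIN:-example.com}"                              # assumption
EMAIL="${EMAIL:-admin@example.com}"                          # assumption
CREDS="${CREDS:-/root/.secrets/certbot/cloudflare.ini}"      # assumption: token file path

# Permission string of a file, e.g. "-rw-------" (portable, no stat flags).
perms_of() {
  ls -ld "$1" | cut -c1-10
}

# Write the token file readable by root only: certbot warns about a
# world-readable credentials file, and this token can edit your DNS.
write_creds() {   # $1 = path, $2 = API token
  dir=$(dirname "$1")
  mkdir -p "$dir" && chmod 700 "$dir"
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
  chmod 600 "$1"
}

# Issue apex + wildcard in one certificate: "*.example.com" alone does not
# cover "example.com". The plugin creates and removes the _acme-challenge
# TXT record itself and waits for it to propagate.
issue_wildcard() {
  certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials "$CREDS" \
    --dns-cloudflare-propagation-seconds 30 \
    -d "$DOMAIN" -d "*.$DOMAIN" \
    --non-interactive --agree-tos -m "$EMAIL" \
    --deploy-hook "systemctl reload nginx"
}

if [ "${LE_RUN:-0}" = 1 ]; then
  apt-get -y install python3-certbot-dns-cloudflare
  write_creds "$CREDS" "${CF_API_TOKEN:?set CF_API_TOKEN to the Cloudflare API token}"
  issue_wildcard
  certbot renew --dry-run        # confirms the timer can renew it without you
fi
```

Run with CF_API_TOKEN=... LE_RUN=1 as root. The token scope matters more than the file permissions: a token that can only edit DNS on this one zone limits what an attacker who reads the file can do to adding or changing records there, which is still enough to issue certificates for the domain, so treat the file like a private key.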

Common errors

Error                Cause                              What to do
Timeout              Port 80 is closed                  Open it in the firewall
Domain not found     The A record hasn’t propagated     Wait, check DNS
Connection refused   nginx/apache isn’t running         sudo systemctl start nginx
Rate limit           Too many requests                  Wait. Limits: 5 failed validations per hostname per hour; 5 duplicate certificates (same set of names) per week; 50 certificates per registered domain per week. Test with --dry-run (staging) so failed attempts don’t count.

Where to next

Web server (Nginx)

Configure Nginx to work with the certificate.

Server hardening

The next step — close off the remaining gaps.