
Set Up SSL/TLS with Let's Encrypt

Obtain a free SSL/TLS certificate from Let's Encrypt and configure automatic renewal.

LightYear Docs Team
Updated April 24, 2026

Let's Encrypt provides free, automated SSL/TLS certificates. This guide installs Certbot and obtains a certificate for your domain.

Prerequisites

  • A domain name with an A record pointing to your server's IP
  • Ports 80 and 443 open in your firewall
  • Nginx or Apache installed

Step 1 — Install Certbot

>_BASH
$ apt update
$ apt install -y certbot python3-certbot-nginx

Step 2 — Obtain a Certificate

>_BASH
$ certbot --nginx -d example.com -d www.example.com

Follow the interactive prompts:

OUTPUT
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2026-07-24.

Certbot automatically updates your Nginx configuration to use HTTPS and redirect HTTP to HTTPS.

Step 3 — Verify the Certificate

>_BASH
$ certbot certificates
OUTPUT
Found the following certs:
  Certificate Name: example.com
    Serial Number: abc123...
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2026-07-24 10:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Step 4 — Test Auto-Renewal

Certificates expire after 90 days. Certbot installs a systemd timer that renews certificates automatically. Simulate a renewal to confirm that it will succeed:

>_BASH
$ certbot renew --dry-run
OUTPUT
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)

Check the renewal timer:

>_BASH
$ systemctl status certbot.timer
OUTPUT
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled)
     Active: active (waiting) since Thu 2026-04-24 10:00:00 UTC
    Trigger: Fri 2026-04-25 02:00:00 UTC; 16h left

Wildcard Certificates

For wildcard certificates (*.example.com), use DNS validation:

>_BASH
$ certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com

Certbot will prompt you to add a TXT DNS record to verify domain ownership.

[!NOTE] Wildcard certificates must be renewed manually (or via a DNS plugin) since they require DNS validation. Most users do not need wildcard certificates — per-domain certificates are simpler.
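A check for the cases above where renewal does not happen by itself (a failing timer, or a manually renewed wildcard certificate), added here as an example and not part of the original guide: it reads the `certbot certificates` report shown in Step 3 and flags every certificate below a day threshold. The function names, the 30-day threshold and the sample report are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original guide. Function names and the
# 30-day default threshold are assumptions.

# Reads a `certbot certificates` report on stdin. Prints one line per
# certificate that needs attention and returns 1 if any were found.
check_cert_expiry() {
    min_days="${1:-30}"
    awk -v min="$min_days" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # The status is the text inside the trailing parentheses.
            status = $0
            sub(/^.*\(/, "", status)
            sub(/\).*$/, "", status)
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, parts, " ")
                if (parts[2] + 0 >= min + 0) next   # enough time left
            }
            # Fail safe: too few days, or any status that is not
            # "VALID: N days", is reported.
            printf "%s: %s\n", name, status
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample report in the Step 3 format (not real output).
sample_report() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Expiry Date: 2026-07-24 10:00:00+00:00 (VALID: 89 days)
  Certificate Name: wild.example.com
    Expiry Date: 2026-05-06 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Expiry Date: 2026-04-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the constructed sample; prints the two certificates that need action.
sample_report | check_cert_expiry 30 || echo "attention needed"
```

On a server, pipe the real report in with `certbot certificates | check_cert_expiry 30` from cron or a monitoring agent; a non-zero exit status means at least one certificate needs attention.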
