
Install Certbot on VPS: Automated SSL Step-By-Step

Installing Certbot means deploying the Certbot ACME client on a VPS so it can automatically issue, install and renew TLS/SSL certificates from Let’s Encrypt, proving control of each domain through HTTP-01 or DNS-01 validation.

Skip the last-minute scramble to renew certificates; let Certbot keep your site locked down while you focus on real work.

Modern users expect the padlock icon. Search engines prefer it, browsers warn without it, and any lapse can mean lost trust or revenue. Yet manually renewing TLS certificates every three months is tedious and risky. Certbot, a free and open-source ACME client for Let’s Encrypt, automates the entire flow.

Prerequisites

Before you install Certbot, make sure the groundwork is solid:

  • VPS running Ubuntu, Debian or CentOS/Alma/Rocky with root or sudo access.
  • Ports 80 and 443 open to the internet (check firewalls and any cloud security groups).
  • Your domain’s A/AAAA record already points to the server; for wildcard certs you’ll also need control of the DNS zone.
  • Nginx installed and a basic server block in place, or at least a document root you can reference.
  • Let’s Encrypt, the public, non-profit certificate authority Certbot uses by default, issues certificates free of charge; it rate-limits issuance per domain, which is why the staging environment matters later.

If your server still needs hardening or Nginx tuning, handle that first, then come back here.

Install Certbot

Keeping Certbot current is critical, so use your distribution’s preferred method:

Update packages:

sudo apt update && sudo apt upgrade   # Debian/Ubuntu
sudo dnf update                       # CentOS Stream / Alma / Rocky

Install snapd if it is not present, then install Certbot from the snap and put it on the PATH:

sudo apt install snapd                                   # Debian/Ubuntu
sudo dnf install epel-release && sudo dnf install snapd  # CentOS Stream / Alma / Rocky (snapd ships in EPEL)
sudo systemctl enable --now snapd.socket                 # RHEL family
sudo ln -s /var/lib/snapd/snap /snap                     # RHEL family, required for --classic snaps

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/local/bin/certbot

Alternative distribution package (older, but updated with the OS):

sudo apt install certbot python3-certbot-nginx   # Debian/Ubuntu
sudo dnf install certbot python3-certbot-nginx   # CentOS Stream / Alma / Rocky, from EPEL

Use the repo version only if Snap isn’t an option; Snap typically ships newer plugins and bug fixes.

Verify:

certbot --version

Only elevate privileges when needed and never pipe unknown scripts straight to bash.

Obtain Your First Certificate

Certbot can validate ownership through HTTP-01 (web requests) or DNS-01 (TXT records). Pick the path that matches your setup.

Obtain Via Nginx Plugin

The Nginx plugin automatically edits server blocks and reloads the service:

sudo certbot --nginx -d example.com -d www.example.com

Add a -d flag for every name that must appear in the certificate’s Subject Alternative Name (SAN) list. Test against the staging CA first so mistakes don’t burn production rate limits. --dry-run implies the staging CA and discards the test certificate, but it only works with the certonly and renew subcommands:

sudo certbot certonly --nginx --dry-run -d example.com -d www.example.com

Always test configuration files:

sudo nginx -t

The plugin records a checkpoint of every file it touches (certbot rollback restores them), adds the certificate paths and listen 443 ssl directives to the matching server block, validates the result and reloads Nginx only if that check passes.


Obtain Using Webroot

If you manage Nginx by hand or run another HTTP server, issue the cert without touching configs:

sudo certbot certonly --webroot \
  -w /var/www/html \
  -d example.com -d www.example.com

Certbot drops challenge files under <webroot>/.well-known/acme-challenge/, and Let’s Encrypt fetches them over plain HTTP on port 80. That path must therefore be reachable without authentication, and if you redirect HTTP to HTTPS the redirect must not break it (Let’s Encrypt follows redirects, but only to ports 80 and 443). Again, a staging dry run prevents rate-limit headaches.
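The port-80 server block the webroot method relies on, as an added example (it is not from the original article or the Certbot project). It assumes the names example.com and www.example.com and the /var/www/html webroot used above; the ^~ prefix match makes sure no regex location or catch-all redirect swallows the challenge path.

```nginx
# Port-80 server block: answer ACME challenges directly, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Must be the same directory passed to certbot with -w.
    # No auth, no rewrite, no redirect in here.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS; the challenge location above wins first.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After adding it, run sudo nginx -t and reload, then confirm with curl http://example.com/.well-known/acme-challenge/test (after touching that file) that you get the file back rather than a redirect or 403 before you run Certbot.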

DNS-01 Validation For Wildcard Certs

Wildcard certs (*.example.com) need a TXT record at _acme-challenge.example.com proving control of the zone, and Let’s Encrypt issues wildcards only via DNS-01. With the Cloudflare plugin (for the snap: sudo snap install certbot-dns-cloudflare, then sudo snap set certbot trust-plugin-with-root=ok), run:

sudo certbot -a dns-cloudflare -i nginx \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d '*.example.com' -d example.com

Replace the plugin with one suited to your DNS provider. The plugin creates and removes the TXT record itself on every issuance and renewal, so renewals stay hands-off (see Let’s Encrypt’s documentation on wildcard requirements). Keep the credentials file readable only by root (chmod 600); Certbot warns when it is readable by others, and an API token scoped to DNS edits on that one zone limits the blast radius if the server is compromised.
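The credentials file referenced above, as an added example rather than content from the article or the plugin’s own docs. The path and the token value are placeholders; the key name dns_cloudflare_api_token is the one the certbot-dns-cloudflare plugin reads.

```ini
# ~/.secrets/cloudflare.ini  (owned by root, chmod 600)
# Use a scoped API token with DNS edit permission on example.com only,
# never the account-wide global API key.
# The value below is a placeholder, not a real credential.
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```

Create it with umask 077 (or chmod 600 afterwards) before the first run; a world-readable token here is equivalent to handing out write access to your DNS zone.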

Configure Automated Renewals: Systemd Timers Vs Cron Renewals

Both the snap and the distribution packages install a systemd timer that runs certbot renew twice a day; each run renews only certificates that expire within 30 days, so the frequent runs are cheap and harmless.

How Certbot Renewal Works

  • certbot renew checks every installed certificate.
  • Only certificates near expiry are renewed, reducing unnecessary requests.
  • Logs sit in /var/log/letsencrypt/; read them after any change.

Most modern distros use systemd. The snap enables its own timer automatically (snap.certbot.renew.timer, visible in systemctl list-timers); for the distribution package, enable the packaged one:

sudo systemctl enable --now certbot.timer

Want custom logic? With the distribution package you can add a drop-in under /etc/systemd/system/certbot.service.d/ that runs a post-start command after every timer run, whether or not anything was renewed (ExecStart= is reserved for certbot itself):

/etc/systemd/system/certbot.service.d/override.conf

[Service]
ExecStartPost=/usr/bin/systemctl reload nginx

Run sudo systemctl daemon-reload afterwards. Because the reload fires unconditionally, a --deploy-hook or a script in /etc/letsencrypt/renewal-hooks/deploy/ is usually the better choice: Certbot runs those only when a certificate was actually renewed.

Cron Renewals

Non-systemd system, or a package that ships no timer? A single entry in root’s crontab suffices. Use the binary’s full path (cron’s PATH is minimal), and pick an arbitrary minute rather than a round one so renewals don’t all hit Let’s Encrypt on the hour:

23 3,15 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"

Run it as root or as a user with write access to /etc/letsencrypt/. --quiet silences everything except errors, so cron’s MAILTO only fires when something goes wrong, and the deploy hook runs only when a certificate was renewed.
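A deploy hook that does what the systemd override and the cron --deploy-hook above aim for, but safely: it validates the Nginx configuration before reloading and only reacts to lineages Nginx actually serves. This is example code added to the article, not a script shipped by Certbot. Certbot does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; NGINX_TEST_CMD, NGINX_RELOAD_CMD, NGINX_LINEAGES and LOG_FILE are hypothetical knobs so the script can be exercised on a machine without Nginx.

```shell
#!/bin/sh
# Certbot deploy hook: install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (chmod 755).
# Certbot runs every executable in that directory only after a successful renewal,
# exporting RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS (space-separated names). Added example code, not part of Certbot.
#
# The *_CMD, NGINX_LINEAGES and LOG_FILE variables are hypothetical overrides;
# in production leave the defaults.
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/deploy-hook.log}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE" 2>/dev/null || true
}

# Return 0 if the renewed lineage is one Nginx serves, so an unrelated certificate
# (a mail server's, say) does not trigger a web reload.
# NGINX_LINEAGES is a space-separated list of lineage names; empty means "all".
lineage_is_served() {
    lineage_name=$(basename "${1:?lineage path required}")
    [ -z "${NGINX_LINEAGES:-}" ] && return 0
    for name in $NGINX_LINEAGES; do
        [ "$name" = "$lineage_name" ] && return 0
    done
    return 1
}

# Validate first: reloading with a broken config keeps the old workers running but
# hides the error until the next restart. Returns 0 after a reload, 1 when skipped,
# 2 when the config test fails (Certbot logs any non-zero hook exit).
reload_nginx_for() {
    lineage="$1"
    if ! lineage_is_served "$lineage"; then
        log "skip: $lineage is not served by nginx"
        return 1
    fi
    if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
        log "ERROR: nginx config test failed after renewing $lineage; not reloading"
        return 2
    fi
    $NGINX_RELOAD_CMD && log "reloaded nginx for $lineage (${RENEWED_DOMAINS:-?})"
}

# Act only when Certbot invoked us (it sets RENEWED_LINEAGE); sourcing the file
# elsewhere just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx_for "$RENEWED_LINEAGE"
fi
```

Set NGINX_LINEAGES="example.com" at the top of the installed copy if the box also holds certificates for other services; leave it empty to reload on every renewal. The hook’s exit status shows up in /var/log/letsencrypt/letsencrypt.log, which is what the monitoring in the checklist below should watch.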

Safety & Best Practice Checklist

  • Test everything with certbot renew --dry-run.
  • Ensure only one renewal mechanism is active to avoid conflicts.
  • Monitor logs and set up alerting for failures.

Pro Tip: Add a tiny weekly script that runs openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/fullchain.pem and emails you if the expiry is within 14 days. It’s a belt-and-braces safeguard in case automated renewals ever stop.
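The weekly watchdog the tip describes, written out as an added example (not from the article). Instead of parsing the -enddate string it uses openssl x509 -checkend, which takes a number of seconds and exits 0 while the certificate will still be valid at that point, so there is no date arithmetic to get wrong across locales. It scans every lineage under /etc/letsencrypt/live, prints the expiring or unreadable ones and exits non-zero, which is enough for cron’s MAILTO or a monitoring wrapper to raise the alert; CERT_DIR and WARN_DAYS are hypothetical knobs with the defaults from the text.

```shell
#!/bin/sh
# Expiry watchdog for Certbot-managed certificates. Added example code, not part
# of Certbot. Run weekly from cron; a non-zero exit means something needs attention.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-14}"

# Returns 0 when the certificate in $1 expires within $2 days, 1 when it still has
# more life than that, 2 when the file cannot be parsed (treat that as an alert too).
# openssl -checkend exits 0 while the cert is still valid $seconds from now,
# so the sense is inverted here.
cert_expires_within() {
    cert="$1"; days="$2"
    seconds=$((days * 86400))
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        return 2
    fi
    if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable notAfter for the report (the first cert in fullchain.pem is the leaf).
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Scan every lineage, print one line per problem, return the number of problems.
check_all() {
    problems=0
    for cert in "$CERT_DIR"/*/fullchain.pem; do
        [ -e "$cert" ] || continue
        status=0
        cert_expires_within "$cert" "$WARN_DAYS" || status=$?
        case $status in
            0) echo "EXPIRING: $cert (notAfter=$(cert_not_after "$cert"))"
               problems=$((problems + 1)) ;;
            2) echo "UNREADABLE: $cert"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Report when run directly; the exit status is the alert signal for cron or monitoring.
if check_all; then
    echo "OK: no certificate under $CERT_DIR expires within $WARN_DAYS days"
else
    exit 1
fi
```

A crontab line such as 0 6 * * 1 /usr/local/sbin/cert-watchdog.sh with MAILTO set is all the wiring it needs; because renewal normally happens 30 days before expiry, anything this script reports at 14 days means the automated path has already been failing for about two weeks and the certbot logs deserve a look.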

Security And Operational Best Practices

Here are some proven practices to keep your SSL setup reliable, secure, and low-maintenance over time:

  1. Protect your Let’s Encrypt account key: It lives under /etc/letsencrypt/accounts/. Store it securely and back it up in an encrypted location; if you lose it, revocation and account recovery become harder.
  2. Always test with the staging CA first: Use --dry-run (for certonly and renew) or --staging for new configs, wildcard setups, or DNS plugins to avoid hitting production rate limits.
  3. Lock down private key permissions: Ensure only root (or a dedicated service account) can read the keys under /etc/letsencrypt/archive/ and any DNS-plugin credentials files. World-readable keys are a security risk.
  4. Revoke and reissue immediately on compromise: If a private key leaks, revoke the certificate (certbot revoke --cert-name example.com --reason keycompromise) and issue a new one with a fresh key without delay.
  5. Use a single renewal mechanism: Enable either the systemd timer or cron, never both, to prevent race conditions and failed renewals.
  6. Reload services only after successful renewal: Use --deploy-hook "systemctl reload nginx" or a script in /etc/letsencrypt/renewal-hooks/deploy/ so Nginx reloads only when a new certificate is issued.
  7. Monitor expiry and renewal logs: Watch /var/log/letsencrypt/ and alert on failures or repeated retries.

Install Certbot With Confidence

Automated SSL is no longer a luxury. By installing Certbot, wiring up systemd or cron renewals, using wildcard certs where they simplify life, and adding Nginx hooks for instant reloads, you’ve eliminated a prime source of downtime and distraction.

Ready to take the next step? Secure, high-performance VPS hosting with managed DNS from Vodien makes DNS-01 wildcard automation and production rollouts even easier. Check it out and keep every site you launch locked down from day one.