Last updated: April 2026 · AnomixLabs Technical Team
HTTPS is no longer optional; it is a requirement. Google has been marking HTTP sites as 'Not Secure' since 2018. With Let's Encrypt, this is free and automatic.
1. Why Let's Encrypt?
Let's Encrypt is a free, automated, and open Certificate Authority established in 2016, issuing over 3 billion active certificates annually. Supporters include Mozilla, EFF, Cisco, and Google. Compared to alternatives (Comodo, DigiCert), it offers: free certificates, 90-day validity, full automation, and DV (Domain Validation) certificates.

2. Nginx and Certbot Installation
# Ubuntu 22.04 / 24.04
$ sudo apt update
$ sudo apt install nginx
$ sudo systemctl enable nginx
# Certbot — snap package (recommended; kept up to date on every distribution)
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Verify Certbot version
$ certbot --version
# certbot 2.x.x
3. Firewall (UFW) Configuration
Before obtaining a certificate, Certbot requires the server's port 443 to be accessible externally. The default firewall on Ubuntu is UFW:
# Secure SSH access — do this FIRST!
$ sudo ufw allow ssh
# Enable UFW
$ sudo ufw enable
# Add Nginx profile for HTTP (80) + HTTPS (443)
$ sudo ufw allow 'Nginx Full'
# The HTTP-only rule is redundant once 'Nginx Full' exists; remove it if it was added earlier
$ sudo ufw delete allow 'Nginx HTTP'
# Verify status
$ sudo ufw status
Expected output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Critical warning: always run 'ufw allow ssh' before 'ufw enable'. Otherwise your current SSH session is dropped and you lose access to the server. You won't forget this after experiencing it once.
4. Obtaining an SSL Certificate: Nginx Plugin
# Get certificate and update Nginx configuration in one command
$ sudo certbot --nginx -d orneksite.com -d www.orneksite.com
# Successful output:
# Successfully received certificate.
# Certificate is saved at: /etc/letsencrypt/live/orneksite.com/fullchain.pem
# Key is saved at: /etc/letsencrypt/live/orneksite.com/privkey.pem
# This certificate expires on 2026-07-15
5. Nginx Configuration (Post-Certbot)
server {
    listen 80;
    server_name orneksite.com www.orneksite.com;
    return 301 https://$host$request_uri; # HTTP → HTTPS redirect
}

server {
    listen 443 ssl http2; # on nginx 1.25.1 or newer, use a separate 'http2 on;' directive instead
    server_name orneksite.com www.orneksite.com;

    ssl_certificate /etc/letsencrypt/live/orneksite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/orneksite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # protocols and cipher suites maintained by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # OCSP Stapling (only takes effect if the certificate carries an OCSP responder URL)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    # HSTS: one year, all subdomains, preload-list eligible. Enable only once every subdomain serves HTTPS.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    location / {
        include proxy_params; # sets Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto for the backend
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
6. Automatic Renewal
Let's Encrypt certificates are valid for 90 days. The Certbot snap package sets up an automatic timer during installation. Manual verification:
# Check remaining validity
$ sudo certbot certificates
# Simulate renewal (does not actually renew)
$ sudo certbot renew --dry-run
# Check systemd timer
$ sudo systemctl status snap.certbot.renew.timer
# Force renewal now (only if really necessary: each forced issuance counts against the rate limits in section 10)
$ sudo certbot renew --force-renewal
7. Wildcard Certificate (DNS Challenge)
For a certificate covering all subdomains like *.orneksite.com, the DNS-01 challenge is required. This involves adding a TXT record with your domain provider:
# Wildcard — for all subdomains
$ sudo certbot certonly --manual \
    --preferred-challenges dns \
    -d orneksite.com \
    -d '*.orneksite.com'
# You will be prompted to add a DNS TXT record:
# _acme-challenge.orneksite.com → [provided value]
# Note: a --manual certificate is not renewed by the timer unless you also supply --manual-auth-hook
# Automatic for Cloudflare users (a snap-installed Certbot only sees plugins installed as snaps, not via pip):
$ sudo snap set certbot trust-plugin-with-root=ok
$ sudo snap install certbot-dns-cloudflare
# creds.ini holds the Cloudflare API token; keep it readable by root only
$ sudo chmod 600 creds.ini
$ sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials creds.ini \
    -d orneksite.com -d '*.orneksite.com'
8. Cloudflare Flexible SSL Danger
Warning: do not use Cloudflare's 'Flexible SSL' mode. In this mode the leg between the browser and Cloudflare is HTTPS, but the leg between Cloudflare and your server is plain HTTP: your server cannot reach an SSL Labs A+ score without a Let's Encrypt certificate, and user data travels unencrypted on the last mile. Always use 'Full (strict)' mode.
9. Django settings.py HTTPS Security Settings
# In production environment (DEBUG=False)
SECURE_SSL_REDIRECT = True                 # redirect any plain-HTTP request Django sees to HTTPS
SECURE_HSTS_SECONDS = 31536000             # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True               # session and CSRF cookies are only sent over HTTPS
CSRF_COOKIE_SECURE = True
# Behind Nginx, Django only sees plain HTTP on the Gunicorn socket, so trust the X-Forwarded-Proto
# header that proxy_params sets. Only do this when Nginx is the sole path to the app, so a client
# cannot supply the header itself.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_REFERRER_POLICY = 'same-origin'
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'DENY'
10. Let's Encrypt Rate Limits
Caution: Let's Encrypt enforces a limit of 5 certificates per domain per week. To avoid hitting this limit during testing, use the staging environment:
# Staging (test) environment — no real rate limits
$ sudo certbot --nginx --staging -d test.orneksite.com
# Staging certificates will trigger browser warnings but are functional
11. SSL Labs A+ Score Verification
Test your domain's SSL configuration at ssllabs.com/ssltest/. To achieve an A+ score, you need TLS 1.2 and 1.3 protocols, strong cipher suites, HSTS preload, and OCSP stapling. Certbot's default configuration meets most of these requirements.
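As an added example (not code from the original article), the script below checks two things this guide relies on, offline and without SSL Labs: whether the HSTS header from section 5 meets the preload-list criteria, and whether a certificate's expiry date is inside Certbot's 30-day renewal window from section 6. The 2026-07-15 expiry and the hostnames are taken from the article; check_site() is the only part that needs network access.

```python
import ssl
import socket
import datetime as dt
import http.client

CERTBOT_RENEW_BEFORE_DAYS = 30   # Certbot renews when fewer than 30 days of validity remain
PRELOAD_MIN_MAX_AGE = 31536000   # hstspreload.org requires a max-age of at least one year

def parse_hsts(header):
    """Split 'max-age=31536000; includeSubDomains; preload' into {directive: value}; names lower-cased (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def hsts_preload_problems(header):
    """Return why the header would fail the preload-list criteria; an empty list means it is ready."""
    if not header:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least 31536000 (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def renewal_due(not_after, today):
    """True if Certbot would renew now; not_after is the 'Jul 15 12:00:00 2026 GMT' form from getpeercert(), today 'YYYY-MM-DD'."""
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), dt.timezone.utc)
    now = dt.datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    return expires - now < dt.timedelta(days=CERTBOT_RENEW_BEFORE_DAYS)

def check_site(host):
    """Live check (needs network): leaf certificate expiry and the HSTS header served on port 443."""
    ctx = ssl.create_default_context()   # rejects a staging or self-signed certificate, as a browser would
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    today = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%d")
    return {"expires": not_after, "renewal_due": renewal_due(not_after, today),
            "hsts_problems": hsts_preload_problems(hsts)}
```

Run check_site('orneksite.com') after deployment: an empty hsts_problems list and renewal_due False is the state the guide aims for; if renewal_due stays True for days, the timer from section 6 is not firing.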

Summary
Let's Encrypt + Certbot + Nginx: free, automated, and industry-standard SSL. Achieve an A+ score in 10 minutes on Ubuntu 24.04 with snap. Complete the SECURE_* settings in Django and use Cloudflare Full Strict mode.
Frequently Asked Questions
Why does an SSL certificate renew every 90 days?
Does SECURE_SSL_REDIRECT = True cause issues behind Nginx?
What is the difference between a wildcard certificate and a standard certificate?
What happens if certificate renewal fails?
Can I get a certificate for an IP address?
What is OCSP Stapling and why does it matter?
Are there free SSL alternatives to Let's Encrypt?
Ali Kasımoğlu
Full-stack Developer & Founder of AnomixLabs
A software developer specializing in the Python and Django ecosystem. Focuses on modern web architectures, AI integrations, and minimalist user experiences. Under the AnomixLabs umbrella, he aims to transform complex problems into lean and effective digital solutions.