Let's Encrypt with Nginx — Secure HTTPS Configuration without Annual Fees
> cd .. / HUB_EDITORIALE
Sicurezza Informatica

Let's Encrypt with Nginx — Secure HTTPS Configuration without Annual Fees

[2026-07-16] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

If you run a website on Nginx, you've probably heard of Let's Encrypt. Maybe you already have a certificate installed, but you're not sure the configuration is bulletproof. Or worse, you're still paying for an SSL certificate when a free, automated solution has been around since 2016. We see it every day at Meteora Web: small businesses paying for certificates they could have for free, or — even worse — sites still on plain HTTP losing visitors and trust.

This guide is not an abstract manual. It's what we do on our clients' servers: obtain Let's Encrypt certificates, configure them on Nginx, automate renewal, and lock down security. Let's start with the real problem: a site without HTTPS today is penalized by search engines, flagged as insecure by browsers, and vulnerable to interception. And the solution costs nothing but a bit of technical know-how.

Why is HTTPS no longer optional for SMEs?

Google penalizes HTTP sites. Browsers show security warnings. Data in plain text can be read by anyone on the network. If you run an ecommerce store or have a contact form, you're exposing your customers and your business. At Meteora Web, we always start here: security in Italian SMEs is systematically undervalued. HTTPS is the foundation.

Sponsored Protocol

An SSL/TLS certificate encrypts the connection between browser and server. Without it, anyone on the same network (client, ISP, attacker) can read passwords, credit cards, messages. With Let's Encrypt, you get a 90-day certificate that can be automatically renewed. Zero annual fees, zero excuses.

How does Let's Encrypt compare to paid certificates?

Let's Encrypt is a free, automated, and open Certificate Authority (CA). It uses the ACME protocol to verify you control the domain. Paid certificates offer additional warranties (EV, OV) and longer validity, but for 99% of websites (ecommerce, brochure, blog) a DV (Domain Validation) certificate from Let's Encrypt is more than enough. The difference? Zero cost and full automation.

Sponsored Protocol

When a server's automatic SSL renewal broke, we fixed it and automated it without taking the client offline. It's a common issue: the default certbot config works, but it needs testing and monitoring.

What steps to obtain and install a Let's Encrypt certificate on Nginx?

Here are the actual commands we use. Prerequisites: Ubuntu/Debian server, Nginx installed, domain pointing to your server.

Install Certbot and the Nginx plugin

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Obtain the certificate

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot automatically modifies Nginx config files to enable HTTPS and redirect HTTP. If you prefer manual control, use standalone mode:

sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com

Certificates are saved in /etc/letsencrypt/live/yourdomain.com/.

Verify Nginx configuration

sudo nginx -t
sudo systemctl reload nginx

Visit your site with https:// and check the padlock.

Sponsored Protocol

How to configure Nginx for HTTPS and force redirect?

If Certbot already modified the files, you're all set. But here's a clean server block example:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

    root /var/www/yourdomain.com/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Rest of configuration (PHP, static assets, etc.)
}

Important: the 301 redirect from HTTP to HTTPS is critical for SEO. Also check for mixed content — images, scripts, CSS loaded over HTTP.

Sponsored Protocol

How to automate renewal without risking downtime?

Certbot installs a systemd timer by default. Check with:

sudo systemctl list-timers | grep certbot
sudo systemctl status certbot.timer

If missing, add a cron job:

sudo crontab -e

Add the line:

0 3 * * * /usr/bin/certbot renew --quiet && /usr/bin/systemctl reload nginx

Renewal happens automatically every 90 days. The server never goes down. We always test with certbot renew --dry-run to be safe.

What security headers to add after HTTPS?

HTTPS alone is not enough. Add these security headers in your Nginx server block:

# HSTS - force HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Prevent MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;

# XSS protection
add_header X-XSS-Protection "1; mode=block" always;

# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Content Security Policy (customize as needed)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

Reload Nginx and test with SSL Labs to aim for an A+ rating.

Sponsored Protocol

What to do next

  1. Check your site now: visit the HTTP version and see if it redirects to HTTPS. If not, follow the steps above.
  2. Verify the certificate: click the padlock in your browser and check the expiration date. If near, run certbot renew.
  3. Test automatic renewal: sudo certbot renew --dry-run. If it fails, fix it now.
  4. Apply security headers: use an online tool to check HTTP response headers.
  5. Read our pillar guide on web security: Web Security for Developers — The Definitive Pillar Guide.

HTTPS is no longer a luxury. It's a requirement. At Meteora Web, we configure it every day for our clients, from domain to revenue. If you need help, let's talk.

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()