If you run a website on Nginx, you've probably heard of Let's Encrypt. Maybe you already have a certificate installed, but you're not sure the configuration is bulletproof. Or worse, you're still paying for an SSL certificate when a free, automated solution has been around since 2016. We see it every day at Meteora Web: small businesses paying for certificates they could have for free, or — even worse — sites still on plain HTTP losing visitors and trust.
This guide is not an abstract manual. It's what we do on our clients' servers: obtain Let's Encrypt certificates, configure them on Nginx, automate renewal, and lock down security. Let's start with the real problem: a site without HTTPS today is penalized by search engines, flagged as insecure by browsers, and vulnerable to interception. And the solution costs nothing but a bit of technical know-how.
Why is HTTPS no longer optional for SMEs?
Google penalizes HTTP sites. Browsers show security warnings. Data in plain text can be read by anyone on the network. If you run an ecommerce store or have a contact form, you're exposing your customers and your business. At Meteora Web, we always start here: security in Italian SMEs is systematically undervalued. HTTPS is the foundation.
Sponsored Protocol
An SSL/TLS certificate encrypts the connection between browser and server. Without it, anyone on the same network (client, ISP, attacker) can read passwords, credit cards, messages. With Let's Encrypt, you get a 90-day certificate that can be automatically renewed. Zero annual fees, zero excuses.
How does Let's Encrypt compare to paid certificates?
Let's Encrypt is a free, automated, and open Certificate Authority (CA). It uses the ACME protocol to verify you control the domain. Paid certificates offer additional warranties (EV, OV) and longer validity, but for 99% of websites (ecommerce, brochure, blog) a DV (Domain Validation) certificate from Let's Encrypt is more than enough. The difference? Zero cost and full automation.
Sponsored Protocol
When a server's automatic SSL renewal broke, we fixed it and automated it without taking the client offline. It's a common issue: the default certbot config works, but it needs testing and monitoring.
What steps to obtain and install a Let's Encrypt certificate on Nginx?
Here are the actual commands we use. Prerequisites: Ubuntu/Debian server, Nginx installed, domain pointing to your server.
Install Certbot and the Nginx plugin
sudo apt update
sudo apt install certbot python3-certbot-nginx -yObtain the certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.comCertbot automatically modifies Nginx config files to enable HTTPS and redirect HTTP. If you prefer manual control, use standalone mode:
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.comCertificates are saved in /etc/letsencrypt/live/yourdomain.com/.
Verify Nginx configuration
sudo nginx -t
sudo systemctl reload nginxVisit your site with https:// and check the padlock.
Sponsored Protocol
How to configure Nginx for HTTPS and force redirect?
If Certbot already modified the files, you're all set. But here's a clean server block example:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
root /var/www/yourdomain.com/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Rest of configuration (PHP, static assets, etc.)
}Important: the 301 redirect from HTTP to HTTPS is critical for SEO. Also check for mixed content — images, scripts, CSS loaded over HTTP.
Sponsored Protocol
How to automate renewal without risking downtime?
Certbot installs a systemd timer by default. Check with:
sudo systemctl list-timers | grep certbot
sudo systemctl status certbot.timerIf missing, add a cron job:
sudo crontab -eAdd the line:
0 3 * * * /usr/bin/certbot renew --quiet && /usr/bin/systemctl reload nginxRenewal happens automatically every 90 days. The server never goes down. We always test with certbot renew --dry-run to be safe.
What security headers to add after HTTPS?
HTTPS alone is not enough. Add these security headers in your Nginx server block:
# HSTS - force HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;
# Prevent MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;
# XSS protection
add_header X-XSS-Protection "1; mode=block" always;
# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Content Security Policy (customize as needed)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;Reload Nginx and test with SSL Labs to aim for an A+ rating.
Sponsored Protocol
What to do next
- Check your site now: visit the HTTP version and see if it redirects to HTTPS. If not, follow the steps above.
- Verify the certificate: click the padlock in your browser and check the expiration date. If near, run
certbot renew. - Test automatic renewal:
sudo certbot renew --dry-run. If it fails, fix it now. - Apply security headers: use an online tool to check HTTP response headers.
- Read our pillar guide on web security: Web Security for Developers — The Definitive Pillar Guide.
HTTPS is no longer a luxury. It's a requirement. At Meteora Web, we configure it every day for our clients, from domain to revenue. If you need help, let's talk.