Why Free SSL with Let's Encrypt
Every public website needs HTTPS. Browsers flag plain HTTP pages as "Not secure," search engines favor encrypted sites, and Saudi data-protection expectations under PDPL make encrypting traffic in transit a baseline requirement. Let's Encrypt is a free, automated, non-profit certificate authority trusted by all major browsers. Paired with Certbot, the official ACME client, you can issue and renew certificates with no manual work and no cost.
This guide covers installing a certificate on Nginx (Ubuntu/Debian), verifying it, and — most importantly — configuring renewal that does not break. The renewal part matters more than ever: Let's Encrypt certificates have historically been valid for 90 days, and the industry is moving to shorter lifetimes (a 45-day profile began rolling out in 2026). Manual renewal is no longer realistic, so automation is mandatory.
If you host with Skyline Cloud on a VPS or cloud server inside the Kingdom, the steps below work unchanged on your in-Kingdom server, keeping both your data and your TLS termination on Saudi soil.
Prerequisites
- A cloud server or VPS running Ubuntu 22.04/24.04 or Debian, with sudo access.
- A domain (for example example.com) with a DNS A record pointing to your server's public IP. If you manage DNS through Skyline's managed DNS, add the record there and let it propagate.
- Nginx installed and serving your site on port 80.
- Ports 80 and 443 open in your firewall and any cloud security group.
Verify DNS resolves to your server before continuing:
dig +short example.com
The returned IP must match your server's public IP. Domain validation will fail otherwise.
Step 1 — Install Certbot
The recommended method is the snap package, which the EFF maintains and keeps current:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
On distributions without snap, the APT package also works:
sudo apt update
sudo apt install certbot python3-certbot-nginx
Both approaches include the Nginx plugin used below.
Step 2 — Issue the Certificate
The Nginx plugin obtains the certificate and edits your server blocks to enable HTTPS in one step:
sudo certbot --nginx -d example.com -d www.example.com
Certbot will prompt for an email (used for expiry warnings and recovery) and ask you to agree to the ACME terms. When it asks whether to redirect HTTP to HTTPS, choose Redirect so all traffic is encrypted.
Behind the scenes, Certbot uses the HTTP-01 challenge: it places a token under /.well-known/acme-challenge/ and Let's Encrypt fetches it over port 80 to prove you control the domain.
Alternative: webroot (no Nginx edits)
If you prefer Certbot not to touch your config — common when your TLS settings are templated or managed — use the webroot method to obtain the certificate only:
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
You then reference the files yourself in your Nginx server block:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Always point Nginx at the live/ path, never the dated archive/ files — the live/ symlinks are updated on every renewal.
Step 3 — Verify HTTPS Works
Reload Nginx and open your site:
sudo nginx -t && sudo systemctl reload nginx
Visit https://example.com. You should see the padlock. Confirm the certificate and chain from the command line:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer -dates
This prints the issuer (Let's Encrypt) and the validity window.
Step 4 — Set Up Auto-Renewal
This is the step that prevents 3 a.m. outages. Certbot renews based on remaining lifetime, not a fixed schedule, so it is safe — and intended — to run the renewal check frequently.
Most installations already create a renewal job. Check for it:
systemctl list-timers | grep certbot
If you see a certbot.timer, automatic renewal is active. By default it runs twice daily with a randomized delay to spread load on Let's Encrypt's servers. Running twice daily is the EFF's own recommendation and comfortably handles both 90-day and shorter 45-day certificates.
Test renewal without issuing
Always confirm the renewal path works end to end with a dry run, which simulates renewal against the staging environment:
sudo certbot renew --dry-run
A successful dry run means real renewals will succeed.
Reload Nginx after renewal
A renewed certificate is only served after Nginx reloads. Add a deploy hook so the reload happens automatically on every renewal:
sudo certbot renew --deploy-hook "systemctl reload nginx"
Certbot saves this hook with the certificate's renewal configuration, so subsequent automatic renewals reload Nginx for you. The reload is graceful, giving near-zero disruption to live connections.
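The openssl check from Step 3 turned into a repeatable monitor, as an added example that is not part of the original guide: it fetches the certificate a host is actually serving and fails when fewer than a chosen number of days remain, which is the symptom of a stalled timer, a failed renewal, or a missing Nginx reload. The function names (cert_check, cert_days_left, fetch_served_cert) are this example's own, and cert_days_left assumes GNU date.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Certbot renews well before
# expiry, so a served certificate with only a few days left means the
# renewal path (timer, hook, or reload) has broken and needs attention.
set -u

# cert_check PEM_FILE MIN_DAYS
#   exit 0: certificate is valid for at least MIN_DAYS more days
#   exit 1: it expires sooner than that (or has already expired)
#   exit 2: the file is not a parseable certificate
cert_check() {
    local pem="$1" min_days="$2"
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 2
    # -checkend N succeeds only if the cert is still valid N seconds from now
    openssl x509 -noout -in "$pem" -checkend $(( min_days * 86400 )) >/dev/null
}

# cert_days_left PEM_FILE -> prints whole days until notAfter (GNU date assumed)
cert_days_left() {
    local not_after end now
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# fetch_served_cert HOST OUT_FILE -> saves the leaf certificate the host presents
# (same s_client call as Step 3, with SNI so the right server block answers)
fetch_served_cert() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Typical use from a cron job or monitoring agent (network required):
#   fetch_served_cert example.com /tmp/served.pem
#   cert_check /tmp/served.pem 20 || echo "example.com: renewal has stalled, $(cert_days_left /tmp/served.pem) days left"
```

Pick MIN_DAYS below the point at which Certbot should already have renewed, so a true alert means renewal failed rather than "not due yet".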
If no timer exists (manual cron)
On the rare system without a preconfigured timer, add a cron entry that runs the check twice a day with a random sleep. The lines are written in single quotes so your shell does not expand $((RANDOM ...)) while writing the file, the percent sign is escaped as \% because a bare % is special in crontab, and SHELL=/bin/bash is set because $RANDOM does not exist in the default /bin/sh:
printf '%s\n' 'SHELL=/bin/bash' '0 0,12 * * * root sleep $((RANDOM \% 3600)) && certbot renew -q --deploy-hook "systemctl reload nginx"' | sudo tee /etc/cron.d/certbot
Renewal Methods at a Glance
| Method | When to use | Reloads Nginx |
|---|---|---|
| certbot.timer (systemd) | Default on most systems; preferred | Via deploy hook |
| /etc/cron.d/certbot | Systems without systemd timers | Via deploy hook |
| Manual certbot renew | One-off / troubleshooting only | Add --deploy-hook |
Troubleshooting
- Challenge failed / timeout: Port 80 must be reachable from the internet during issuance. Check your firewall and cloud security group.
- DNS mismatch: Re-run dig +short example.com and confirm it matches the server IP. Allow time for propagation after DNS changes.
- Rate limited: Let's Encrypt limits certificates per domain per week. Use --dry-run for testing so you don't burn your quota.
- Wrong path served: Ensure Nginx references /etc/letsencrypt/live/..., not archive/.
Wrapping Up
You now have a free, browser-trusted SSL certificate on Nginx with renewal that runs unattended and reloads your web server automatically — resilient to both 90-day and the newer shorter certificate lifetimes. For email, the same principle applies: secure mail transport matters too, and Skyline business email hosting ships with TLS configured for you. To go deeper on certificates, chains, and compliance, see our SSL certificates resource hub.
Ready to run this on a fast, PDPL-compliant in-Kingdom server with local Arabic support? Create your Skyline Cloud account and deploy a secured site today.