If you have your own dedicated or virtual server you most likely have an administrative access which is awesome & dangerous all at the same time.
We’ll use a service called Let’s Encrypt to generate the SSL certificate for a selected domain.

There are several things to keep in mind.

  • The Let’s Encrypt certificates are free
  • Let’s Encrypt certificates expire in 90 days
  • You will get a notification when the certificate is due for renewal (the email is supplied when you request the SSL request).
  • It’s good to use –dry-run initially because if there are too many errors Let’s Encrypt will block you (temporarily) and you won’t be able to request an SSL certificate for several days (or about week)
  • You need to have root access
  • You can’t have a wildcard SSL certificate e.g. *.example.com
  • Your server must allow access to a example.com/.well-known/ folder


Test if your webserver allows access to .well-known

Let’s Encrypt needs to verify that you really have access to the domain so it does some checks. To successfully complete those checks it needs to create some temporary files in a folder called .well-known which resides in your site’s document root folder.

To test if the folder is accessible after you create it then create a text file in it and then try to access it from the browser.

mkdir .well-known

echo 123 > .well-known/test.txt

Visit your website from the browser by entering this address.

If you see 123 file that means that the folder is accessible and you can proceed. Without this step the Let’s Encrypt verifications will fail.



To proceed you need to login as root or switch to root
sudo su


Download (clone) Let’s Encrypt tools from github.

It will be a lot easier later on to update it by running git pull while in /opt/letsencrypt folder.

# Credit: https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
chmod 0755 /opt/letsencrypt/certbot-auto


Request the SSL certificate

Before you go ahead you need to do some thinking. I know it’s hard but still 🙂
Let’s Encrypt allows you to use one SSL certificate for multiple domains and subdomains I advise you against that.
Be specific which (sub)domains you need the SSL certificate for. I highly recommend that you only request for one domain only per certificate. Do make sure you also include the www subdomina e.g. example.com and www.example.com

The issue with having one SSL certificate server multiple domains or subdomains is that if one of the them is not accessible the whole SSL certificate renewal process will fail. For example you’ve requested the certificate to be issued for example.com & example.net (+ their www prefixes) and you have moved the example.net to another server to use it for something else e.g. staging server Let’s Encrypt won’t be able to verify it because it needs to access files on the same server.

To recap use one SSL certificate per domain.

Before you run the following command as root make sure that the document root folder exists /var/www/vhosts/example.com/www/ & you’ve replaced example.com with your own domain.

/opt/letsencrypt/certbot-auto certonly –webroot –webroot-path /var/www/vhosts/example.com/www/ –no-eff-email –noninteractive –verbose –rsa-key-size 4096 –email admin@example.com –verbose –text –agree-tos -d example.com -d www.example.com 2>&1 | tee -a ssl.log

It will take about a minute and if all goes well you should have these files.

  • /etc/letsencrypt/live/example.com/privkey.pem
  • /etc/letsencrypt/live/example.com/fullchain.pem


The next step is to install the SSL certificate on your server.

As mentioned earlier the SSL certificate will expire within 90 days.
To set up the renewal check the article called How to Automatically Renew an SSL Certificate Issued by Let’s Encrypt



Free WordPress Sandbox

Do you want to get a free test/Sandbox WordPress site? Join Now


If something needs correcting in this article, you have an idea or suggestion always let us know