If your website still shows "Not Secure" in the browser address bar, you're losing visitors and search rankings. SSL certificates encrypt the connection between your visitors and your server, and thanks to Let's Encrypt, they're completely free. Here's how to set one up in under 10 minutes.
Why SSL Matters
Before we dive in, here's why HTTPS isn't optional anymore:
- Google ranks HTTPS sites higher — it's been a ranking signal since 2014
- Browsers warn visitors — Chrome and Firefox display "Not Secure" warnings on HTTP sites
- Data protection — SSL encrypts login credentials, payment info, and personal data in transit
- Trust — visitors are more likely to engage with a site that shows the padlock icon
- Required for modern features — HTTP/2, service workers, and many APIs require HTTPS
What You'll Need
- A domain name pointing to your server (A record configured)
- SSH access to your server (or a hosting control panel)
- Your web server software (Nginx or Apache)
Method 1: Certbot (Recommended)
Certbot is the official Let's Encrypt client. It handles certificate issuance and automatic renewal.
Step 1: Install Certbot
Ubuntu/Debian:
sudo apt update
sudo apt install certbot
For Nginx:
sudo apt install python3-certbot-nginx
For Apache:
sudo apt install python3-certbot-apache
CentOS/RHEL:
sudo dnf install certbot python3-certbot-nginx
Step 2: Obtain Your Certificate
For Nginx:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
For Apache:
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
Certbot will:
- Verify you own the domain
- Obtain the certificate
- Automatically configure your web server
- Set up HTTP → HTTPS redirect
You'll be prompted for an email address (for renewal notifications) and to agree to the terms of service.
Step 3: Verify It Works
Visit https://yourdomain.com — you should see the padlock icon. You can also test at ssllabs.com/ssltest for a detailed security grade.
Step 4: Set Up Auto-Renewal
Let's Encrypt certificates expire after 90 days. Certbot sets up automatic renewal, but verify it works:
# Test renewal (dry run)
sudo certbot renew --dry-run
Certbot installs a systemd timer or cron job that runs twice daily and renews any certificate within 30 days of expiry. Check it's active:
sudo systemctl status certbot.timer
Method 2: Manual Nginx Configuration
If Certbot's automatic configuration doesn't suit your setup, here's how to configure Nginx manually after obtaining a certificate.
Obtain Certificate (Standalone Mode)
Stop your web server temporarily:
sudo systemctl stop nginx
sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com
sudo systemctl start nginx
Configure Nginx
Edit your server block (typically in /etc/nginx/sites-available/yourdomain.com):
# Redirect HTTP to HTTPS
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}
# HTTPS server block
server {
listen 443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Strong SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (optional but recommended)
add_header Strict-Transport-Security "max-age=63072000" always;
# Your site configuration
root /var/www/yourdomain.com;
index index.html index.php;
location / {
try_files $uri $uri/ =404;
}
}
Test and reload:
sudo nginx -t
sudo systemctl reload nginx
Method 3: Apache Manual Configuration
Configure Apache
Enable required modules:
sudo a2enmod ssl
sudo a2enmod rewrite
Create or edit your virtual host:
# /etc/apache2/sites-available/yourdomain-ssl.conf
<VirtualHost *:443>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /var/www/yourdomain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
<Directory /var/www/yourdomain.com>
AllowOverride All
</Directory>
</VirtualHost>
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
Enable and restart:
sudo a2ensite yourdomain-ssl.conf
sudo systemctl restart apache2
WordPress-Specific Steps
After installing SSL, WordPress needs a few extra steps:
Update WordPress URLs
Go to Settings → General and update both:
- WordPress Address (URL):
https://yourdomain.com - Site Address (URL):
https://yourdomain.com
Fix Mixed Content
Mixed content occurs when your HTTPS page loads some resources over HTTP (images, scripts, stylesheets). Fix it with:
Option A: Plugin (easiest)
Install "Really Simple SSL" — it handles most mixed content issues automatically.
Option B: Database search-replace
# Using WP-CLI
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables
Force HTTPS in wp-config.php
Add these lines above "That's all, stop editing!":
define('FORCE_SSL_ADMIN', true);
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
$_SERVER['HTTPS'] = 'on';
}
Using Cloudflare for SSL (No Server Access Needed)
If you don't have SSH access, Cloudflare provides free SSL without touching your server:
- Create a free Cloudflare account
- Add your domain and update nameservers
- In SSL/TLS settings, select "Full" (or "Full (Strict)" if you also have a server certificate)
- Enable "Always Use HTTPS" under Edge Certificates
This works by encrypting traffic between visitors and Cloudflare. For full end-to-end encryption, combine Cloudflare with a Let's Encrypt certificate on your server.
Hosting Control Panel (cPanel/Plesk)
Many hosting providers offer SSL through their control panel:
cPanel:
- Go to Security → SSL/TLS
- Click Manage SSL Sites
- Use AutoSSL — cPanel automatically provisions free certificates
Plesk:
- Go to Websites & Domains
- Click SSL/TLS Certificates
- Install a free Let's Encrypt certificate with one click
Troubleshooting Common Issues
Certificate not renewing:
# Check certbot logs
sudo journalctl -u certbot
# Force renewal
sudo certbot renew --force-renewal
Mixed content warnings:
Check browser developer tools (F12 → Console) for specific HTTP resources that need updating.
"Your connection is not private" error:
- Certificate might have expired — check with
sudo certbot certificates - Domain mismatch — ensure the certificate covers your exact domain
- Clock issues — verify your server time is correct
Redirect loops:
Usually caused by a load balancer or proxy. Check if X-Forwarded-Proto header is being passed correctly.
SSL Best Practices
- Always redirect HTTP → HTTPS — don't serve content on both
- Enable HSTS — tells browsers to always use HTTPS
- Use TLS 1.2+ only — disable older, insecure protocols
- Monitor certificate expiry — set up alerts even with auto-renewal
- Test regularly — use SSL Labs to check your configuration grade
Secure Your Site Today
SSL is no longer optional — it's a basic requirement for any website. With Let's Encrypt, there's zero cost involved, and the setup takes minutes. Your visitors get security, your SEO gets a boost, and your site gets the trust it deserves.
At DeployBase, every hosting plan includes free SSL certificates with automatic provisioning and renewal. No command line required — SSL is enabled by default when you deploy your site. We handle the certificates so you can focus on building your business.
Get started with DeployBase → — free SSL included with every plan.
