Prerequisites

All of the following must be true before running Certbot.

  • Your domain resolves to the Oracle VM's public IP address
  • Nginx is installed and serving HTTP on port 80
  • Port 80 is open in the Oracle Security List
  • Port 80 is allowed in iptables
Do not skip prerequisites

If DNS does not resolve to your server before running Certbot, the ACME HTTP-01 challenge will fail. Let's Encrypt enforces rate limits, and too many failed attempts will temporarily block certificate issuance for your domain.

Install Certbot

Install Certbot and the Nginx plugin from the Ubuntu repositories.

bash
sudo apt update
sudo apt install -y certbot python3-certbot-nginx

Certbot's Nginx plugin will automatically detect your Nginx virtual hosts and modify the configuration to add SSL directives after the certificate is issued.

Request a Certificate

Run Certbot with the Nginx plugin. It will automatically detect the Nginx server_name and perform the ACME HTTP-01 challenge.

bash
sudo certbot --nginx

The interactive wizard will ask you to:

  1. Enter a valid email address (used for expiry notifications)
  2. Accept the Let's Encrypt Terms of Service
  3. Choose whether to share your email with EFF (optional)
  4. Select the domain(s) to secure (from the detected Nginx server names)
  5. Choose whether to redirect HTTP traffic to HTTPS automatically
Select redirect

Select 2 (Redirect) when prompted to redirect HTTP to HTTPS. This ensures all traffic is always encrypted and your Nginx configuration is automatically updated.

After completion, Certbot modifies your Nginx configuration to include the certificate paths and SSL directives, then reloads Nginx automatically.

Automatic Renewal

Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer that runs twice daily to check and renew certificates that are due to expire within 30 days.

bash
systemctl list-timers | grep certbot

Test the renewal process without actually issuing a new certificate.

bash
sudo certbot renew --dry-run
No action needed

The Certbot systemd timer is enabled and started automatically during installation. As long as ports 80 and 443 remain accessible and DNS continues to resolve correctly, renewal will happen automatically without any manual intervention.

Verification

bash
curl -Ik https://example.com

sudo nginx -t

sudo systemctl reload nginx
CheckExpected Result
HTTPS loadsBrowser shows a padlock icon
Certificate validIssued by Let's Encrypt
HTTP redirects to HTTPScurl http:// returns 301 to https://
Automatic renewal configuredcertbot.timer listed as active

Common Issues

ProblemResolution
Connection timed out during challengeVerify port 80 is open in the Oracle Security List and iptables. See Chapter 8.
ACME challenge failedEnsure DNS resolves to the correct public IP. Test with dig @8.8.8.8 example.com.
Certificate not renewingCheck sudo systemctl status certbot.timer and run a dry-run manually.
Browser still shows HTTP / no padlockClear browser cache, or check whether the HTTP→HTTPS redirect is active in the Nginx config.
Too many requests errorYou've hit the Let's Encrypt rate limit. Wait 1 hour before retrying, or use the --staging flag for testing.
Back to top