Enable HTTPS with Let's Encrypt
Obtain a free, trusted TLS certificate using Certbot and the Let's Encrypt ACME protocol. Configure automatic renewal so the certificate stays valid.
Prerequisites
All of the following must be true before running Certbot.
- ✓ Your domain resolves to the Oracle VM's public IP address
- ✓ Nginx is installed and serving HTTP on port 80
- ✓ Port 80 is open in the Oracle Security List
- ✓ Port 80 is allowed in iptables
If DNS does not resolve to your server before running Certbot, the ACME HTTP-01 challenge will fail. Let's Encrypt enforces rate limits, and too many failed attempts will temporarily block certificate issuance for your domain.
Install Certbot
Install Certbot and the Nginx plugin from the Ubuntu repositories.
sudo apt update sudo apt install -y certbot python3-certbot-nginx
Certbot's Nginx plugin will automatically detect your Nginx virtual hosts and modify the configuration to add SSL directives after the certificate is issued.
Request a Certificate
Run Certbot with the Nginx plugin. It will automatically detect the Nginx server_name and perform the ACME HTTP-01 challenge.
sudo certbot --nginx
The interactive wizard will ask you to:
- Enter a valid email address (used for expiry notifications)
- Accept the Let's Encrypt Terms of Service
- Choose whether to share your email with EFF (optional)
- Select the domain(s) to secure (from the detected Nginx server names)
- Choose whether to redirect HTTP traffic to HTTPS automatically
Select 2 (Redirect) when prompted to redirect HTTP to HTTPS. This ensures all traffic is always encrypted and your Nginx configuration is automatically updated.
After completion, Certbot modifies your Nginx configuration to include the certificate paths and SSL directives, then reloads Nginx automatically.
Automatic Renewal
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer that runs twice daily to check and renew certificates that are due to expire within 30 days.
systemctl list-timers | grep certbot
Test the renewal process without actually issuing a new certificate.
sudo certbot renew --dry-run
The Certbot systemd timer is enabled and started automatically during installation. As long as ports 80 and 443 remain accessible and DNS continues to resolve correctly, renewal will happen automatically without any manual intervention.
Verification
curl -Ik https://example.com sudo nginx -t sudo systemctl reload nginx
| Check | Expected Result |
|---|---|
| HTTPS loads | Browser shows a padlock icon |
| Certificate valid | Issued by Let's Encrypt |
| HTTP redirects to HTTPS | curl http:// returns 301 to https:// |
| Automatic renewal configured | certbot.timer listed as active |
Common Issues
| Problem | Resolution |
|---|---|
| Connection timed out during challenge | Verify port 80 is open in the Oracle Security List and iptables. See Chapter 8. |
| ACME challenge failed | Ensure DNS resolves to the correct public IP. Test with dig @8.8.8.8 example.com. |
| Certificate not renewing | Check sudo systemctl status certbot.timer and run a dry-run manually. |
| Browser still shows HTTP / no padlock | Clear browser cache, or check whether the HTTP→HTTPS redirect is active in the Nginx config. |
| Too many requests error | You've hit the Let's Encrypt rate limit. Wait 1 hour before retrying, or use the --staging flag for testing. |