Securing your website with HTTPS is no longer optional. Browsers flag non-secure sites, search engines downrank them, and visitors leave instantly when they see that scary warning. The good news? You can secure any website for free using Let’s Encrypt, a trusted Certificate Authority that issues TLS certificates at no cost.
This guide covers a complete Let’s Encrypt SSL setup for the two most common hosting setups in 2026: cPanel-based shared hosting and an Nginx VPS. Whether you run a small WordPress blog or manage your own server, you will find the exact commands and clicks you need below.
What Is Let’s Encrypt and Why Use It?
Let’s Encrypt is a free, automated, and open Certificate Authority operated by the nonprofit Internet Security Research Group (ISRG). It issues SSL/TLS certificates that are trusted by every major browser, exactly like the paid certificates from commercial vendors.
Key benefits:
- 100% free with no hidden fees or upsells
- Automated issuance and renewal through the ACME protocol
- Trusted by all modern browsers and operating systems
- Supports wildcard certificates (*.yourdomain.com)
- 90-day validity, encouraging good security hygiene through automation
Let’s Encrypt vs Paid SSL Certificates
| Feature | Let’s Encrypt | Paid SSL |
|---|---|---|
| Cost | Free | $10 to $500+ per year |
| Encryption strength | Identical (256-bit) | Identical (256-bit) |
| Validity | 90 days (auto-renew) | 1 year |
| EV certificates | No | Yes |
| Wildcard support | Yes | Yes |

Part 1: Let’s Encrypt SSL Setup on cPanel
If your hosting provider uses cPanel (which most shared hosts do), you have two paths: the built-in AutoSSL feature, or manual installation through the SSL/TLS module. AutoSSL is by far the easiest, and at kelio-host.net it’s enabled by default on all our shared plans.
Method 1: Using AutoSSL (Recommended)
- Log in to your cPanel dashboard.
- Scroll to the Security section and click on SSL/TLS Status.
- You will see all your domains and subdomains listed. Select the ones you want to secure.
- Click the Run AutoSSL button at the top.
- Wait 1 to 5 minutes. AutoSSL will validate domain ownership and install the certificate automatically.
- A green padlock icon next to each domain confirms the certificate is active.
AutoSSL automatically renews certificates before expiration, so you can set it and forget it.
Method 2: Manual Installation via SSL/TLS Manager
If AutoSSL is disabled or you need a specific certificate:
- In cPanel, open SSL/TLS under the Security section.
- Click Generate, view, or delete SSL certificate signing requests and create a CSR for your domain.
- Use a tool like ZeroSSL or SSL For Free (both ACME-based and powered by Let’s Encrypt) to issue a certificate using your CSR.
- Complete domain verification by uploading the provided file to /public_html/.well-known/acme-challenge/ via File Manager.
- Once issued, return to SSL/TLS > Manage SSL sites and paste the certificate, private key, and CA bundle into the corresponding fields.
- Click Install Certificate.
Forcing HTTPS on cPanel
After installation, force all traffic to HTTPS by going to Domains > Force HTTPS Redirect and toggling it on for each domain. Alternatively, add this to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Part 2: Let’s Encrypt SSL Setup on Nginx (VPS)
For VPS users running Nginx on Ubuntu, Debian, or similar distributions, the Certbot client is the official and easiest way to handle Let’s Encrypt SSL setup. The instructions below assume Ubuntu 22.04 or 24.04, but they work on most modern Linux distributions with minor adjustments.
Step 1: Prerequisites
- A domain name pointing to your VPS public IP (A record configured)
- Nginx installed and serving your site on port 80
- Root or sudo access
- Ports 80 and 443 open in your firewall
Verify Nginx is running:
sudo systemctl status nginx
Step 2: Install Certbot
The recommended installation method in 2026 is via snap, which keeps Certbot up to date automatically:
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
If you prefer apt:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Step 3: Generate and Install the Certificate
Certbot can automatically configure Nginx for you. Run:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot will:
- Ask for your email address (used for renewal notifications)
- Prompt you to agree to the Terms of Service
- Validate domain ownership using the HTTP-01 challenge
- Modify your Nginx configuration to enable HTTPS
- Offer to redirect all HTTP traffic to HTTPS (choose option 2)
That’s it. Visit https://yourdomain.com in your browser and you should see the padlock.
Step 4: Verify Auto-Renewal
Certbot installs a systemd timer (or cron job) that renews certificates automatically when they have less than 30 days left. Test it with a dry run:
sudo certbot renew --dry-run
If the output shows Congratulations, all simulated renewals succeeded, your auto-renewal is working. Check the timer status:
sudo systemctl list-timers | grep certbot
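A dry run shows that renewal can work; it does not show that a certificate on disk was actually renewed. The following added example (not part of the original guide) classifies certificate files by remaining lifetime with openssl. The function names and the 25-day alert threshold are assumptions chosen for illustration, and the sample certificates are constructed self-signed ones.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that Certbot should already have renewed.

# cert_state FILE [ALERT_DAYS] prints OK, RENEWAL_OVERDUE, EXPIRED or UNREADABLE.
# ALERT_DAYS defaults to 25 (an assumed value): slightly inside Certbot's 30-day
# renewal window, so a healthy timer has had several chances to renew first.
cert_state() {
    local cert="$1" alert_days="${2:-25}"
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"          # missing file or not a PEM certificate
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"
    elif ! openssl x509 -in "$cert" -noout -checkend $((alert_days * 86400)) >/dev/null 2>&1; then
        echo "RENEWAL_OVERDUE"     # still valid, but renewal has not happened
    else
        echo "OK"
    fi
}

# Constructed input: a throwaway self-signed certificate valid for DAYS days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# With no arguments, demonstrate on two constructed certificates.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/fresh.pem" 90
    make_sample_cert "$tmp/stale.pem" 10
    set -- "$tmp/fresh.pem" "$tmp/stale.pem"
fi
# Otherwise report each file given, e.g. the cert.pem files Certbot keeps
# under /etc/letsencrypt/live/<domain>/ (reading them requires root).
for cert in "$@"; do
    printf '%s %s\n' "$(cert_state "$cert")" "$cert"
done
```

Run from cron or a monitoring agent, any state other than OK is the signal to look at the timer and the logs in /var/log/letsencrypt/.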
Step 5: Hardening Your Nginx SSL Configuration
To achieve an A+ rating on SSL Labs, add these lines inside your Nginx server block:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
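Two caveats before reloading. Let’s Encrypt stopped putting OCSP URLs in its certificates in 2025, so with a Let’s Encrypt certificate Nginx ignores the two ssl_stapling lines and logs a warning; they only take effect with a certificate from a CA that still runs an OCSP responder. The Strict-Transport-Security header above applies to every subdomain (includeSubDomains) for two years, so confirm that all subdomains serve HTTPS before enabling it.
Reload Nginx: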
sudo nginx -t && sudo systemctl reload nginx
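To confirm that a config file actually carries the Step 5 settings, here is an added example (not from the original guide) that audits a file for legacy protocols, weak cipher tokens and a missing or weak HSTS header. The function names, the one-year max-age floor and both sample configs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an Nginx config file against the Step 5 settings.
# Print the first active (uncommented) line matching a directive regex.
directive() {
    sed 's/#.*//' "$2" | grep -E "^[[:space:]]*$1[[:space:]]" | head -n 1
}

# Print one finding per line; print nothing when the file passes.
audit_nginx_tls() {
    local conf="$1" line age
    line=$(directive ssl_protocols "$conf")
    if [ -z "$line" ]; then
        echo "ssl_protocols: not set explicitly"
    elif printf '%s\n' "$line" | grep -Eq '(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)'; then
        echo "ssl_protocols: legacy protocol enabled"
    fi
    # Drop "!EXCLUDED" tokens first so exclusions are not reported as weak.
    line=$(directive ssl_ciphers "$conf" | sed -E 's/![^:;]+//g')
    if printf '%s\n' "$line" | grep -Eq '(RC4|DES|MD5|NULL|EXPORT)'; then
        echo "ssl_ciphers: weak suite listed"
    fi
    line=$(directive 'add_header[[:space:]]+Strict-Transport-Security' "$conf")
    age=$(printf '%s\n' "$line" | grep -Eo 'max-age=[0-9]+' | cut -d= -f2)
    if [ -z "$line" ]; then
        echo "hsts: header not set"
    elif [ "${age:-0}" -lt 31536000 ]; then   # assumed floor: one year
        echo "hsts: max-age under one year"
    elif ! printf '%s\n' "$line" | grep -Eq '[[:space:]]always[[:space:]]*;'; then
        echo "hsts: 'always' missing, header is skipped on error responses"
    fi
}
# Constructed sample configs (not from a real server).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!aNULL;
    # add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
EOF
}
samples=$(mktemp -d) && write_samples "$samples" && audit_nginx_tls "$samples/weak.conf"
```

The weak sample yields three findings, including the commented-out HSTS line, which a plain grep for the directive name would have counted as present.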

Wildcard Certificates with DNS-01 Challenge
Need to secure unlimited subdomains with a single certificate? Use the DNS-01 challenge:
sudo certbot certonly --manual --preferred-challenges dns -d '*.yourdomain.com' -d yourdomain.com
Certbot will give you a TXT record to add to your DNS. Once propagated, the wildcard certificate is issued. For full automation, install the DNS plugin matching your provider (Cloudflare, Route53, OVH, etc.).

Common Issues and How to Fix Them
- Challenge failed for domain: Make sure your domain DNS points to your server and port 80 is reachable from the internet.
- Too many certificates already issued: Let’s Encrypt enforces a rate limit of 50 certificates per registered domain per week. Wait or use the staging environment to test.
- Mixed content warnings: Update internal links and resources (images, scripts) to use HTTPS or relative URLs.
- Certificate not auto-renewing: Check the systemd timer with sudo systemctl status certbot.timer (the snap package names it snap.certbot.renew.timer) and review logs in /var/log/letsencrypt/.
FAQ
Does Let’s Encrypt provide free SSL?
Yes. Let’s Encrypt issues fully trusted SSL/TLS certificates at no cost. There are no premium tiers or paid features. The service is funded by sponsors and donations through the Internet Security Research Group.
How much does a Let’s Encrypt SSL certificate cost?
It is completely free, both for personal and commercial use. You only pay for your domain name and your hosting.
What is the difference between Let’s Encrypt and other SSL providers?
The encryption itself is identical. The differences are in price (free vs paid), certificate lifetime (90 days vs 1 year), and the type of validation offered. Let’s Encrypt only issues Domain Validation (DV) certificates, while paid CAs also offer Organization Validation (OV) and Extended Validation (EV).
How often does a Let’s Encrypt certificate need to be renewed?
Every 90 days. However, both Certbot and cPanel AutoSSL handle renewal automatically, so there is no manual work involved once setup is complete.
Can I use Let’s Encrypt with Cloudflare?
Yes. Set up Let’s Encrypt on your origin server first, then enable Cloudflare in front. Use the Full (strict) SSL mode in Cloudflare for end-to-end encryption.
Is Let’s Encrypt suitable for production websites?
Absolutely. It is used by hundreds of millions of websites including major brands. The certificates are technically equivalent to any paid DV certificate.
Conclusion
Setting up a free SSL certificate with Let’s Encrypt is straightforward whether you are on cPanel shared hosting or a self-managed Nginx VPS. With AutoSSL on cPanel or Certbot on Nginx, you can secure your site in under 10 minutes and never worry about expiration thanks to automatic renewal.
At kelio-host.net, every shared hosting plan ships with AutoSSL enabled, and our VPS plans come pre-configured with Certbot ready to run. If you need help with your Let’s Encrypt SSL setup, our support team is available 24/7.