Skip to Content
chalvien 1.0 is released
DocumentationVPS DocumentationProvisioningCertbot

Certbot

Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. Assuming Ubuntu + NGINX + domain already pointing to the VPS, we’ll end with:

  • valid HTTPS
  • auto-renewal
  • NGINX config that won’t fight you later when you add Next.js / Express

Quick checklist (don’t skip)

Make sure all of these are true:

  • Domain resolves to your VPS IP
ping yourdomain.com
  • NGINX serves your static page on HTTP
  • port 80 and 443 open

If yes → continue.

Install Certbot (NGINX plugin)

On Ubuntu:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Verify:

certbot --version

Dry sanity check (NGINX)

Before touching SSL, always validate NGINX:

sudo nginx -t

If OK, continue. If not → fix first.

Run Certbot

Run:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will ask:

  • Email address → use a real one
  • Agree to terms → A
  • Share email? → your choice (I usually say N)
  • HTTP → HTTPS redirect? → YES (option 2)

This is what you want in production.

Certbot will:

  • request certificates
  • edit your NGINX config
  • reload NGINX

Verify HTTPS

Open in browser:

https://yourdomain.com

You should see:

  • lock icon
  • your static page

Also test:

http://yourdomain.com

→ should auto-redirect to HTTPS.

Inspect what Certbot changed (important)

Open your NGINX config:

sudo nano /etc/nginx/sites-available/myapp

You’ll now see something like:

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
 
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
 
    root /var/www/myapp/static;
    index index.html;
 
    location / {
        try_files $uri $uri/ =404;
    }
}
 
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

This structure is exactly what we want going forward.

Auto-renewal check (very important)

Let’s Encrypt certs last 90 days, but Ubuntu handles renewal automatically.

Test renewal:

sudo certbot renew --dry-run

You should see:

Congratulations, all renewals succeeded

System timer check:

systemctl list-timers | grep certbot

If you see a timer → you’re safe.

Add this inside the HTTPS server block:

add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";

Not mandatory now, but clean.

Where you are now (big milestone)

At this point you have:

  • VPS hardened (users + SSH)
  • NGINX properly configured
  • Domain working
  • HTTPS + auto-renewal
  • Clean foundation for Node apps

This is production-grade groundwork.

Next logical step (our choice)

  • Install Node.js LTS
  • Set up PM2
  • Deploy a minimal Next.js app
  • Add Express API
  • Install Postgres
VPS SetupConfiguration