Articles

HTTPS Setup: Let's Encrypt & Certbot Secrets

March 15, 2026 7 min read

Setting up HTTPS isn’t just about enabling a padlock; it fundamentally changes how your server interacts with the internet.

Let’s see it in action. Imagine a user’s browser requesting your website. Without HTTPS, this request and your server’s response travel as plain text, visible to anyone snooping on the network.

Browser: GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 ...

Server: HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
...
<!DOCTYPE html>
<html>
<head>
    <title>My Awesome Site</title>
</head>
<body>
    <h1>Welcome!</h1>
</body>
</html>

With HTTPS, the initial handshake is entirely different. It involves a cryptographic exchange to establish a secure, encrypted channel.

Browser: Client Hello (supported ciphers, TLS version)
Server: Server Hello (chosen cipher, TLS version, certificate)
Server: Certificate Authority (CA) Certificate
Browser: Verifies CA certificate, generates session key, encrypts it with server's public key.
Browser: Client Key Exchange (encrypted session key)
Browser: Change Cipher Spec, Finished (encrypted handshake messages)
Server: Change Cipher Spec, Finished (encrypted handshake messages)

Only after this secure channel is established does the actual HTTP request and response occur, now fully encrypted.

Browser: GET /index.html HTTP/1.1 (encrypted)
Host: example.com (encrypted)
User-Agent: Mozilla/5.0 ... (encrypted)

Server: HTTP/1.1 200 OK (encrypted)
Content-Type: text/html (encrypted)
Content-Length: 1234 (encrypted)
...
<!DOCTYPE html>
<html>
... (encrypted)
</html>

The core problem HTTPS solves is confidentiality and integrity for data in transit. Before HTTPS, data was sent in the clear, making it vulnerable to eavesdropping (confidentiality) and tampering (integrity). Think of it like sending a postcard versus a sealed, tamper-evident envelope.

To set this up, you’ll need an SSL/TLS certificate. This certificate is issued by a trusted Certificate Authority (CA) and contains your domain’s public key, its identity, and the CA’s digital signature. When a browser connects to your HTTPS server, it downloads this certificate. The browser then uses its built-in list of trusted CAs to verify the certificate’s authenticity. If the CA is trusted and the certificate is valid for your domain, the browser proceeds with establishing the encrypted connection using the public key from the certificate to securely exchange a symmetric session key. This session key is then used for all subsequent communication during that session, as symmetric encryption is much faster than asymmetric encryption.

The main levers you control are:

  • Certificate Acquisition: Choosing a CA (e.g., Let’s Encrypt, DigiCert, Sectigo) and obtaining a certificate (Domain Validated, Organization Validated, Extended Validation).
  • Web Server Configuration: Installing the certificate and private key on your web server (e.g., Nginx, Apache, IIS) and configuring it to listen on port 443 and use HTTPS. This involves directives like ssl_certificate and ssl_certificate_key in Nginx, or SSLCertificateFile and SSLCertificateKeyFile in Apache.
  • HTTP to HTTPS Redirects: Ensuring all HTTP requests are automatically redirected to their HTTPS equivalents using server configuration (e.g., return 301 https://$host$request_uri; in Nginx) or .htaccess rules.
  • TLS Version and Cipher Suite Selection: Configuring your server to use strong TLS versions (TLS 1.2 and TLS 1.3) and secure cipher suites, disabling older, vulnerable protocols like SSLv3 and TLS 1.0/1.1.

A common pitfall is certificate expiry. Certificates have a limited lifespan (typically 90 days for Let’s Encrypt, up to a year for commercial certificates) and must be renewed. Failing to renew means your site will display a "Not Secure" warning to visitors, and connections will fail. Automated renewal processes, especially with tools like certbot for Let’s Encrypt, are crucial.

Many people don’t realize that the "padlock" icon is just the browser’s way of saying "I successfully verified the server’s identity and established an encrypted channel." It doesn’t inherently guarantee your application is secure from other types of attacks, like SQL injection or cross-site scripting. The encryption is purely about the communication channel itself.

The next step is understanding how to optimize your HTTPS configuration for performance and security, often involving HTTP Strict Transport Security (HSTS) and TLS session resumption.

Want structured learning?

Take the full Cryptography course →