Think of HTTP vs HTTPS like sending a message:
When users type passwords or personal info on your website, HTTPS keeps it safe.
An SSL Certificate is a small file that does 2 things:
Certificates are issued by trusted organizations called Certificate Authorities (CAs).
We will use Let's Encrypt, a CA that gives certificates 100% free.
Their tool Certbot does almost everything automatically.
| Feature | HTTP | HTTPS |
|---|---|---|
| Data encrypted? | No | Yes |
| Browser padlock? | No | Yes |
| Google SEO ranking | Lower | Higher |
| Safe for passwords? | No | Yes |
| Modern features (camera, payments)? | No | Yes |
Make sure:
- You have a domain name (e.g., studycode.pro)
- Domain DNS points to your server IP
- Nginx is installed and running
- Port 80 and 443 are open on your firewall
Check Nginx is running:
```bash
sudo systemctl status nginx
```
You should see: active (running)
Certbot is the tool that gets your certificate and configures Nginx for you.
```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
```
python3-certbot-nginx is a plugin that lets Certbot automatically edit your Nginx config file. Without it, you'd have to configure everything by hand.
```bash
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```
| Part | Meaning |
|---|---|
| --nginx | Use Nginx plugin (auto-configure) |
| -d yourdomain.com | Issue certificate for your domain |
| -d www.yourdomain.com | Also cover the www version |
Certbot will ask you a few things:
```
Enter email address: your@email.com
Agree to Terms of Service? → A (Agree)
Redirect HTTP to HTTPS?
  1: No redirect
  2: Redirect   ← Choose this
```
If someone visits http://yourdomain.com, they automatically go to https://yourdomain.com.
Nobody accidentally uses the insecure version.
If it works, you'll see:
```
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your certificate will expire on 2025-08-14.
```
Your website is now HTTPS!
Certbot automatically:
Your Nginx config now looks like this:
```nginx
# HTTPS: your main site
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # ... rest of your config ...
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
```
The 301 means: "This page permanently moved to HTTPS."
Browsers remember this and go straight to HTTPS next time.
```bash
# Check config for errors
sudo nginx -t
# Apply changes
sudo systemctl reload nginx
```
Now open your browser:
- https://yourdomain.com → Padlock shows
- http://yourdomain.com → Auto-redirects to HTTPS
Let's Encrypt certificates expire every 90 days.
Certbot already sets up a timer that checks and renews automatically. Let's confirm it's active:
```bash
sudo systemctl status certbot.timer
```
You should see: active (waiting)
Test the renewal process (safe, doesn't actually renew):
```bash
sudo certbot renew --dry-run
```
If you see "simulated renewal succeeded", you're done. Your certificate will renew itself forever. You never need to touch it again.
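The renewal timer can stop working without anyone noticing (DNS changed, port 80 closed, Nginx config broken), so it helps to check the expiry date independently of Certbot. The script below is an added example, not part of the original tutorial or of Certbot; the function names, the 21-day threshold and the sample dates are assumptions made for the illustration, and it relies on GNU `date`.

```bash
#!/usr/bin/env bash
# Added example: warn when a certificate gets closer to expiry than a working
# Certbot timer should ever allow. Needs GNU date (Ubuntu/Debian).

WARN_DAYS=21   # assumption: threshold chosen for this example

# secs_left "<notAfter=... line from openssl>" <now as epoch seconds>
secs_left() {
    local not_after expiry
    not_after=${1#notAfter=}
    [ -n "$not_after" ] || return 1          # openssl gave us nothing
    expiry=$(date -u -d "$not_after" +%s 2>/dev/null) || return 1
    echo $(( expiry - $2 ))
}

# cert_status "<notAfter line>" <now>  ->  OK n | WARN n | EXPIRED | UNREADABLE
cert_status() {
    local secs days
    secs=$(secs_left "$1" "$2") || { echo "UNREADABLE"; return 0; }
    days=$(( secs / 86400 ))
    if   [ "$secs" -le 0 ];            then echo "EXPIRED"
    elif [ "$days" -lt "$WARN_DAYS" ]; then echo "WARN $days"
    else                                    echo "OK $days"
    fi
}

if [ -n "${1:-}" ]; then
    # Real use: pass the fullchain.pem path from the Certbot success message.
    cert_status "$(openssl x509 -noout -enddate -in "$1")" "$(date +%s)"
else
    # Constructed sample: the expiry date from the message above (time of day
    # invented), checked as if today were two different dates.
    sample='notAfter=Aug 14 12:00:00 2025 GMT'
    cert_status "$sample" "$(date -u -d '2025-06-01 12:00:00' +%s)"   # OK 74
    cert_status "$sample" "$(date -u -d '2025-08-04 12:00:00' +%s)"   # WARN 10
fi
```

Run it from cron or a monitoring agent with the `fullchain.pem` path as its argument; reading `/etc/letsencrypt/live/` normally requires root.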
```bash
# Open ports in Linux firewall
sudo ufw allow 'Nginx Full'
sudo ufw status
```
```bash
# Install Certbot from snap and link it into /usr/bin
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
Certbot couldn't reach your domain. Check:
- Does your domain DNS A record point to your server IP?
- Is port 80 open? (Certbot needs it to verify your domain)
- Is Nginx running?
- HTTP = Insecure, plain text
- HTTPS = Encrypted, safe
- Let's Encrypt = Free certificate authority
- Certbot = Tool that gets and installs the certificate
- Certificate expires every 90 days → auto-renewed by Certbot
| Step | Command |
|---|---|
| Install Certbot | sudo apt install certbot python3-certbot-nginx |
| Get certificate | sudo certbot --nginx -d yourdomain.com |
| Test Nginx config | sudo nginx -t |
| Reload Nginx | sudo systemctl reload nginx |
| Test auto-renewal | sudo certbot renew --dry-run |