How Do I Set Up SSL with Let's Encrypt on DigitalOcean?

Secure your DigitalOcean Droplet with free HTTPS certificates from Let's Encrypt using Certbot and auto-renewal.

Why HTTPS?

HTTPS encrypts traffic between your visitors and your server. Browsers mark HTTP sites as "Not Secure," and search engines rank HTTPS pages higher. Let's Encrypt provides free, automated SSL certificates trusted by every major browser.

Prerequisites

  • A Droplet with Nginx installed and running
  • A domain name pointed at your Droplet's IP (A record)
  • Port 80 open (Certbot uses it for domain validation)

Step 1 — Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

The Nginx plugin automatically edits your server blocks to enable SSL.

Step 2 — Obtain a Certificate

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will ask for an email address (used for renewal notices), ask you to agree to the terms of service, and offer to share your email with the EFF. It then validates domain ownership, obtains the certificate, and updates your Nginx config.

Step 3 — Verify HTTPS Works

Open https://yourdomain.com in your browser. You should see a padlock icon. Check the certificate details to confirm it was issued by Let's Encrypt.

Step 4 — Confirm Auto-Renewal

Let's Encrypt certificates expire after 90 days. Certbot installs a systemd timer that renews them automatically. Test the renewal process:

sudo certbot renew --dry-run

If this succeeds without errors, auto-renewal is configured correctly.
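The checks from Steps 3 and 4 can also be scripted so that a failed renewal is noticed before visitors see a certificate warning. The following is an added example, not part of the original tutorial: the function names, the 21-day alert threshold, and the sample certificate data are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with chain and hostname verification on; return the parsed leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def evaluate_cert(cert, expected_names, now=None, min_days=21):
    """Return a list of problems (empty means OK). min_days is an assumed alert threshold."""
    now = now or datetime.now(timezone.utc)
    problems = []

    # issuer is a tuple of RDNs, each a tuple of (field, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"unexpected issuer: {issuer.get('organizationName')!r}")

    # Every name passed to certbot with -d should appear as a DNS SAN (exact match only).
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for name in expected_names:
        if name.lower() not in sans:
            problems.append(f"name not covered: {name}")

    # A short remaining lifetime means the renewal timer is not doing its job.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:
        problems.append(f"expires in {days_left} days ({expires:%Y-%m-%d})")
    return problems


if __name__ == "__main__":
    names = ["yourdomain.com", "www.yourdomain.com"]
    when = datetime(2025, 5, 25, tzinfo=timezone.utc)  # constructed "today"
    print(evaluate_cert(SAMPLE_CERT, names, now=when))
    # Live check: evaluate_cert(fetch_cert(names[0]), names)
```

Run from cron or a monitoring job against the live site, a non-empty result is the signal to inspect the Certbot logs.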

Force HTTPS Redirect

Certbot usually adds a redirect from HTTP to HTTPS. If not, add this to your Nginx config:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

SSL for Non-Nginx Setups

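If you run a standalone app without Nginx, use Certbot in standalone mode. Standalone mode starts its own temporary web server on port 80 for validation, so nothing else can be listening on that port while it runs: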

sudo certbot certonly --standalone -d yourdomain.com

Certificates land in /etc/letsencrypt/live/yourdomain.com/. Configure your app to use fullchain.pem and privkey.pem.

Troubleshooting

  • DNS not propagated: wait until dig yourdomain.com returns your Droplet IP
  • Port 80 blocked: run sudo ufw allow 80 or check DigitalOcean Cloud Firewalls
  • Rate limits: Let's Encrypt allows 50 certificates per domain per week

Once SSL is active, your DigitalOcean site is production-ready for public traffic.