SSL/TLS
Why HTTPS?
- ✅ Encrypted data in transit
- ✅ Browser trust (no warnings)
- ✅ SEO ranking boost
- ✅ Required for modern APIs
Let’s Encrypt + Certbot

```bash
# Install
sudo apt install certbot python3-certbot-nginx

# Get certificate
sudo certbot --nginx -d snapcode.yourdomain.com

# Auto-renewal (already configured)
sudo certbot renew --dry-run
```

Standalone
```bash
# Stop web server first
sudo systemctl stop nginx

# Get certificate
sudo certbot certonly --standalone -d snapcode.yourdomain.com

# Start web server
sudo systemctl start nginx
```

Certificate Locations
```
/etc/letsencrypt/live/snapcode.yourdomain.com/
├── fullchain.pem   # Certificate + chain
├── privkey.pem     # Private key
├── cert.pem        # Certificate only
└── chain.pem       # Chain only
```

Nginx SSL Config
```nginx
server {
    listen 443 ssl http2;
    server_name snapcode.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/snapcode.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/snapcode.yourdomain.com/privkey.pem;

    # Modern SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name snapcode.yourdomain.com;
    return 301 https://$server_name$request_uri;
}
```

Auto-Renewal
```bash
# Test renewal
sudo certbot renew --dry-run

# Cron job (auto-added by certbot)
# 0 0,12 * * * certbot renew --quiet
```

Verify SSL
```bash
# Check certificate
openssl s_client -connect snapcode.yourdomain.com:443

# Check expiry
sudo certbot certificates
```
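To verify that a deployed config still matches the Nginx SSL Config and Certificate Locations sections above, the following is an added example (not part of the original page): a small POSIX shell linter for the four settings shown there. The names `audit_nginx_tls` and `sample_weak_conf` are hypothetical, and the sample config is constructed for illustration.

```bash
# Added example: lint an nginx config against the TLS settings shown on this page.
# Prints one FAIL line per finding; exit status is 0 only when there are none.
audit_nginx_tls() (
    body=$(sed 's/#.*//' "$1")   # drop comments so disabled directives do not count
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # cert.pem is the leaf only; clients that lack the intermediate fail validation.
    has 'ssl_certificate[[:space:]]+[^;]*/fullchain\.pem[[:space:]]*;' ||
        fail "ssl_certificate is not fullchain.pem"

    # Anything other than TLSv1.2 / TLSv1.3 is a legacy protocol.
    protos=$(printf '%s\n' "$body" | grep -Eo 'ssl_protocols[^;]*' | sed 's/ssl_protocols//')
    [ -n "$protos" ] || fail "ssl_protocols not set"
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) fail "legacy protocol enabled: $p" ;;
        esac
    done

    # Without "always", nginx omits the header on error responses.
    has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"[^"]*"[[:space:]]+always[[:space:]]*;' ||
        fail "HSTS header missing or lacks 'always'"

    has 'return[[:space:]]+301[[:space:]]+https://' ||
        fail "no 301 redirect from HTTP to HTTPS"

    [ "$findings" -eq 0 ]
)

# Constructed sample: a deliberately weak variant of the config above.
sample_weak_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name snapcode.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/snapcode.yourdomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/snapcode.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000";
}
EOF
}

# Demo run on the constructed sample (reports five findings).
tmp=$(mktemp); sample_weak_conf > "$tmp"; audit_nginx_tls "$tmp" || echo "config needs fixing"; rm -f "$tmp"
```

Point `audit_nginx_tls` at a site file such as the one certbot edited; it only pattern-matches directives, so `nginx -t` is still the syntax check.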