Digital Universe
Security · 2025-01-30 · 7 min read

Free SSL Certificates on Hetzner with Let's Encrypt

Set up automatic, free SSL/TLS certificates on your Hetzner VPS using Let's Encrypt. Covers Certbot, Traefik, and Coolify auto-SSL.

SSL Is Mandatory in 2025

Every website needs HTTPS. Browsers flag plain-HTTP sites as "Not secure", search engines use HTTPS as a ranking signal, and users don't trust sites without it.

Let's Encrypt provides free, automated TLS certificates (still commonly called "SSL certificates"). Each certificate is valid for 90 days, and the tooling below renews it well before it expires, so the short lifetime costs nothing once automation is in place. Here's how to set it up on a Hetzner server.

Option 1: Certbot (Manual/Standalone)

Best for: Servers running Nginx or Apache directly.

# Install Certbot and the Nginx plugin (use python3-certbot-apache for Apache)
sudo apt install certbot python3-certbot-nginx -y

# Get a certificate and let Certbot edit the Nginx config (HTTP-01 challenge)
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Or standalone: Certbot binds port 80 itself, so nothing else may be listening on it
sudo certbot certonly --standalone -d yourdomain.com

Certbot will:

1. Prove you control the domain (HTTP-01 challenge: Let's Encrypt fetches a token from http://yourdomain.com/.well-known/acme-challenge/ on port 80)

2. Generate a key pair and obtain the certificate, stored under /etc/letsencrypt/live/yourdomain.com/

3. Configure Nginx to use it (with --nginx; with certonly you point ssl_certificate and ssl_certificate_key at those files yourself)

4. Set up automatic renewal: the Debian/Ubuntu package installs a systemd timer (certbot.timer) that runs certbot renew twice a day and renews any certificate with fewer than 30 days left

Verify that renewal would succeed, without actually issuing anything:

sudo certbot renew --dry-run

The dry run talks to the Let's Encrypt staging environment, so it does not count against rate limits. Re-run it whenever you change firewall rules or the web server configuration, because that is when renewals start failing silently.

Option 2: Traefik (Coolify's Default)

If you're using Coolify, certificates are handled automatically by Traefik, the reverse proxy Coolify deploys in front of your applications.

When you add a domain to any Coolify application:

1. Traefik picks up the new router for that hostname

2. Requests a Let's Encrypt certificate via ACME (HTTP-01 on port 80 by default)

3. Terminates HTTPS for the application

4. Renews the certificate in the background before it expires

No manual configuration needed, but two things must already be true when you add the domain: the DNS A record (and AAAA record, if you publish one) must point to the server, and ports 80 and 443 must be reachable from the internet. If the record is not in place yet, the ACME request fails and Traefik keeps retrying, which from the outside looks like "the certificate never arrives". Keep the file Traefik stores certificates in (acme.json) private: it contains the private keys.

Option 3: Caddy

Caddy is a web server with automatic HTTPS built in. The only configuration is the site name and where to send the traffic:

yourdomain.com {
    reverse_proxy localhost:3000
}

Caddy handles the rest: certificate issuance (it tries the TLS-ALPN-01 challenge on port 443 and falls back to HTTP-01 on port 80, so both ports must be open), renewal, OCSP stapling, and HTTP to HTTPS redirects. The certificates and keys live in Caddy's data directory; back it up and protect it the way you would /etc/letsencrypt.

DNS Requirements

For the HTTP-01 challenge used by all three options above, DNS must be in place before you request a certificate:

yourdomain.com    A    YOUR_SERVER_IP
www.yourdomain.com    A    YOUR_SERVER_IP

Add matching AAAA records only if the server actually listens on its IPv6 address: Let's Encrypt prefers IPv6 when an AAAA record exists, so an AAAA record pointing at an address where nothing answers on port 80 is a common cause of failed validation even though IPv4 works.

Let's Encrypt fetches the challenge from several vantage points on the internet, so your server must be reachable on port 80 from anywhere, not just from your own network. On Hetzner Cloud that means allowing inbound TCP 80 (and 443) in the Cloud Firewall if one is attached to the server, and in ufw if you use it.

Wildcard Certificates

For wildcard certs (*.yourdomain.com), you need the DNS-01 challenge instead of HTTP-01:

sudo certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d yourdomain.com

Certbot prints a value and asks you to create a _acme-challenge.yourdomain.com TXT record holding it, then waits for you to confirm. A certificate obtained this way will not renew on its own: certbot renew cannot repeat the manual step unless you supply --manual-auth-hook and --manual-cleanup-hook scripts that create and remove the record. For unattended renewal, use a DNS provider with an API (Cloudflare, Hetzner DNS) together with the matching Certbot DNS plugin or a hook script, and treat the API token as a secret: whoever holds it can obtain certificates for every name in the zone.
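As an added example (not part of the original post), here is the automated variant for Cloudflare using Certbot's python3-certbot-dns-cloudflare plugin. The domain, the credentials path, the CLOUDFLARE_API_TOKEN variable and the propagation delay are assumptions; other providers have equivalent plugins or hook scripts. The creds_file_ok check exists because the token file can rewrite your whole zone, and Certbot will refuse or warn if it is world-readable.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: DNS-01 wildcard issuance with
# Certbot's Cloudflare plugin, gated on the API token file being private.
# Assumptions: domain, credentials path, CLOUDFLARE_API_TOKEN in the environment.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"
CREDS="${CREDS:-/root/.secrets/certbot/cloudflare.ini}"

# Returns 0 when $1 exists, is owned by $2 (default root) and is mode 600 or 400.
# The token inside can edit the zone, which is enough to issue certificates for
# every name in it, so it must not be readable by other local users.
creds_file_ok() {
  local file="$1" owner="${2:-root}" mode
  [ -f "$file" ] || return 1
  [ "$(stat -c '%U' "$file")" = "$owner" ] || return 1   # GNU stat (Linux)
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# One-time setup, run as root. The Cloudflare token needs only Zone:DNS:Edit
# on this zone; do not reuse a global API key.
install_plugin_and_creds() {
  apt-get install -y python3-certbot-dns-cloudflare
  install -d -m 700 "$(dirname "$CREDS")"
  printf 'dns_cloudflare_api_token = %s\n' "$CLOUDFLARE_API_TOKEN" > "$CREDS"
  chmod 600 "$CREDS"
}

# Issue the wildcard plus the apex. Because the plugin creates and removes the
# TXT record itself, certbot.timer can renew this certificate unattended,
# unlike one obtained with --manual.
issue_wildcard() {
  creds_file_ok "$CREDS" root || {
    echo "refusing to run: $CREDS must be root-owned and mode 600" >&2
    return 1
  }
  certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials "$CREDS" \
    --dns-cloudflare-propagation-seconds 30 \
    -d "*.$DOMAIN" -d "$DOMAIN"
}

# Usage: sudo CLOUDFLARE_API_TOKEN=... ./wildcard.sh setup ; sudo ./wildcard.sh issue
case "${1:-}" in
  setup) install_plugin_and_creds ;;
  issue) issue_wildcard ;;
esac
```

Run it once with setup, then with issue; afterwards the certificate renews through the same certbot.timer as any HTTP-01 certificate. If your provider is Hetzner DNS instead of Cloudflare, swap the plugin for a --manual-auth-hook script that talks to the Hetzner DNS API, keeping the same permissions check on whatever file holds the token.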

Common Issues

1. Port 80 blocked: Let's Encrypt needs port 80 reachable from the internet for the HTTP-01 challenge. Check the Hetzner Cloud Firewall and ufw, and make sure nothing else (another proxy, a container you forgot about) holds the port.

2. DNS not propagated: wait for the old record's TTL to pass after DNS changes (typically 5-10 minutes), and confirm with a public resolver (for example by querying 1.1.1.1 with dig) that the name returns your server's IP before you request the certificate.

3. Rate limits: Let's Encrypt allows 50 certificates per registered domain per week, but only 5 duplicate certificates (the same set of names) per week. The duplicate limit is the one you hit by re-running a broken setup over and over; test with --dry-run or --staging until the configuration works.

4. Renewal failures: usually caused by changed firewall rules, a stopped web server, or a second service that has since taken over port 80. A related failure is a renewal that succeeds while the web server is never reloaded, so it keeps serving the old certificate until that one expires.
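The dry run in the Certbot section tells you whether a renewal would work; it does not tell you whether the last one actually did, or whether Nginx picked it up. The following script, an added example that is not part of the original post, checks both for one domain: it warns when the certificate on disk is inside Certbot's 30-day renewal window, and it compares the fingerprint of the file on disk with the fingerprint the server presents on port 443. Assumptions: Certbot's default layout under /etc/letsencrypt/live/, GNU coreutils and OpenSSL on a Linux host.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: is the certificate on disk still
# healthy, and is it the one Nginx actually serves?
# Assumptions: /etc/letsencrypt/live/<domain>/fullchain.pem, GNU date/OpenSSL.
set -eu

# Days until the PEM certificate in $1 expires (integer, rounded down).
cert_days_left() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
  echo $(( ( $(date -u -d "$not_after" +%s) - $(date -u +%s) ) / 86400 ))
}

# True (exit 0) if the certificate in $1 expires within $2 days.
# Certbot renews at 30 days left, so "true" for 30 means renewal is overdue.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Lower-case hex SHA-256 fingerprint of the first certificate in a PEM file.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate the live server presents for $1 (SNI).
# Needs network access, so it is not exercised by the offline checks.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Full check for one domain. A fingerprint mismatch is the "certbot renew
# succeeded but Nginx was never reloaded" case from the list above.
check_domain() {
  local domain="$1" cert="/etc/letsencrypt/live/$1/fullchain.pem" rc=0
  if expires_within_days "$cert" 30; then
    echo "WARN $domain: $(cert_days_left "$cert") days left, renewal is overdue" >&2
    rc=1
  fi
  if [ "$(file_fingerprint "$cert")" != "$(served_fingerprint "$domain")" ]; then
    echo "WARN $domain: served certificate differs from $cert (reload nginx?)" >&2
    rc=1
  fi
  return $rc
}

# Usage: ./check-cert.sh yourdomain.com   (run from cron alongside certbot.timer)
if [ $# -gt 0 ]; then
  check_domain "$1"
fi
```

A non-zero exit from check_domain is what you alert on. The fingerprint comparison also catches a subtler mistake: a vhost whose ssl_certificate still points at an old, manually copied file rather than the /etc/letsencrypt/live/ symlink, which renews on disk but never on the wire.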

Security Headers

Once HTTPS is working, add security headers:

# In your Nginx config (server block)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Two caveats. The always flag makes Nginx send the headers on error responses too, not only on 2xx and 3xx; keep it. And add_header is not inherited additively: if a location block contains its own add_header, it replaces the whole set from the server block, so either keep every header at server level or repeat the full list in each location that sets one. Treat HSTS with care as well: includeSubDomains and preload commit every subdomain (mail., api., anything you add later) to HTTPS for two years in browsers that have seen the header, and once you submit the domain to the preload list that is effectively permanent. Start with a short max-age and without preload until every subdomain serves a valid certificate.
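To show the headers in context, here is a complete Nginx vhost, added as an example and not taken from the post or from Certbot's generated config. Assumptions: the domain is yourdomain.com, the certificate was issued with certbot certonly --webroot -w /var/www/letsencrypt, and the application listens on 127.0.0.1:3000.

```nginx
# Added example, not the post's own configuration.
# Assumptions: yourdomain.com, Certbot webroot at /var/www/letsencrypt,
# application on 127.0.0.1:3000.

server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Serve HTTP-01 challenge files so renewals keep working
    # after everything else is redirected to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # Certbot keeps these symlinks pointing at the newest certificate.
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # TLS 1.2+ only; with a modern cipher set the client's preference is fine.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # default ticket key only rotates on restart

    # Headers from the post. They stay at server level on purpose: an
    # add_header inside a location would replace this whole set, not add to it.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with nginx -t and reload rather than restart. Because this vhost uses certonly rather than the --nginx plugin, Nginx does not know when Certbot has renewed; add --deploy-hook "systemctl reload nginx" to the certonly command (Certbot remembers it for renewals) so the new certificate is actually served.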

Our setup guide covers SSL configuration in context — including how Coolify's Traefik handles certificates when coexisting with Mailcow's Nginx.

Tags: ssl, tls, lets-encrypt, hetzner, https

Want the Complete Setup Guide?

This blog post covers the basics. Our premium guide includes step-by-step commands, exact configurations, and the solutions to every gotcha we encountered.