Back to blog
Guides

Free SSL for all your websites: how Let's Encrypt works (and how to automate it)

Paying for SSL certificates has made no sense since 2016. Let's Encrypt issues them free — but the real work is renewing them every 90 days, forever, without downtime. Here's how TLS and ACME actually work, how to fix the common errors, and how to make renewal something you never think about.

S
ShadowPanel Team
6 min read

There was a time when an SSL certificate was a line item — €50 to €200 a year, per domain, bought from a reseller and installed by hand. Since Let's Encrypt launched in 2016, that's simply over. HTTPS is now free, automatable, and expected: browsers mark plain HTTP as "Not secure," and Google treats HTTPS as a ranking signal. If you're still paying for a basic domain-validated certificate in 2026, you're paying for nothing.

But "free" hides the real work. A Let's Encrypt certificate is only valid for 90 days. The value was never the certificate — it's keeping every site's certificate renewed, forever, without a 3 a.m. outage when one silently expires. This article explains how TLS and Let's Encrypt actually work, how to fix the errors everyone hits, and how to make renewal a problem you never have to think about again.

A 60-second refresher: what TLS actually does

When a browser connects over HTTPS, TLS (the successor to SSL — we still say "SSL" out of habit) does two jobs:

  • Encryption — nobody between the browser and your server can read the traffic. Passwords, sessions and form data stay private on any network.
  • Identity — a certificate, signed by a trusted Certificate Authority (CA), proves the server really is example.com and not an impostor. That's what the padlock means.

A certificate is just a public key plus some identity claims, cryptographically signed by a CA the browser already trusts. The hard part historically was getting a CA to sign it — that meant money and manual steps. Let's Encrypt automated exactly that.

How Let's Encrypt proves you own the domain (ACME)

Let's Encrypt is a free, automated CA. It won't sign a certificate for example.com until you prove you control that domain, and it does so through a protocol called ACME. There are two ways to pass the challenge:

  • HTTP-01 — the CA asks your server to place a specific token file at http://yourdomain/.well-known/acme-challenge/…. It fetches that URL; if the token is there, you clearly control the site. This needs port 80 reachable and works for one hostname at a time.
  • DNS-01 — the CA asks you to publish a specific TXT record at _acme-challenge.yourdomain. It queries DNS; if the record matches, you're validated. This one doesn't need an open web server and is the only way to get a wildcard certificate (*.yourdomain).

Once validated, the CA signs your certificate. A client like certbot automates the whole dance — request, prove, receive, install — and can reload your web server so the new cert goes live with no downtime.

Renewal is the actual job

Here's the part people underestimate. That 90-day lifetime is deliberate: short-lived certificates limit the damage of a stolen key and force automation. But it means every certificate must be renewed roughly every 60 days (you renew before expiry, not on the day). Miss it, and visitors get a full-page browser warning — the kind that makes people leave and never come back.

The standard advice is a cron job running certbot renew twice a day; certbot only actually renews certs inside the 30-day window. That works — until it doesn't: a renewal fails silently because port 80 got firewalled, or a DNS record changed, or a stale certbot lock file blocks the run, and nobody notices until the cert expires. Renewal isn't hard; noticing a failed renewal is where sites get burned.

The errors everyone hits (and the fix)

  • "Timeout during connect" / HTTP-01 fails — the CA couldn't reach port 80. Check your firewall (UFW/cloud firewall) allows inbound 80, and that the domain's DNS actually points at this server.
  • "DNS problem: NXDOMAIN" / record not found — the domain doesn't resolve yet, or you're issuing before propagation. Wait for DNS to propagate; for DNS-01, confirm the _acme-challenge TXT record is live before validating.
  • CAA record forbids issuance — a CAA DNS record on your domain restricts which CAs may issue. Add letsencrypt.org to it, or remove the restrictive record.
  • "Too many certificates already issued" (rate limit) — Let's Encrypt limits certificates per registered domain per week. While testing, use the staging environment so you don't burn your production quota, then switch to production once it works.
  • Renewed cert, but the site still serves the old one — the web server wasn't reloaded after renewal. The renewal must trigger an nginx -s reload (or equivalent) to pick up the new certificate.

None of these is exotic. But diagnosing them across a dozen sites, by hand, is exactly the kind of recurring toil a control panel exists to remove.

Doing this by hand is fiddly — automate it away

Wiring up certbot, choosing the right challenge, opening port 80, scripting a renewal cron, making it reload nginx, and monitoring that renewals actually succeed — for every domain, forever — is a lot of moving parts to keep correct. That's the repetitive, easy-to-forget work a panel should own.

ShadowPanel makes SSL a non-event:

  • One-click issuance. Point a domain at your server and issue a free Let's Encrypt certificate for it — the panel runs certbot, handles the challenge, and reloads nginx so HTTPS is live immediately.
  • Automatic renewal, monitored. A scheduled worker checks daily and renews any certificate within 30 days of expiry — well ahead of the deadline. It clears stale certbot locks before each run, so a leftover lock file can't quietly block renewal, and it records failures instead of failing silently.
  • Wildcard support for *.yourdomain via DNS validation, so every subdomain is covered by one certificate.
  • Free on every tier. SSL isn't a paid upsell — every site you host gets encrypted HTTPS at no extra cost, on the Free tier included.

The result: you issue once, and renewal simply never becomes your problem. That reliability matters most when you host many sites — see hosting multiple client sites on one VPS, where one expired certificate is one unhappy client.

The bottom line

Free SSL isn't the achievement anymore — Let's Encrypt settled that in 2016. The real work is renewing a 90-day certificate for every site, forever, and knowing when a renewal fails before your visitors do. Understand the two ACME challenges, keep port 80 (or your DNS records) healthy, and above all automate renewal with monitoring. ShadowPanel does all of that by default, free on every tier, so HTTPS is something you set once and never think about again.

curl -fsSL https://shadowpanel.de/install.sh | bash

See pricing and download →

We use cookies

We use cookies to improve your experience and remember your preferences. You can manage your choices below. Learn more.

ShadowPanel

Manage your cookie preferences below. Essential cookies are always active as they are required for the website to function.

Essential

Required for the site to work. These include session authentication and CSRF protection. Cannot be disabled.

Always on

Functional

Remembers your language preference so you do not need to reselect it on every visit.

Analytics

Helps us understand how visitors use the site so we can improve it. No personal data is sold.

Marketing

Used by Google Ads to measure ad conversions and improve campaign targeting. No personal data is sold.