The clearest explanation of the TLS handshake, certificates, and why HTTPS matters. Read this to understand what Certbot is actually doing for you. cloudflare.com/learning →
HTTP sends data as plaintext. Anyone on the path between you and the server (your ISP, a coffee shop router, a government) can read and modify every request, including passwords, session tokens, and API keys. HTTPS runs the same HTTP over TLS (Transport Layer Security), which encrypts and authenticates the connection.
In 2025, HTTPS is not optional. Browsers mark HTTP sites as "Not Secure." Google treats HTTPS as a ranking signal. Many APIs refuse to communicate over HTTP. You will always use HTTPS.
SSL is the old protocol, with known breaks in every version. TLS is its successor. When people say "SSL certificate" they mean a TLS certificate; the terms are used interchangeably in practice. The protocol underneath should be TLS 1.2 or 1.3 in 2025: TLS 1.0 and 1.1 were formally deprecated (RFC 8996) and modern browsers refuse them.
When your browser connects to https://yourapp.com, this happens before any data is exchanged:
The certificate proves identity (this server really is yourapp.com). The key exchange and the symmetric encryption that follows protect confidentiality and integrity (nobody can read or silently tamper with the data). Both are required for HTTPS to be trustworthy: encryption without identity just means you have a private conversation with whoever answered, possibly an attacker.
A TLS certificate is a file that says: "I certify that this public key belongs to yourapp.com" (the names it covers are listed in its Subject Alternative Name extension), signed by a Certificate Authority (CA) that browsers trust. Common CAs include Let's Encrypt (free), DigiCert, Sectigo (formerly Comodo), and Amazon's ACM.
| Type | Covers | Use case |
|---|---|---|
| DV (Domain Validated) | Proof of control over the domain only | 99% of web apps; Let's Encrypt issues DV only |
| OV (Organization Validated) | Same + organisation identity vetted | Corporate sites that want the org name in the certificate |
| EV (Extended Validation) | Same + rigorous vetting | Banks, payment processors (browsers dropped the EV address-bar UI in 2019, so mostly obsolete) |
| Wildcard (*.domain.com) | One level of subdomains: api.yourapp.com, cdn.yourapp.com, but not a.b.yourapp.com or yourapp.com itself | A scope, not a validation level; available at DV or OV. Let's Encrypt issues wildcards only via the DNS-01 challenge |
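What "the certificate proves identity" means on the client side, as an added example (not code from the page or from any of the tools it names): a hardened `ssl` context beside the common anti-pattern that keeps the encryption but drops the identity check, and the SAN/wildcard matching rule a browser applies. `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns, and `connect_and_get_cert` is a hypothetical helper for live use; neither comes from the page.

```python
"""Added example: a TLS client's identity checks, standard library only."""
import socket
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """Anti-pattern: the link is encrypted, but any on-path attacker with a
    self-signed certificate can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store, require the name
    to match the certificate, and refuse the deprecated TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The three settings worth auditing in any client code."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


# Constructed sample in getpeercert() format (not a real certificate):
# a DV certificate for yourapp.com that also carries a wildcard SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourapp.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "yourapp.com"), ("DNS", "*.yourapp.com")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Apr  1 00:00:00 2030 GMT",
}


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact match, or a '*' that is the whole
    leftmost label and stands for exactly one label. Rejects '*.com' and
    never lets '*.yourapp.com' cover a.b.yourapp.com or yourapp.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """The identity check: the hostname must appear in the SAN list.
    Modern clients ignore the CN entirely, so a cert with no DNS SANs fails."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_pattern_matches(p, hostname) for p in dns_names)


def connect_and_get_cert(host: str, port: int = 443,
                         ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Live use only (needs network). With hardened_context() a bad chain or
    a name mismatch raises ssl.SSLCertVerificationError during the handshake."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("yourapp.com", "api.yourapp.com", "a.b.yourapp.com", "yourapp.com.evil.net"):
        print(f"{name:24} covered by SAMPLE_CERT: {hostname_matches(SAMPLE_CERT, name)}")
    print(context_summary(hardened_context()))
```

If you ever see `verify_mode = CERT_NONE` or `check_hostname = False` in application code, that is the "encryption without identity" case from the paragraph above: the TLS padlock is still on, but the server could be anyone.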
Let's Encrypt is a non-profit CA that issues free DV certificates. It's automated via the ACME protocol. The certbot tool handles everything: requesting, validating, issuing, and renewing certificates automatically.
```bash
# Install Certbot (Ubuntu with snap)
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Get a certificate + auto-configure Nginx
sudo certbot --nginx -d yourapp.com -d www.yourapp.com

# Renew all certificates (runs automatically via the timer/cron job Certbot installs)
sudo certbot renew

# Test the renewal process without actually renewing
sudo certbot renew --dry-run

# List all certificates
sudo certbot certificates
```
After running certbot --nginx, Certbot modifies your Nginx config to add the certificate and key paths and set up HTTP→HTTPS redirects automatically. The default HTTP-01 validation requires port 80 on your server to be reachable from the internet; a wildcard certificate instead needs the DNS-01 challenge (a TXT record, usually via a Certbot DNS plugin). Certificates expire after 90 days. Certbot's timer runs certbot renew twice a day, and a certificate is actually renewed once it is within 30 days of expiry.
Let's Encrypt rate-limits issuance: 50 certificates per registered domain per week, and 5 duplicate certificates (the exact same set of names) per week, which is the limit you hit when re-running the same command while debugging. If you're testing, use the --staging flag (alias --test-cert) to get certificates from the staging CA: they are not browser-trusted, but they come with much higher limits.
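Renewal is what silently breaks in practice, so an independent check of days-to-expiry is worth having next to `certbot renew --dry-run`. The script below is an added example (not Certbot's code): it turns the `notAfter` string that `getpeercert()` reports into days remaining and applies the same 30-day window Certbot uses. `check_host` is a hypothetical live helper that needs network access; the date strings in the tests are constructed.

```python
"""Added example: certificate expiry check with the same 30-day window Certbot renews at."""
import socket
import ssl
import sys
import time
from typing import Optional

RENEW_BEFORE_DAYS = 30  # Certbot's default renewal window


def parse_cert_time(cert_time: str) -> int:
    """OpenSSL text form as returned in getpeercert()['notAfter'],
    e.g. 'Apr  1 00:00:00 2030 GMT', to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Whole days left; negative once the certificate has already expired."""
    expiry = parse_cert_time(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def needs_renewal(days_left: int, threshold: int = RENEW_BEFORE_DAYS) -> bool:
    """True inside the renewal window, including when already expired."""
    return days_left <= threshold


def check_host(host: str, port: int = 443) -> dict:
    """Live use only: handshake with full verification and report expiry.
    A chain or hostname failure raises before any expiry arithmetic runs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days = days_until_expiry(cert["notAfter"])
    return {"host": host, "not_after": cert["notAfter"],
            "days_left": days, "renew": needs_renewal(days)}


if __name__ == "__main__":
    # Usage: python check_expiry.py yourapp.com www.yourapp.com
    exit_code = 0
    for host in sys.argv[1:] or ["yourapp.com"]:
        result = check_host(host)
        print(result)
        if result["renew"]:
            exit_code = 1  # non-zero so a cron job or monitor can alert
    sys.exit(exit_code)
```

Run it from a monitoring host rather than the server itself: if the Certbot timer is broken, a check that lives on the same box is usually broken for the same reason.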
If you use Cloudflare in front of your server, Cloudflare handles the HTTPS between the user and Cloudflare's edge automatically — even if your origin server only speaks HTTP. This is the Flexible SSL mode (not recommended for production).
For production, use Full (Strict): the user ↔ Cloudflare leg uses Cloudflare's edge certificate; the Cloudflare ↔ your server leg uses a certificate on your origin that Cloudflare can validate (a Certbot/Let's Encrypt or ACM-issued cert, or a free Cloudflare Origin CA cert, which only Cloudflare's edge trusts). Both legs are encrypted and authenticated.
| Mode | User→Cloudflare | Cloudflare→Server | Recommendation |
|---|---|---|---|
| Off | HTTP | HTTP | Never |
| Flexible | HTTPS | HTTP | Never (plaintext between Cloudflare and your origin while the user still sees a padlock) |
| Full | HTTPS | HTTPS (self-signed OK) | Avoid (origin cert is not validated, so the Cloudflare→origin leg can be intercepted) |
| Full (Strict) | HTTPS | HTTPS (valid cert required) | ✓ Always use this |
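The origin side of a Full (Strict) setup, as an added example (not from the page or from Cloudflare's documentation): port 80 only redirects, so a Flexible-mode misconfiguration at Cloudflare would at least never be served application content in plaintext, and the 443 block presents the Certbot certificate that Full (Strict) validates. The certificate paths follow Certbot's default layout under /etc/letsencrypt/live/; the app port 3000 and the path /etc/nginx/cloudflare-origin-pull-ca.pem are assumptions. The last two `ssl_` directives enable Cloudflare's Authenticated Origin Pulls (the edge presents a client certificate), which is optional hardening beyond Full (Strict): it stops anyone who discovers the origin IP from bypassing Cloudflare, and needs Cloudflare's origin-pull CA certificate downloaded to that path and the feature switched on in the dashboard.

```nginx
# Added example: Nginx origin config behind Cloudflare Full (Strict).

# Plain HTTP: redirect only. Never put the proxy_pass here, or Flexible mode
# (or a direct hit on the origin IP) serves the whole app in plaintext.
server {
    listen 80;
    server_name yourapp.com www.yourapp.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourapp.com www.yourapp.com;

    # Issued by Certbot (default live/ layout); fullchain.pem includes the
    # intermediate so Cloudflare can build the chain during validation.
    ssl_certificate     /etc/letsencrypt/live/yourapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourapp.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Optional: Authenticated Origin Pulls. Assumed path for Cloudflare's
    # origin-pull CA; with this on, connections without Cloudflare's client
    # certificate are rejected at the handshake.
    ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed app port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Test the origin independently of Cloudflare before flipping the mode: `curl -v https://yourapp.com --resolve yourapp.com:443:ORIGIN_IP` should complete the handshake with a valid chain (or, with origin pulls enabled, be refused for lacking a client certificate), which is exactly the check Full (Strict) performs on every request.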