## Install Certbot ```bash sudo apt install certbot python3-certbot-nginx ``` ## Obtain Certificate ```bash sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com ``` Certbot automatically edits your Nginx config and sets up auto-renewal. ## Manual Nginx SSL Config If you prefer to manage Nginx yourself: ```nginx server { listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_session_cache shared:SSL:10m; } ``` ## Django HTTPS Settings ```python SECURE_SSL_REDIRECT = True SECURE_HSTS_SECONDS = 31536000 SECURE_HSTS_INCLUDE_SUBDOMAINS = True SECURE_HSTS_PRELOAD = True SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True ``` ## Auto-Renewal Certbot installs a systemd timer automatically. Verify it: ```bash sudo systemctl status certbot.timer sudo certbot renew --dry-run ``` Certificates renew automatically 30 days before expiry.