Configuring Let's Encrypt for your web server is now a critical task for any website operator. This guide outlines the essential steps to deploy a trusted certificate using the official ACME client.
Prerequisites and Initial Setup
Before starting the configuration, ensure your VPS has a public IP address and that your domain points to it. You will need administrator rights and an HTTP daemon like Caddy. The Certbot package must be installed from your OS repository. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
The most common method is to use the DNS plugin. The `--apache` or `--nginx` plugin can modify your web server configuration file for you. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This initiates the domain verification process. If you prefer manual control, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This creates a validation file in your web directory.
Web Server Configuration Adjustments
After obtaining the certificate, your virtual host must point to the key and certificate files. For Apache, the usual directives are:
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP traffic to HTTPS. A 301 redirect is recommended. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates last 90 days. The client configures a cron job to renew them without manual intervention. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Review your system logs for errors. If the renewal fails, check for DNS issues.
Security Hardening (Optional but Recommended)
To boost security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your server block. Also, disable SSLv3 and use strong cipher suites. A robust TLS configuration protects your visitors from attacks on outdated protocols and weak ciphers.
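An added example, not part of the original guide: a small Python audit that checks an Nginx configuration for the settings discussed above (certificate and key under `/etc/letsencrypt/live/`, the 301 redirect, HSTS with `always`, no SSLv3). The Nginx directive names `ssl_certificate`, `ssl_certificate_key` and `ssl_protocols`, the `audit` function, its finding codes and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from a real server).
WEAK = """
server {
    listen 80;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1.2;
    add_header Strict-Transport-Security "max-age=300";
}
"""
HARDENED = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def audit(conf, domain="example.com"):
    """Return sorted finding codes (hypothetical names) for the guide's checks."""
    conf = re.sub(r"#.*", "", conf)  # ignore commented-out directives
    live = re.escape(f"/etc/letsencrypt/live/{domain}/")
    findings = []
    # fullchain.pem carries the intermediate certificates; cert.pem is the leaf only.
    if not re.search(rf"ssl_certificate\s+{live}fullchain\.pem\s*;", conf):
        findings.append("cert-not-fullchain")
    if not re.search(rf"ssl_certificate_key\s+{live}privkey\.pem\s*;", conf):
        findings.append("key-path")
    if not re.search(r"return\s+301\s+https://\$host\$request_uri\s*;", conf):
        findings.append("no-301-redirect")
    protocols = re.search(r"ssl_protocols\s+([^;]+);", conf)
    if protocols and "SSLv3" in protocols.group(1).split():
        findings.append("sslv3-enabled")
    hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"max-age=(\d+)[^"]*"\s*(always)?\s*;', conf)
    if not hsts or int(hsts.group(1)) < 31536000 or not hsts.group(2):
        findings.append("hsts-weak-or-missing")
    return sorted(findings)
```

Calling `audit(WEAK)` reports every deviation from the guide's settings, while `audit(HARDENED)` returns an empty list.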
By following these steps, your site will be protected with a free Let's Encrypt certificate, providing trust for every request.