Configuring Let's Encrypt for your HTTP server is now standard practice for any site owner. This guide outlines the key steps to deploy a trusted certificate using automated tools.
Prerequisites and Initial Setup
Before starting the configuration, ensure your VPS has a reachable domain pointing to it. You will need sudo privileges and an HTTP daemon like Apache. The Certbot package must be installed via your distribution's package manager. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
The recommended method is to use the webroot plugin. Alternatively, the `--apache` or `--nginx` plugin can modify your web server configuration file for you. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the domain validation. If you prefer a non-intrusive method, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file in your public folder and leaves your server configuration untouched.
Web Server Configuration Adjustments
After obtaining the certificate, you must modify your site configuration to reference the certificate and key file locations. For Nginx, the standard directives are listed below (Apache uses `SSLCertificateFile` and `SSLCertificateKeyFile` with the same paths):
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you enable redirection from HTTP to HTTPS. A 301 redirect is recommended. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates expire after 90 days. The client sets up a scheduled task to renew them automatically. To verify the renewal process, run: `sudo certbot renew --dry-run`. Monitor your server logs for errors. If the renewal fails, check for DNS issues.
Security Hardening (Optional but Recommended)
To boost security, implement HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your server block. Also, disable SSLv3 and enable modern ciphers. A solid configuration secures your visitors from MITM threats.
By adhering to these instructions, your site will be protected with an automated Let's Encrypt certificate, providing trust for every connection.