Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your web server is now standard practice for any website operator. This guide outlines the essential steps to obtain a publicly trusted certificate with Certbot, install it in Nginx or Apache, and keep it renewed.

Prerequisites and Initial Setup

Before beginning, verify that a DNS name resolves to your server's public IP address and that port 80 is reachable from the internet; the HTTP-01 challenge used below depends on both. You will need root access and an HTTP daemon such as Nginx or Apache. Install the Certbot client from your distribution's package manager: on Debian or Ubuntu, run `sudo apt install certbot` (add `python3-certbot-nginx` or `python3-certbot-apache` if you want the web server plugin); on RHEL-family systems, the package comes from EPEL, via `sudo dnf install certbot` (or `yum` on older releases).

Obtaining the Certificate

The simplest method is the web server plugin: `--nginx` for Nginx or `--apache` for Apache. It completes the ACME challenge and edits your server block or virtual host for you. Run: `sudo certbot --nginx -d example.com -d www.example.com` (or `sudo certbot --apache ...`). This starts the ACME HTTP-01 challenge: Let's Encrypt fetches a token from `http://example.com/.well-known/acme-challenge/` to prove you control the name. If you prefer a method that does not touch your configuration, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places the token under `.well-known/acme-challenge/` inside the given webroot, so that directory must be served over plain HTTP. A third option, `--standalone`, runs Certbot's own temporary web server on port 80 and only suits hosts where nothing else is listening there.

Web Server Configuration Adjustments

After receiving the certificate, point your site configuration at the files Certbot wrote. Use `fullchain.pem` (leaf plus intermediate), not `cert.pem`, or clients will fail to build the chain. The paths under `live/` are symlinks that Certbot repoints on every renewal, so reference them in place rather than copying the files elsewhere, and leave `privkey.pem` readable by root only (Certbot's default); the server reads it at startup before dropping privileges. For Apache, the typical directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

The Nginx equivalents are:

  • ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`

Ensure you redirect HTTP to HTTPS with a permanent (301) redirect. In Nginx, put `return 301 https://$host$request_uri;` in the port-80 server block; in Apache, use `Redirect permanent / https://example.com/` or `RewriteEngine On` with a `RewriteRule` in the port-80 virtual host. Let's Encrypt's HTTP-01 validation follows redirects, so the redirect itself does not break renewals, but serving `/.well-known/acme-challenge/` directly over HTTP keeps renewals independent of the HTTPS configuration.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The packaged client installs a systemd timer or cron job that runs `certbot renew` twice a day and renews any certificate within 30 days of expiry, without manual intervention. To simulate the renewal process against the staging environment, run: `sudo certbot renew --dry-run`. A renewed certificate is only picked up once the web server reloads, so add a deploy hook (a script in `/etc/letsencrypt/renewal-hooks/deploy/`, or `--deploy-hook`) that reloads Nginx or Apache. Check `/var/log/letsencrypt/letsencrypt.log` for issues. If a renewal fails, confirm that DNS still points at this host, that port 80 is reachable from the internet, and that the challenge path is still served.
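The two things that go wrong in practice are a renewal that succeeds on disk but never reaches the running web server, and a renewal timer that has been failing silently for weeks. The script below is an added example, not code from the article or from Certbot: it installs a deploy hook that reloads Nginx after a successful renewal, and it checks the certificate actually presented on port 443 so a stalled renewal is caught while there are still days to fix it. It assumes Nginx under systemd, GNU `date`, and `openssl` in `PATH`; the host names and the 20-day threshold are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original article: a deploy hook so the web
# server actually loads renewed files, plus an external check that the
# certificate being served is not approaching expiry (a silent renewal failure
# shows up here long before browsers start complaining).
# Assumptions (not from the article): Nginx under systemd, GNU date, openssl.

# Whole days between now and an OpenSSL notAfter value such as
# "Mar 10 12:00:00 2026 GMT". Negative means the certificate already expired.
# Returns 2 on empty or unparseable input instead of silently reporting 0.
days_left() {
    [ -n "$1" ] || return 2
    expiry_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# notAfter of the certificate presented on host:443, with SNI set to the host
# so a multi-site server returns the right certificate. Needs network access.
served_not_after() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate \
        | sed 's/^notAfter=//'
}

# Returns 0 when the served certificate has at least $2 days left (default 20).
# Certbot renews 30 days before expiry, so anything below ~20 means the
# renewal timer has been failing and needs attention.
check_served_cert() {
    host="$1"; threshold="${2:-20}"
    days=$(days_left "$(served_not_after "$host")") || return 2
    if [ "$days" -lt "$threshold" ]; then
        echo "WARNING: $host certificate expires in $days days" >&2
        return 1
    fi
    echo "OK: $host certificate valid for $days more days"
}

# Certbot runs every executable in renewal-hooks/deploy after a successful
# renewal; this one validates the config and then reloads Nginx. The hook
# directory is a parameter so the function can be exercised in a scratch
# location without touching /etc.
install_reload_hook() {
    hook_dir="${1:-/etc/letsencrypt/renewal-hooks/deploy}"
    mkdir -p "$hook_dir"
    cat > "$hook_dir/reload-nginx.sh" <<'EOF'
#!/bin/sh
nginx -t && systemctl reload nginx
EOF
    chmod 755 "$hook_dir/reload-nginx.sh"
}

# Usage on the server (as root), and from a cron job or monitoring agent:
#   install_reload_hook
#   check_served_cert example.com || echo "investigate renewals on example.com"
```

Run `check_served_cert` from a different machine than the web server where possible: it then also catches a host whose timer is fine but whose port 443 is no longer reachable.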

Security Hardening (Optional but Recommended)

To boost security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the HTTPS server block rather than a location block: in Nginx, an `add_header` inside a location replaces every header inherited from the server level. Only enable it once HTTPS is verified to work, because browsers cache `max-age` and a broken HTTPS setup then locks users out for the full year. Disable TLS 1.0 and 1.1 (`ssl_protocols TLSv1.2 TLSv1.3;` in Nginx, `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache) and restrict TLS 1.2 to ECDHE suites with AEAD ciphers. Verify the deployed configuration with an external TLS scanner rather than trusting the config file alone.
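The pieces from the Obtaining, Web Server Configuration and Security Hardening sections fit together in one site file. The function below is an added example (not code from the article, Certbot or Nginx) that writes such a file for a domain issued with `certbot certonly --webroot -w /var/www/html`: an HTTP block that serves the ACME challenge path and redirects everything else, and an HTTPS block with Certbot's `live/` paths, TLS 1.2/1.3 only, ECDHE AEAD suites and HSTS at server level. It assumes Debian's `/etc/nginx/sites-available` layout and the default `/etc/letsencrypt/live` paths; the output path is a parameter so the function can be exercised in a scratch location.

```shell
#!/bin/sh
# Added example, not part of the original article: writes a complete Nginx
# site file for a domain issued with `certbot certonly --webroot -w
# /var/www/html`. Assumptions (not from the article): Debian-style
# /etc/nginx/sites-available layout and Certbot's default /etc/letsencrypt/live
# paths; change the roots and paths to match your host.

write_nginx_site() {
    domain="$1"
    out="${2:-/etc/nginx/sites-available/$domain}"
    # Quoted heredoc keeps Nginx variables such as $host literal; the domain
    # placeholder is substituted by sed on the way to the output file.
    sed "s/__DOMAIN__/$domain/g" > "$out" <<'EOF'
# Port 80: serve ACME HTTP-01 challenges from the webroot, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__ www.__DOMAIN__;

    # Kept on plain HTTP so renewals do not depend on the 443 block being
    # healthy (Let's Encrypt follows redirects, but an expired or broken
    # HTTPS vhost should not be able to block the fix for itself).
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the actual site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name __DOMAIN__ www.__DOMAIN__;

    # live/ holds symlinks that Certbot repoints on renewal: reference them,
    # never copy the files elsewhere.
    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;

    # TLS 1.0 and 1.1 off; ECDHE key exchange with AEAD ciphers only for 1.2
    # (1.3 suites are fixed by the protocol and are not listed here).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS belongs in the server block; an add_header inside a location would
    # replace every header inherited from here. Confirm HTTPS works before
    # shipping this line: browsers cache max-age for the whole year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
EOF
}

# Usage on the server (as root), then enable the site and reload:
#   write_nginx_site example.com
#   ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
#   nginx -t && systemctl reload nginx
```

Always run `nginx -t` before reloading: a typo in the site file leaves the old configuration running, but a reload that fails after a certificate renewal is exactly the case the monitoring check earlier is meant to catch.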

By following these steps, traffic to your site will be encrypted with a free Let's Encrypt certificate that browsers trust. Keep in mind that this authenticates the host and protects data in transit; it does not make the application behind it secure.
