Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your web server is now a critical task for any site owner. This guide outlines the key procedures to deploy a valid certificate using the official ACME client.

Prerequisites and Initial Setup

Before beginning, confirm that your domain name resolves to the public IP address of your VPS. You will need sudo privileges and a running web server such as Caddy, Apache or Nginx. Certbot must be installed from your distribution's package manager: on Debian/Ubuntu, run `sudo apt install certbot`; on RHEL-based systems, run `sudo yum install certbot`.

Obtaining the Certificate

The simplest method is to let Certbot's web-server plugin do the work: `--apache` for Apache or `--nginx` for Nginx, which automatically modifies your virtual host. Run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers domain validation (the HTTP-01 challenge). If you prefer to keep manual control over your configuration, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file under `/.well-known/acme-challenge/` in your web root, which Let's Encrypt fetches over port 80.

Web Server Configuration Adjustments

After obtaining the certificate, point your site configuration at the issued files. For Nginx, the directives are:

  • `ssl_certificate`: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • `ssl_certificate_key`: `/etc/letsencrypt/live/example.com/privkey.pem`

(The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`.)

Redirect all plain HTTP traffic to HTTPS; a permanent 301 redirect is best practice. In Nginx, add `return 301 https://$host$request_uri;` to the server block listening on port 80; in Apache, use `RewriteEngine On` with a `RewriteRule` instead.

Automated Renewal and Verification

Let's Encrypt certificates expire after 90 days. The Certbot package installs a systemd timer that attempts renewal on a regular basis. To test the renewal process without issuing anything, run: `sudo certbot renew --dry-run`. Review your system logs for errors. If renewal fails, check that port 80 is reachable from the internet, since a firewall blocking it is a common cause.

Security Hardening (Optional but Recommended)

To boost security, enable HSTS (HTTP Strict Transport Security) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your virtual host. Also disable TLS 1.0 (and 1.1) and allow only TLS 1.2 and 1.3. A solid configuration protects your clients from protocol downgrade attacks.

By following these steps, your site is served with a free, trusted Let's Encrypt certificate on every session.
