Configuring Let's Encrypt for your HTTP server is now a critical task for any webmaster. This guide outlines the core configuration steps to deploy a trusted certificate using Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, ensure your domain's DNS record points to the public IP of your VPS. You will need root access and a running web server such as Apache or Nginx. Install the Certbot package from your OS repository, for example `sudo apt install certbot` on Debian/Ubuntu or `sudo yum install certbot` on RHEL-based systems.
Obtaining the Certificate
The simplest method is to use a web server plugin: the `--apache` or `--nginx` plugin obtains the certificate and directly modifies your configuration file. Run: `sudo certbot --apache -d example.com -d www.example.com` (or `--nginx` for Nginx). This initiates the ACME challenge. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file under `/.well-known/acme-challenge/` in your document root, which must be reachable over plain HTTP.
Web Server Configuration Adjustments
After obtaining the certificate, you must tweak your site configuration to use the correct paths. For Nginx, the usual directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP to HTTPS; a 301 (permanent) redirect is best practice. For Nginx, insert `return 301 https://$host$request_uri;` in the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. The Certbot package installs a cron job or systemd timer that renews them without manual intervention. To test the renewal process, run: `sudo certbot renew --dry-run`. Review your server logs for errors. If renewal fails, check that a firewall is not blocking the validation request.
Security Hardening (Optional but Recommended)
To enhance security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your virtual host. Also disable outdated TLS versions and keep only current protocols enabled. Such a configuration protects your clients from man-in-the-middle (MITM) attacks.
By following these steps, your site will be served with a free Let's Encrypt certificate, giving every connection confidentiality and integrity.