Configuring Let's Encrypt for your HTTP server is now a critical task for any website operator. This guide outlines the core configurations to deploy a trusted certificate using Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, ensure your VPS has a public DNS record pointing to it. You will need root (sudo) rights and a web server such as Nginx or Apache. The Let's Encrypt client, Certbot, must be installed from your OS repository. For example, on Debian or Ubuntu run `sudo apt install certbot`; on CentOS run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to let Certbot configure the web server for you: the `--apache` or `--nginx` plugin obtains the certificate and modifies your virtual host or server block in place. Run: `sudo certbot --apache -d example.com -d www.example.com`. Certbot then performs the domain validation (the HTTP-01 challenge). If you prefer a non-intrusive method that leaves your configuration untouched, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file under your document root for Let's Encrypt to fetch. The `--standalone` plugin, which answers the validation on port 80 itself, is only an option when no web server is running yet.
Web Server Configuration Adjustments
After Certbot has obtained the certificate, you must modify your virtual host to reference the files it stores under `/etc/letsencrypt/live/example.com/`. For Nginx, the directives are:
- `ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;`
- `ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;`
The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`, pointing at the same two files.
Ensure you also redirect plain HTTP to HTTPS; a permanent (301) redirect is recommended. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates last 90 days. Certbot installs a systemd timer (or a cron job, depending on the package) that renews them automatically. To simulate the renewal process without touching the live certificate, run: `sudo certbot renew --dry-run`. Check the Certbot logs for errors. If the renewal encounters a problem, investigate DNS issues first: the domain must still resolve to this server for validation to succeed.
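A failed renewal only becomes visible when the certificate expires, so it is worth checking the remaining lifetime independently of the timer. The following shell script is an added example, not part of this guide or of Certbot: it parses the `notAfter` date that `openssl x509 -enddate` prints, reports the days left, and warns below Certbot's default 30-day renewal threshold. It assumes Certbot's `/etc/letsencrypt/live/<domain>/fullchain.pem` layout and that `openssl` and `date` are installed; the timestamps at the bottom are constructed samples so the script runs without a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Certbot.
# Reports how many days a certificate has left so that a renewal that
# silently failed is noticed well before the site goes down.
# Assumes Certbot's file layout; the timestamps at the bottom are constructed.

# to_epoch: convert an openssl-style "Mon DD HH:MM:SS YYYY GMT" timestamp to
# seconds since the epoch, trying GNU date first and then BSD/macOS date.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -u -j -f '%b %d %H:%M:%S %Y %Z' "$1" +%s 2>/dev/null
}

# days_until_expiry: takes the "notAfter=..." line printed by
# `openssl x509 -noout -enddate` and echoes whole days remaining
# (negative once the certificate has already expired).
days_until_expiry() {
    not_after=${1#notAfter=}
    end=$(to_epoch "$not_after") || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# cert_days_left: same, but reads the certificate file with openssl.
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 1
    days_until_expiry "$enddate"
}

# check_renewal CERT_FILE: exit 0 when more than WARN_DAYS remain, 1 otherwise.
# Certbot renews 30 days before expiry by default, so less than that means the
# timer did not run or the renewal failed; the log path is Certbot's default.
WARN_DAYS=${WARN_DAYS:-30}
check_renewal() {
    days=$(cert_days_left "$1") || { echo "could not read $1"; return 1; }
    if [ "$days" -le "$WARN_DAYS" ]; then
        echo "WARNING: $1 expires in $days day(s); check /var/log/letsencrypt/letsencrypt.log"
        return 1
    fi
    echo "OK: $1 expires in $days day(s)"
}

# Stand-alone demonstration on constructed timestamps (no certificate needed):
# a far-future date gives a large positive number, a past date a negative one.
days_until_expiry "notAfter=Jan  1 00:00:00 2037 GMT"
days_until_expiry "notAfter=Jan  1 00:00:00 2000 GMT"
```

On a live server, call `check_renewal /etc/letsencrypt/live/example.com/fullchain.pem` from a daily cron job or monitoring check; a non-zero exit means the renewal timer needs attention even though the site is still up.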
Security Hardening (Optional but Recommended)
To improve security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx server block. Also disable outdated TLS versions and allow only current protocols. A solid configuration safeguards your visitors from downgrade attacks.
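The certificate paths, the HTTP-to-HTTPS redirect and the hardening settings above are easy to get partly right, so here is an added shell example (not from this guide, Certbot or Nginx) that holds two constructed Nginx server blocks, one before and one after applying those settings, plus a small audit function that checks a config for each of them. `example.com` and the `/etc/letsencrypt/live/...` paths are placeholders in Certbot's default layout; the checks are plain pattern matches on the text, not an Nginx parser.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Certbot/Nginx.
# Audits an Nginx server block for the TLS settings the guide recommends.
# Both configs below are constructed samples; example.com is a placeholder and
# the /etc/letsencrypt/live/... paths follow Certbot's default layout.

# Before hardening: old protocols enabled, no HSTS, no HTTP-to-HTTPS redirect.
WEAK_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
)

# After hardening: permanent redirect, TLS 1.2/1.3 only, HSTS header.
HARDENED_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
)

# has_directive PATTERN: true when the config being audited contains a line
# matching the extended regex PATTERN.
has_directive() {
    printf '%s\n' "$AUDIT_CONF" | grep -Eq "$1"
}

# fail MESSAGE: print and count one failed check.
fail() {
    echo "FAIL: $1"
    AUDIT_FAILS=$((AUDIT_FAILS + 1))
}

# audit_nginx_tls: reads an Nginx config on stdin, prints one FAIL line per
# missing or unsafe setting and returns the number of failures (0 = clean).
audit_nginx_tls() {
    AUDIT_CONF=$(cat)
    AUDIT_FAILS=0
    has_directive '^[[:space:]]*ssl_certificate[[:space:]]+[^[:space:]]*fullchain\.pem;' \
        || fail "ssl_certificate should reference Certbot's fullchain.pem"
    has_directive '^[[:space:]]*ssl_certificate_key[[:space:]]+[^[:space:]]*privkey\.pem;' \
        || fail "ssl_certificate_key should reference Certbot's privkey.pem"
    if ! has_directive '^[[:space:]]*ssl_protocols[[:space:]]'; then
        fail "ssl_protocols is not set; the build's default applies"
    elif has_directive '^[[:space:]]*ssl_protocols[[:space:]].*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)'; then
        fail "ssl_protocols still allows SSLv3/TLS 1.0/TLS 1.1; use TLSv1.2 TLSv1.3"
    fi
    has_directive '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]' \
        || fail "no Strict-Transport-Security (HSTS) header"
    has_directive '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' \
        || fail "no permanent HTTP-to-HTTPS redirect (return 301 https://...)"
    return "$AUDIT_FAILS"
}

# Stand-alone demonstration: the weak block reports three problems
# (old protocols, no HSTS, no redirect), the hardened block none.
echo "== weak config =="
printf '%s\n' "$WEAK_CONF" | audit_nginx_tls || echo "$? problem(s) found"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONF" | audit_nginx_tls && echo "all checks passed"
```

To audit a real server block, pipe the file in instead of the sample: `audit_nginx_tls < /etc/nginx/sites-enabled/example.com`. The function reads the whole config, so the redirect check is satisfied by the port-80 block even though the TLS directives live in the port-443 block.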
By implementing these guidelines, your application will be protected with an automatically renewed Let's Encrypt certificate that browsers trust on every request.