Configuring Let's Encrypt for your HTTP server is now a fundamental step for any site owner. This guide outlines the essential steps to deploy a valid certificate using Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, confirm that a DNS record for your domain points to your VPS. You will need sudo privileges and an HTTP daemon such as Apache. The Certbot package must be installed via your distribution's package manager. For example, run `sudo apt install certbot` on Debian, or `sudo yum install certbot` on distributions that use yum.
Obtaining the Certificate
The recommended method is to use the plugin that matches your web server. For Apache or Nginx, the `--apache` or `--nginx` plugin can automatically modify your virtual host. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers the ACME challenge. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This creates a challenge token in your document root and leaves your server configuration untouched.
Web Server Configuration Adjustments
After receiving the certificate, you must adjust your virtual host or server block to point to the key and certificate files. For Apache, the usual directives are:
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Make sure HTTP requests are redirected to HTTPS. A permanent redirect is recommended. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates last 90 days. Certbot sets up a cron job to renew them on a regular basis. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Monitor your Certbot logs for warnings. If the renewal fails, check for firewall issues first.
Security Hardening (Optional but Recommended)
To improve security, implement HSTS. On Nginx, add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block. Also, disable SSLv3 and enable strong cipher suites. A solid configuration protects your visitors from known protocol vulnerabilities.
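One way to check an Nginx configuration against the points in this guide (301 redirect, full-chain certificate file, no SSLv3, HSTS with `always`). This is an added example, not part of the original guide: the function names, finding labels and both sample configurations are constructed for illustration, and the parser is a simple regex pass rather than a full Nginx parser.

```python
import re

# Constructed sample configs (not from the original guide): one weak, one hardened.
WEAK_CONF = """
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1.2;
}
"""
HARDENED_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def directives(conf, name):
    """Return the arguments of every `name ...;` directive (quoted ';' is kept)."""
    body = re.sub(r"#[^\n]*", "", conf)  # drop comments
    return re.findall(r'^\s*%s\s+((?:"[^"]*"|[^;"])+);' % re.escape(name), body, re.M)

def audit(conf):
    """Return a sorted list of findings for the checks this guide describes."""
    findings = []
    if not any(re.match(r"301\s+https://", a) for a in directives(conf, "return")):
        findings.append("no-301-redirect-to-https")
    if not any(a.strip().endswith("/fullchain.pem") for a in directives(conf, "ssl_certificate")):
        findings.append("ssl_certificate-not-fullchain")
    if "SSLv3" in " ".join(directives(conf, "ssl_protocols")).split():
        findings.append("sslv3-enabled")
    hsts = [a for a in directives(conf, "add_header") if a.startswith("Strict-Transport-Security")]
    m = re.search(r"max-age=(\d+)", " ".join(hsts))
    if not m or int(m.group(1)) < 31536000:
        findings.append("hsts-missing-or-short")
    elif not any(a.rstrip().endswith("always") for a in hsts):
        findings.append("hsts-without-always")
    return sorted(findings)
```

Run `audit()` on the text of your own site configuration after each change; an empty list means all four checks passed.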
By implementing these instructions, your web server will be secured with an automatically renewed Let's Encrypt certificate, guaranteeing more privacy for every session.