Configuring Let's Encrypt for your web server is now a standard practice for any site owner. This guide outlines the key procedures to deploy a secure certificate using the official ACME client.
Prerequisites and Initial Setup
Before starting the configuration, verify that your domain's DNS record points to the public IP address of your VPS. You will need sudo privileges and a web server such as Apache or Nginx. Install the Certbot client from your distribution's package manager: on Debian/Ubuntu, run `sudo apt install certbot`; on RHEL-based systems, run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to let Certbot's web server plugin do the work. The `--apache` or `--nginx` plugin obtains the certificate and modifies your virtual host for you. Run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers domain validation. If you prefer manual control over the server configuration, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file under `/.well-known/acme-challenge/` in the web root you specify, which the Let's Encrypt validation servers fetch over HTTP to confirm you control the domain.
Web Server Configuration Adjustments
After obtaining the certificate, update your server block to reference the certificate files Certbot wrote. For Nginx, the usual directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`. Use `fullchain.pem` rather than `cert.pem` so that the intermediate certificate is served along with your own.
Ensure that plain HTTP requests are redirected to HTTPS; a 301 redirect is recommended. For Nginx, include `return 301 https://$host$request_uri;` in the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule` to the https:// URL.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. The Certbot package sets up a systemd timer that renews them automatically. To verify that renewal will work, run: `sudo certbot renew --dry-run`. Monitor your system logs for errors. If renewal fails, check for DNS problems first, such as the domain no longer resolving to this server.
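A deploy hook for the renewal step, as an added example rather than code from the guide: Certbot runs executables placed in `/etc/letsencrypt/renewal-hooks/deploy/` after each successful renewal, exporting `RENEWED_LINEAGE` (the `live/<name>` directory) and `RENEWED_DOMAINS`. Whether you need one depends on how the certificate was obtained: the `--nginx` and `--apache` plugins reload the server themselves, but the webroot flow does not, so the renewed certificate is not served until the web server reloads. The script assumes Nginx managed by systemd; the function names are mine, and the sample lineage built in `demo()` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the guide: a Certbot deploy hook for the webroot
# flow. Certbot runs executables in /etc/letsencrypt/renewal-hooks/deploy/ after
# each successful renewal with RENEWED_LINEAGE (the live/<name> directory) and
# RENEWED_DOMAINS exported. Assumes Nginx managed by systemd; function names and
# the sample lineage built in demo() are constructed for this example.
set -u

# check_lineage DIR: sanity-check a renewed lineage before reloading the server.
# Returns 0 when fullchain.pem and privkey.pem are present and non-empty, the
# key looks like PEM, and the key is not readable by group or others.
check_lineage() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            return 1
        fi
    done
    # ls -L follows Certbot's live/ -> archive/ symlinks. Columns 5-10 of the
    # mode string are the group and other bits; a private key should show none.
    perms=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "privkey.pem is readable by group or others (mode bits: $perms)"
        return 1
    fi
    if ! grep -q 'PRIVATE KEY-----' "$dir/privkey.pem"; then
        echo "privkey.pem does not look like a PEM private key"
        return 1
    fi
    return 0
}

# reload_nginx: test the full configuration first so a broken config never
# takes the site down during an unattended renewal.
reload_nginx() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
        logger -t certbot-deploy "reloaded nginx for ${RENEWED_DOMAINS:-unknown domains}"
    else
        logger -t certbot-deploy "nginx -t failed; not reloading"
        return 1
    fi
}

# run_hook: what Certbot executes; refuses to reload if the lineage looks wrong.
run_hook() {
    if ! check_lineage "$RENEWED_LINEAGE"; then
        logger -t certbot-deploy "lineage check failed for $RENEWED_LINEAGE; not reloading nginx"
        return 1
    fi
    reload_nginx
}

# demo: build a constructed lineage in a temp dir and show both outcomes.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder-not-a-real-cert' '-----END CERTIFICATE-----' > "$tmp/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder-not-a-real-key' '-----END PRIVATE KEY-----' > "$tmp/privkey.pem"
    chmod 600 "$tmp/privkey.pem"
    if check_lineage "$tmp"; then echo "0600 key: lineage accepted"; fi
    chmod 644 "$tmp/privkey.pem"
    if ! check_lineage "$tmp"; then echo "0644 key: lineage rejected, nginx would not be reloaded"; fi
    rm -rf "$tmp"
}

# Run as a hook when Certbot invoked us; otherwise show the demonstration.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
else
    demo
fi
```

Install it as an executable file in the deploy hook directory and exercise it with `sudo certbot renew --dry-run`, which runs deploy hooks against the staging certificates; a non-zero exit from the hook shows up in Certbot's output, which is the place to look when renewal succeeds but the site keeps serving the old certificate.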
Security Hardening (Optional but Recommended)
To enhance security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block (or the relevant location block). Because browsers remember this header for the full max-age, confirm that HTTPS works for every covered subdomain before enabling `includeSubDomains`. Also disable TLS 1.0 and allow only current TLS versions. A robust configuration protects your visitors' connections from downgrade and interception.
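The server-block settings from the two sections above (certificate paths, the 301 redirect, HSTS, disabling TLS 1.0), as an added example that is not part of the original guide: a weak and a hardened Nginx server block, both constructed here, and a small POSIX shell lint that flags the weak settings. It relies only on `sed` and `grep`, so it runs without nginx installed. The `ssl_protocols TLSv1.2 TLSv1.3;` line and the ACME-challenge location in the hardened block are my additions rather than directives the guide states.

```shell
#!/bin/sh
# Added example, not code from the guide: lint an Nginx server block for the
# TLS settings discussed above. Uses only sed and grep, so it runs without
# nginx installed. Sample configs below are constructed for the demonstration.

# Constructed sample: certificate paths wired in, nothing else hardened.
WEAK_CONF='
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /var/www/html;
}
'

# Constructed sample: the same site with the guide's recommendations applied.
# The ssl_protocols line and the ACME-challenge location are additions here.
HARDENED_CONF='
server {
    listen 80;
    server_name example.com www.example.com;
    # Keep the ACME webroot reachable over plain HTTP so renewals keep working.
    location /.well-known/acme-challenge/ { root /var/www/html; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/html;
}
'

# lint_tls_config CONFIG_TEXT
# Prints one "FAIL: ..." line per weak or missing setting. Returns 0 when the
# configuration passes every check, 1 otherwise.
lint_tls_config() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*$//')   # drop comments before matching
    fails=0
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]*fullchain\.pem'; then
        echo "FAIL: ssl_certificate should point at fullchain.pem so the intermediate is served"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+[^;]*privkey\.pem'; then
        echo "FAIL: ssl_certificate_key missing or not pointing at privkey.pem"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]'; then
        echo "FAIL: ssl_protocols not set; accepted versions fall back to the build defaults"
        fails=$((fails + 1))
    # TLSv1 or TLSv1.1 followed by a space, ';' or end of line (TLSv1.2/1.3 do not match).
    elif printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
        echo "FAIL: ssl_protocols still enables TLS 1.0 or 1.1"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+[^"]*"[[:space:]]+always'; then
        echo "FAIL: no Strict-Transport-Security header with the always flag"
        fails=$((fails + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "FAIL: no 301 redirect from HTTP to HTTPS"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# count_findings CONFIG_TEXT: number of FAIL lines (always exits 0).
count_findings() {
    lint_tls_config "$1" | grep -c '^FAIL:' || true
}

# Run the lint over both constructed samples.
for label in weak hardened; do
    if [ "$label" = weak ]; then conf_text=$WEAK_CONF; else conf_text=$HARDENED_CONF; fi
    echo "== $label server block =="
    if lint_tls_config "$conf_text"; then echo "PASS: all checks satisfied"; fi
done
```

The weak block yields three findings (TLS 1.0/1.1 still enabled, no HSTS header, no redirect) and the hardened block none. The lint is deliberately text-based and reads the server block you feed it, so run it on the file you actually edited and keep `nginx -t` as the authoritative syntax check before reloading.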
By adhering to these guidelines, your web server will be protected with an automatically renewed Let's Encrypt certificate, providing integrity for every connection.