Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your HTTP server is now a standard practice for any website operator. This guide outlines the key procedures to set up a trusted certificate using automated tools.

Prerequisites and Initial Setup

Before starting the configuration, confirm that your VPS has a DNS record pointing to it. You will need root (or sudo) rights and a running HTTP daemon such as Apache, Nginx or Caddy. The Let's Encrypt client, certbot, is installed from your OS repository: on Debian or Ubuntu run `sudo apt install certbot`; on CentOS run `sudo yum install certbot`.

Obtaining the Certificate

The most common approaches are the webroot plugin and the web server plugins. With Apache or Nginx, the `--apache` or `--nginx` plugin can directly modify your virtual host. Run: `sudo certbot --apache -d example.com -d www.example.com` (or `--nginx` for Nginx). This initiates the ACME challenge, in which Let's Encrypt verifies that you control the domain before issuing. If you prefer a non-intrusive method that leaves your server configuration untouched, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge token in your web directory, which Let's Encrypt fetches over HTTP to complete the validation.

Web Server Configuration Adjustments

After receiving the certificate, you must update your virtual host to reference the certificate chain and the private key. For Apache, the standard directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

For Nginx, the equivalent directives are `ssl_certificate` and `ssl_certificate_key`, pointing at the same two files.

Ensure you redirect plain HTTP to HTTPS; a permanent 301 redirect is best practice. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` together with a `RewriteRule` that sends the request to the HTTPS URL.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The certbot package installs a cron job (or systemd timer) that attempts renewal on a regular schedule. To test the renewal process without issuing a real certificate, run: `sudo certbot renew --dry-run`. Monitor your server logs for errors. If renewal fails, check that the challenge can be reached from the internet, for example that a firewall is not blocking inbound HTTP.

Security Hardening (Optional but Recommended)

To enhance security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block (Nginx syntax). Also disable SSLv3 and other obsolete protocols, offering only current TLS versions. A hardened configuration protects your clients from man-in-the-middle (MITM) attacks; HSTS in particular tells browsers to use HTTPS for every later visit, so they never fall back to plain HTTP.
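The pieces described above (the webroot challenge, the certificate paths, the 301 redirect, HSTS and the protocol choice) combined into one Nginx configuration, as an added example that is not part of the original guide. It assumes Nginx, the webroot `/var/www/html` and the `example.com` certificate paths used in this article.

```nginx
# Added example (not from the original guide). Assumed: Nginx, certbot webroot
# at /var/www/html, certificate files under /etc/letsencrypt/live/example.com/.

# Plain-HTTP server: answers the ACME challenge and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve the tokens that "certbot certonly --webroot -w /var/www/html" writes
    # directly over HTTP, so renewals keep working even if the HTTPS vhost is broken.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything else: permanent redirect to HTTPS (the 301 from the guide).
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: references the files certbot maintains and renews.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak setting the guide tells you to avoid, kept commented out for contrast:
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: offer only TLS 1.2 and 1.3; SSLv3 and TLS 1.0/1.1 are not negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS for one year including subdomains; "always" also sends it on error responses.
    # Enable only once every subdomain is reachable over HTTPS, since browsers cache it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
```

Run `nginx -t` after editing to validate the syntax, then reload Nginx so the new server blocks take effect.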

By following these instructions, your site will be secured with an automatically renewed Let's Encrypt certificate, ensuring privacy for every request.
