Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Obtaining a Let's Encrypt certificate for your web server is now standard practice for any website operator. This guide outlines the essential steps to deploy a certificate using Certbot, the ACME client that Let's Encrypt recommends (it is maintained by the EFF, not by Let's Encrypt itself).

Prerequisites and Initial Setup

Before starting, make sure the domain you want a certificate for has a DNS A record (and an AAAA record, if the host has IPv6) pointing to your server's public IP, and that port 80 is reachable from the internet: Let's Encrypt proves that you control the domain by connecting to it, so a firewall or a stale DNS record is the most common reason issuance fails. You will need root access and a web server such as Apache or Nginx. Install Certbot from your OS repository. On Debian/Ubuntu: `sudo apt install certbot` (add `python3-certbot-apache` or `python3-certbot-nginx` if you want the web server plugins). On RHEL/CentOS (with EPEL enabled) or Fedora: `sudo dnf install certbot` (or `sudo yum install certbot` on older releases). Certbot's own instructions recommend the snap package, which is kept more current than most distribution packages; either works for the steps below.

Obtaining the Certificate

The most common method is the HTTP-01 challenge driven by a web server plugin: `--apache` for Apache, `--nginx` for Nginx. The plugin answers the challenge and can also edit your virtual host for you. Run: `sudo certbot --apache -d example.com -d www.example.com`. Every name you pass with `-d` is validated separately, so each must resolve to this server. If you prefer that Certbot not touch your configuration, use `certonly` with the webroot authenticator: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file under `/.well-known/acme-challenge/` in your document root, which Let's Encrypt fetches over plain HTTP on port 80; that path must be served without authentication. The DNS-01 challenge (the `--dns-*` plugins, or `--manual --preferred-challenges dns`) is needed only for wildcard certificates or for hosts that are not reachable on port 80.

Web Server Configuration Adjustments

After the certificate has been issued, point your virtual host at the key and certificate files under `/etc/letsencrypt/live/example.com/`. These are symlinks that Certbot repoints on every renewal, so reference them rather than the numbered files in `archive/`. For Nginx, the directives are:

  • ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`

The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`; Apache 2.4.8 and later read the intermediate chain from `fullchain.pem`, so `SSLCertificateChainFile` is no longer needed. Use `fullchain.pem`, not `cert.pem`: the latter omits the intermediate certificate, and many clients will then fail to build a chain to the root and reject the connection.

Also redirect HTTP to HTTPS; a permanent (301) redirect is standard. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 `server` block. For Apache, use `Redirect permanent / https://example.com/` or `RewriteEngine On` with a `RewriteRule`. Let's Encrypt's validator follows redirects, so the challenge path may be redirected as long as the HTTPS site then serves it, but excluding `/.well-known/acme-challenge/` from the redirect is the simplest way to keep renewals independent of your TLS configuration.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The distribution packages install a systemd timer (`certbot.timer` on Debian/Ubuntu) or a cron job that runs `certbot renew` twice a day; a certificate is actually renewed only when fewer than 30 days remain, so the frequent runs are harmless. Verify the setup with `sudo certbot renew --dry-run`, which performs a complete renewal against the Let's Encrypt staging environment without replacing anything. After a real renewal the web server must load the new files: the `--apache` and `--nginx` installers reload the server for you, but with `certonly --webroot` you must add a reload command yourself as a deploy hook (a script in `/etc/letsencrypt/renewal-hooks/deploy/` or the `--deploy-hook` option), otherwise the old certificate stays in memory until the next restart. If the dry run fails, read `/var/log/letsencrypt/letsencrypt.log` and check the usual causes: a DNS record that no longer points at this host, port 80 blocked or redirected somewhere that does not serve the challenge, or a webroot path that has changed since issuance.

Security Hardening (Optional but Recommended)

To improve security, enable HTTP Strict Transport Security (HSTS) with `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the HTTPS `server` block (Apache: `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`). The `always` keyword makes Nginx send the header on error responses as well. Be aware of Nginx's inheritance rule: a `location` that declares any `add_header` of its own discards the ones set in the enclosing `server` block, so such a location must repeat the HSTS line. Roll HSTS out carefully: browsers cache the policy for `max-age` seconds and refuse plain HTTP to the host (and, with `includeSubDomains`, to every subdomain) until it expires, so start with a short `max-age` and raise it to a year only once everything is confirmed to work over HTTPS. Also restrict the protocol versions: SSLv3 and TLS 1.0/1.1 are obsolete, so allow only TLS 1.2 and 1.3 (`ssl_protocols TLSv1.2 TLSv1.3;` in Nginx, `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache). A correct configuration protects your users from eavesdropping and man-in-the-middle attacks.
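The whole procedure in one script, as an added example that is not part of the original guide: it installs Certbot on Debian/Ubuntu, obtains the certificate with the webroot authenticator, writes an Nginx virtual host with the HTTP-to-HTTPS redirect (challenge path excluded), TLS 1.2/1.3 only and HSTS, installs a deploy hook that reloads Nginx after each real renewal, runs the dry run, and then checks the result from the outside. It assumes Nginx already serves the domain on port 80 from `/var/www/html`, a Debian-style `/etc/nginx/sites-enabled` layout, root privileges, and a contact address of `admin@<domain>`; those paths and the address are assumptions, not values from the guide.

```bash
#!/bin/sh
# Added example, not part of the original guide: end-to-end Let's Encrypt
# deployment for Nginx with Certbot's webroot authenticator. Assumed (not from
# the guide): Debian/Ubuntu, Nginx already serving the domain on port 80 from
# $WEBROOT, a Debian-style sites-enabled layout, root privileges.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"                  # assumed document root
CONF_DIR="${CONF_DIR:-/etc/nginx/sites-enabled}"     # assumed Nginx layout
HOOK_DIR="/etc/letsencrypt/renewal-hooks/deploy"     # Certbot runs scripts here after a real renewal

# Build the HSTS header value. Use a short max-age while testing; raise it to a
# year (31536000) and add includeSubDomains only once every (sub)domain is known
# to work over HTTPS, because browsers cache the policy until it expires.
hsts_header() {
  local max_age="${1:-31536000}" subdomains="${2:-no}"
  local v="max-age=${max_age}"
  if [ "$subdomains" = "yes" ]; then v="${v}; includeSubDomains"; fi
  printf '%s\n' "$v"
}

# Render a complete Nginx vhost: the port-80 server keeps serving the ACME
# challenge path over plain HTTP (so renewals never depend on the TLS setup)
# and redirects everything else; the TLS server uses the live/ symlinks that
# Certbot repoints on every renewal.
render_nginx_vhost() {
  local domain="$1" webroot="$2" hsts="$3"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};

    location /.well-known/acme-challenge/ {
        root ${webroot};
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain} www.${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # "always": send the header on error responses too
    add_header Strict-Transport-Security "${hsts}" always;

    root ${webroot};
    index index.html;
}
EOF
}

# Obtain the certificate, write the vhost, install the reload hook, test renewal.
deploy() {
  local domain="$1" email="${2:-admin@$1}"   # contact address is an assumption
  apt-get install -y certbot                 # dnf/yum install certbot on RHEL-family systems
  certbot certonly --webroot -w "$WEBROOT" -d "$domain" -d "www.${domain}" \
    --non-interactive --agree-tos -m "$email"
  render_nginx_vhost "$domain" "$WEBROOT" "$(hsts_header 300 no)" \
    > "${CONF_DIR}/${domain}.conf"
  install -d "$HOOK_DIR"
  cat > "${HOOK_DIR}/reload-nginx.sh" <<'EOF'
#!/bin/sh
# Deploy hook: Certbot runs this only when a certificate was actually renewed.
nginx -t && systemctl reload nginx
EOF
  chmod 755 "${HOOK_DIR}/reload-nginx.sh"
  nginx -t                                   # set -e aborts here on a broken config
  systemctl reload nginx
  certbot renew --dry-run                    # full renewal against staging, nothing replaced
  systemctl list-timers certbot.timer --no-pager   # Debian/Ubuntu ship this timer
}

# Outside-in checks: redirect in place, HSTS sent, more than 30 days left on the
# live certificate (Certbot renews below 30 days, so less means renewals are not running).
verify() {
  local domain="$1"
  curl -sSI "http://${domain}/" | grep -i '^location: https://'
  curl -sSI "https://${domain}/" | grep -i '^strict-transport-security:'
  echo | openssl s_client -servername "$domain" -connect "${domain}:443" 2>/dev/null \
    | openssl x509 -noout -checkend 2592000 \
    || { echo "certificate expires within 30 days: check certbot.timer and the log" >&2; return 1; }
}

# No arguments: only define the functions (so the file can be sourced or tested).
[ $# -eq 0 ] || { deploy "$1"; verify "$1"; }
```

Run it as `sudo ./le-deploy.sh example.com` (optionally with a contact address as the second argument). The HSTS max-age is deliberately written as 300 seconds; once the site has been served over HTTPS for a while without problems, rewrite the vhost with `hsts_header 31536000 yes` and reload.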

By following these steps, your site will be protected with a free Let's Encrypt certificate that renews itself, and every request will be served over an authenticated, encrypted connection.
