Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your HTTP server is now standard practice for any webmaster. This guide outlines the key procedures to set up a trusted certificate using the official ACME client, certbot.

Prerequisites and Initial Setup

Before beginning the configuration, confirm that a public DNS name resolves to your VPS. You will need administrator rights and an HTTP daemon such as Apache, Nginx or Caddy (the examples below use Apache and Nginx). Install the Let's Encrypt client package via your distribution's package manager, for example `sudo apt install certbot` on Debian/Ubuntu or `sudo yum install certbot` on CentOS.

Obtaining the Certificate

The simplest method is to let certbot edit the web server for you: the `--apache` or `--nginx` plugin obtains the certificate and modifies your virtual host in one step. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the domain validation. If you prefer manual control, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file under `/.well-known/acme-challenge/` in your web directory, which Let's Encrypt fetches over plain HTTP (port 80) to prove you control the domain, and leaves the server configuration untouched.

Web Server Configuration Adjustments

After obtaining the certificate, you must adjust your site configuration to point to the certificate and key files that certbot wrote. For Nginx, the standard directives are:

  • `ssl_certificate`: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • `ssl_certificate_key`: `/etc/letsencrypt/live/example.com/privkey.pem`

Ensure you redirect plain HTTP to HTTPS. A 301 redirect is recommended. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` together with a `RewriteRule` in the port-80 virtual host.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The client package installs a systemd timer (or cron job) that renews them without manual intervention. To test the renewal process, run: `sudo certbot renew --dry-run`. Check your server logs for warnings. If the renewal fails, check that port 80 is reachable through your firewall, since the HTTP challenge is served there.

Security Hardening (Optional but Recommended)

To enhance security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block. Also disable TLS 1.0 and 1.1 and allow only TLS 1.2 and 1.3. A secure configuration protects your visitors from man-in-the-middle attacks.

By implementing these steps, your site will be served with a free Let's Encrypt certificate, protecting every session in transit.
