Configuring Let's Encrypt for your HTTP server is now standard practice for any site owner. This guide outlines the essential steps to set up a trusted certificate using Certbot.
Prerequisites and Initial Setup
Before starting the configuration, confirm that a DNS record points to your VPS. You will need administrator rights and a web server such as Nginx. The Let's Encrypt client package, Certbot, must be installed from your OS repository. For example, on Ubuntu, run `sudo apt install certbot`; on yum-based distributions, run `sudo yum install certbot`.
Obtaining the Certificate
The recommended method is to use the standalone plugin. For Apache or Nginx, the matching `--apache` or `--nginx` plugin can automatically modify your virtual host. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the verification process. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file in your public folder.
Web Server Configuration Adjustments
After receiving the certificate, you must update your server block to use the correct paths. For Nginx, the typical directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A 301 redirect is recommended. For Nginx, add `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates last 90 days. Certbot sets up a scheduled task to renew them without manual intervention. To test the renewal process, run: `sudo certbot renew --dry-run`. Review your certbot logs for issues. If the renewal does not work, check for DNS issues.
Security Hardening (Optional but Recommended)
To enhance security, implement HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your virtual host. Also, disable SSLv3 and use secure protocols. A robust configuration protects your visitors from vulnerabilities.
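The certificate paths, redirect, HSTS header and protocol settings described above can be checked mechanically against an Nginx config file. The script below is an added example, not part of the original guide; the function names `audit_nginx_tls` and `sample_conf` and both sample configurations are constructed for illustration.

```bash
# Added example: audit an Nginx config for the settings described in this guide.
# Function names and sample configs are constructed for illustration.

audit_nginx_tls() {
    # Prints one finding per line; prints nothing when every check passes.
    _active=$(sed 's/#.*//' "$1")   # ignore commented-out directives
    has() { printf '%s\n' "$_active" | grep -Eq "$1"; }

    has '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem;' \
        || echo "ssl_certificate is not the Let's Encrypt fullchain.pem"
    has '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem;' \
        || echo "ssl_certificate_key is not the Let's Encrypt privkey.pem"
    has 'return[[:space:]]+301[[:space:]]+https://' \
        || echo "no 301 redirect from HTTP to HTTPS"
    has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+[^"]*"[[:space:]]+always;' \
        || echo "HSTS header missing or not sent with 'always'"
    if has 'ssl_protocols[^;]*SSLv[23]'; then
        echo "ssl_protocols still enables SSLv2/SSLv3"
    fi
    return 0
}

sample_conf() {
    # Constructed sample config; "$1" is the ssl_protocols value to embed.
    cat <<EOF
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols $1;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

tmp=$(mktemp -d)
sample_conf "TLSv1.2 TLSv1.3" > "$tmp/good.conf"
# Weak variant: SSLv3 listed, redirect commented out, HSTS sent without "always".
sample_conf "SSLv3 TLSv1.2" |
    sed -e 's/^\( *\)return 301/\1# return 301/' -e 's/" always;/";/' > "$tmp/weak.conf"
echo "good.conf:"; audit_nginx_tls "$tmp/good.conf"
echo "weak.conf:"; audit_nginx_tls "$tmp/weak.conf"
```

The checks are line-based pattern matches on a single file, so they do not follow `include` directives.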
By adhering to these instructions, your application will be encrypted with a free Let's Encrypt certificate, guaranteeing privacy for every session.