Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your HTTP server is now a critical task for any webmaster. This guide outlines the essential steps to integrate a secure certificate using Certbot.

Prerequisites and Initial Setup

Before starting the configuration, confirm that a DNS record for your domain points to the VPS. You will need root access and a web server such as Apache or Nginx. Install the Certbot package with your distribution's package manager, for example `sudo apt install certbot` on Debian/Ubuntu or `sudo yum install certbot` on CentOS.

Obtaining the Certificate

The most common method is to use a web-server plugin: the `--apache` or `--nginx` plugin can directly modify your virtual host. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts domain validation. If you prefer manual control over the server configuration, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation token in your document root, which the web server must serve over plain HTTP.

Web Server Configuration Adjustments

After obtaining the certificate, you must tweak your server block to point to the locations of the certificate and key files. For Apache, the usual directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

Ensure you enable redirection from HTTP to HTTPS. A 301 redirect is best practice. For Nginx, include `return 301 https://$host$request_uri;` in the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates expire after 90 days. Certbot installs a cron job that renews them automatically. To verify the renewal process without issuing a real certificate, run: `sudo certbot renew --dry-run`. Review your system logs for issues. If renewal fails, check that port 80 is reachable from the internet, since validation uses it.
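The following script is added here as an example and is not part of the original guide or of Certbot: it sanity-checks the files in a Certbot live directory before they are wired into the server block (days until expiry, number of certificates in the chain, and that `privkey.pem` matches the certificate). It assumes GNU `date` and `openssl` are available, and the 30-day threshold mirrors Certbot's default renewal window.

```shell
#!/usr/bin/env bash
# Added example, not Certbot's own tooling: check a live directory such as
# /etc/letsencrypt/live/example.com before pointing the web server at it.
# Assumes GNU date (for -d) and the openssl CLI.
set -u

# Print days until the first certificate in $1 expires (negative if expired).
days_until_expiry() {
    local enddate epoch_end epoch_now
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 1
    enddate=${enddate#notAfter=}
    epoch_end=$(date -u -d "$enddate" +%s) || return 1
    epoch_now=$(date -u +%s)
    echo $(( (epoch_end - epoch_now) / 86400 ))
}

# Count PEM certificates in a bundle; fullchain.pem should carry leaf + intermediate(s).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only when the private key in $2 matches the public key in certificate $1.
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256) || return 1
    [ "$c" = "$k" ]
}

# Check a live directory; returns 0 when the files look deployable.
check_live_dir() {
    local dir=$1 days
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || { echo "missing files in $dir"; return 1; }
    days=$(days_until_expiry "$dir/fullchain.pem") || return 1
    # Certbot renews when fewer than 30 days remain; less than that means renewal is failing.
    [ "$days" -gt 30 ] || { echo "expires in $days days: renewal is overdue"; return 1; }
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" || { echo "privkey.pem does not match fullchain.pem"; return 1; }
    echo "ok: $days days left, $(count_certs "$dir/fullchain.pem") certificate(s) in chain"
}
```

Run it as `check_live_dir /etc/letsencrypt/live/example.com` after each `certbot renew --dry-run` or from a deploy hook.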

Security Hardening (Optional but Recommended)

To enhance security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx virtual host. Also disable outdated TLS versions and enable strong cipher suites. A solid configuration protects your clients from man-in-the-middle attacks.

By following these steps, your web server will serve traffic over HTTPS with a free Let's Encrypt certificate, protecting the confidentiality and integrity of every request in transit.
