Configuring Let's Encrypt for your HTTP server is now a standard practice for any webmaster. This guide outlines the key procedures to deploy a secure certificate using Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, confirm your VPS has a reachable domain pointing to it. You will need sudo privileges and an HTTP daemon such as Apache. The Let's Encrypt client package (Certbot) must be installed via your package manager, apt or yum. For example, on Ubuntu, run `sudo apt install certbot`; on yum-based distributions, run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to use the webroot plugin. The `--apache` plugin (or `--nginx` for Nginx) can also modify your configuration file automatically. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the ACME challenge. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This deposits a challenge token in your public folder (under `.well-known/acme-challenge/`), which the ACME server then fetches over HTTP to validate the domain.
Web Server Configuration Adjustments
After obtaining the certificate, you must update your site configuration to point to the key and certificate files. For Apache, the usual directives are:
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A 301 redirect is recommended. For Nginx, add `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates expire after 90 days. The client sets up a systemd timer to renew them automatically. To test the renewal process, run: `sudo certbot renew --dry-run`. Monitor your Certbot logs for warnings. If the renewal fails, check for DNS issues.
Security Hardening (Optional but Recommended)
To enhance security, consider an HSTS (HTTP Strict Transport Security) header by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your server block (this is Nginx syntax). Also, disable TLS 1.0 and allow only secure protocol versions. A robust configuration safeguards your visitors from downgrade attacks.
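The Apache settings this guide describes (certificate paths, the 301 redirect, HSTS, and TLS 1.0 removal) can be checked with a short script. This is an added example, not part of the original guide or of Certbot. It assumes HSTS is set on Apache with mod_headers' `Header always set`; the sample vhost file is constructed, and `vhosts`, `directive` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample vhost file (not from the guide); three gaps left in on purpose.
SAMPLE_CONF = """\
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3
</VirtualHost>
"""

def vhosts(conf):
    """Yield (port, body) for each <VirtualHost addr:port> section."""
    pat = r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>"
    for m in re.finditer(pat, conf, re.S | re.I):
        yield int(m.group(1)), m.group(2)

def directive(body, name):
    """Return the arguments of the last `name` directive, or None if absent."""
    hits = re.findall(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return hits[-1] if hits else None

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for port, body in vhosts(conf):
        if port == 80:  # plain-HTTP vhost: only the permanent redirect matters
            if not re.search(r"R=301|Redirect\s+(permanent|301)\s", body, re.I):
                findings.append("port 80: no 301 redirect to HTTPS")
            continue
        cert = directive(body, "SSLCertificateFile") or ""
        key = directive(body, "SSLCertificateKeyFile") or ""
        if not cert.endswith("/fullchain.pem"):
            findings.append("SSLCertificateFile is not fullchain.pem")
        if not key.endswith("/privkey.pem"):
            findings.append("SSLCertificateKeyFile is not privkey.pem")
        if not re.search(r"Header\s+always\s+set\s+Strict-Transport-Security", body, re.I):
            findings.append("no Strict-Transport-Security header")
        # A missing SSLProtocol is treated as "all" here; "all" keeps TLSv1 unless removed.
        proto = (directive(body, "SSLProtocol") or "all").lower().split()
        if ("all" in proto and "-tlsv1" not in proto) or {"tlsv1", "+tlsv1"} & set(proto):
            findings.append("TLS 1.0 not disabled")
    return findings
```

Call `audit()` on the text of your own vhost file; the checks are line-based and do not follow `Include` directives.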
By following these guidelines, traffic to your application will be encrypted using a free Let's Encrypt certificate, providing privacy for every session.