Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your HTTP server is now a fundamental step for any webmaster. This guide outlines the essential steps to set up a valid certificate using Certbot.

Prerequisites and Initial Setup

Before starting, verify that you have a domain whose DNS records point to the machine. You will need root access and an HTTP daemon such as Apache or Nginx. Install the Let's Encrypt client from your distribution's package manager: for example, `sudo apt install certbot` on Debian, or `sudo yum install certbot` on RHEL-based systems.

Obtaining the Certificate

The simplest method is to use a web-server plugin. For Apache or Nginx, the `--apache` or `--nginx` plugin can automatically modify your virtual host or server block. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the domain-validation process. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge token in your document root, which the Let's Encrypt servers fetch over HTTP to prove that you control the domain.
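What the webroot command leaves in the document root, as an added example that is not code from the article or from Certbot: a minimal model of the HTTP-01 challenge. The client writes `<webroot>/.well-known/acme-challenge/<token>` containing the key authorization `<token>.<JWK thumbprint>` (RFC 8555), and the CA fetches that URL over plain HTTP on port 80 and compares it with the value it derived from the account's public key. `SAMPLE_JWK` is a constructed dummy key (its `n` is a placeholder, not a real modulus) and the demo uses a temporary directory instead of `/var/www/html`.

```python
# Added example (not from the article or Certbot): the HTTP-01 webroot challenge,
# client side (place the file) and CA side (fetch and compare), minus the network.
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile

# Constructed account key in JWK form; "n" is a placeholder, not a real RSA modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "dGVzdA", "alg": "RS256", "use": "sig"}

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet, no '=' padding


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    sorted by name, no whitespace. Optional members such as alg/use are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url-encoded (RFC 7638)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact file body the CA expects: token, '.', thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Path under the document root. The token is chosen by the CA, so it is
    checked against the base64url alphabet before being used as a filename;
    this is what keeps a malformed token such as '../x' inside the
    acme-challenge directory."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side: write the key authorization into the webroot."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """CA side: read what the web server would serve for
    http://<domain>/.well-known/acme-challenge/<token> and compare it in
    constant time with the expected key authorization (trailing whitespace
    in the body is ignored, as RFC 8555 allows)."""
    try:
        with open(challenge_path(webroot, token), encoding="ascii") as fh:
            body = fh.read()
    except (FileNotFoundError, ValueError):
        return False
    return hmac.compare_digest(body.rstrip(), key_authorization(token, jwk))


def demo() -> tuple:
    """Round trip in a temporary webroot: (validation with the placed token,
    validation for a token that was never placed)."""
    token = "constructed_token_0123456789abcdef"  # constructed; a real token is CA-chosen
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, SAMPLE_JWK)
        return (validate_challenge(webroot, token, SAMPLE_JWK),
                validate_challenge(webroot, "other_token", SAMPLE_JWK))


if __name__ == "__main__":
    print("key authorization:", key_authorization("constructed_token", SAMPLE_JWK))
    print("validation (right token, wrong token):", demo())
```

The point of the model for an operator: the file must be served unmodified over plain HTTP, which is why a redirect rule that catches `/.well-known/acme-challenge/` before the file is read, or a firewall closing port 80, makes validation fail.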

Web Server Configuration Adjustments

After receiving the certificate, you must point your virtual host at the certificate and key files. The directive names differ by server:

  • Apache: `SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem` and `SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem`
  • Nginx: `ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;`

Ensure that plain HTTP requests are redirected to HTTPS; a 301 redirect is standard. For Nginx, use `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The certbot package installs a scheduled task (typically a systemd timer or cron job) that renews them without manual intervention. To verify that renewal works, run: `sudo certbot renew --dry-run`. Review the certbot logs for issues. If renewal fails, check that port 80 is reachable, since the HTTP challenge depends on it.

Security Hardening (Optional but Recommended)

To boost security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx server block (Apache's mod_headers has an equivalent `Header always set` directive). Also disable SSLv3 and other legacy protocol versions so that only current TLS versions are offered. A hardened configuration protects your visitors from MITM threats.
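An offline check of the two settings this section and the redirect section ask for, as an added example that is not part of the article: it takes a raw HTTP response as text (the form `curl -si` prints) and reports whether the plain-HTTP response is a 301 to the same URL on `https://`, and whether the HTTPS response carries a Strict-Transport-Security header with `includeSubDomains` and a `max-age` of at least the 31536000 seconds used above. The four sample responses are constructed, not captured from a real server.

```python
# Added example (not from the article): audit captured HTTP responses for the
# HTTP-to-HTTPS 301 redirect and for a sufficiently strong HSTS header.
from __future__ import annotations

RECOMMENDED_MAX_AGE = 31536000  # one year, the value in the article's add_header line

# Constructed sample responses, not captured from a real server.
GOOD_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/index.html\r\n"
    "Content-Length: 0\r\n\r\n"
)
NO_REDIRECT_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
GOOD_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
)
WEAK_HTTPS_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw response into (status code, header dict with lowercase names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a directive map (names lowercased)."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_redirect(raw: str, host: str, path: str) -> list[str]:
    """Findings for the plain-HTTP response: it should be a 301 whose Location
    is the same host and path on https://. An empty list means it passes."""
    findings: list[str] = []
    status, headers = parse_response(raw)
    if status != 301:
        findings.append(f"expected 301 redirect, got {status}")
    location = headers.get("location", "")
    expected = f"https://{host}{path}"
    if not location.startswith("https://"):
        findings.append("Location header missing or not https://")
    elif location != expected:
        findings.append(f"Location {location!r} differs from {expected!r}")
    return findings


def audit_hsts(raw: str, min_age: int = RECOMMENDED_MAX_AGE) -> list[str]:
    """Findings for the HTTPS response's Strict-Transport-Security header.
    An empty list means it passes."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    findings: list[str] = []
    if max_age < min_age:
        findings.append(f"max-age {max_age} is below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    return findings


if __name__ == "__main__":
    print("redirect:", audit_redirect(GOOD_HTTP_RESPONSE, "example.com", "/index.html"))
    print("no redirect:", audit_redirect(NO_REDIRECT_RESPONSE, "example.com", "/"))
    print("good HSTS:", audit_hsts(GOOD_HTTPS_RESPONSE))
    print("weak HSTS:", audit_hsts(WEAK_HTTPS_RESPONSE))
```

To run it against a live host, paste the output of `curl -si http://example.com/` into `audit_redirect` and of `curl -si https://example.com/` into `audit_hsts`; a short `max-age` or a missing `includeSubDomains` is the usual reason the header exists but offers little protection.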

By implementing these steps, your site will be protected with a cost-effective Let's Encrypt certificate, ensuring integrity for every connection.
