Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your web server is now a critical task for any website operator. This guide outlines the key steps to obtain and install a certificate using Certbot.

Prerequisites and Initial Setup

Before beginning the configuration, confirm that a DNS record points at your VPS. You will need sudo privileges and a web server such as Nginx or Apache. Install the Certbot package through your distribution's package manager: on Debian, `sudo apt install certbot`; on yum-based distributions, `sudo yum install certbot`.

Obtaining the Certificate

The most common method is to let a Certbot plugin handle the challenge. For Apache or Nginx, the `--apache` or `--nginx` plugin can obtain the certificate and edit your virtual host directly. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the ACME challenge. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation token under your public web root, which the Let's Encrypt servers fetch over HTTP.

Web Server Configuration Adjustments

After the certificate has been issued, you must adjust your server block to reference the certificate and key file locations. For Apache, the typical directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

Ensure you redirect HTTP to HTTPS. A 301 redirect is best practice. For Nginx, include `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates expire after 90 days. Certbot installs a cron job to renew them automatically. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Monitor your server logs for warnings. If the renewal fails, check that port 80 is reachable from the internet, since the HTTP challenge depends on it.

Security Hardening (Optional but Recommended)

To further harden the deployment, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your virtual host. Also disable outdated TLS versions and enable strong cipher suites. A secure configuration protects your visitors from downgrade attacks.

By following these steps, your web server will serve HTTPS with an automatically renewed Let's Encrypt certificate, providing privacy for every session.
