Configuring a free Let's Encrypt certificate for your HTTP server is now standard practice for any webmaster. This guide outlines the core configuration steps to set up a trusted certificate using the official ACME client.
Prerequisites and Initial Setup
Before starting the configuration, ensure your VPS has a reachable domain pointing to it. You will need root access and an HTTP daemon like Nginx. The Let's Encrypt client package (Certbot) must be installed via your distribution's package manager. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
The recommended method is to use the webroot plugin. Alternatively, the `--apache` or `--nginx` plugin can modify your virtual host or server block for you. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers the verification process. If you prefer manual control, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file in your document root, which Let's Encrypt requests over HTTP to verify that you control the domain.
Web Server Configuration Adjustments
After obtaining the certificate, you must update your virtual host to point to the key and certificate files. For Nginx, the standard directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A permanent redirect is recommended. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates last 90 days. Certbot installs a systemd timer to refresh them on a regular basis. To verify the renewal process, run: `sudo certbot renew --dry-run`. Monitor your certbot logs for issues. If the renewal fails, troubleshoot for DNS issues.
Security Hardening (Optional but Recommended)
To improve security, implement HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your server block. Also, disable SSLv3 and enable modern ciphers. A robust configuration protects your visitors from vulnerabilities.
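The Nginx settings covered above (certificate paths, the permanent redirect, HSTS and SSLv3) can be checked mechanically before a reload. The script below is an added example, not part of the original guide or of Certbot; the function names `directives` and `audit` are hypothetical, the sample config is constructed, and the check runs over the whole file rather than per server block.

```python
import re

# Constructed sample config (not from the original guide) with three deliberate mistakes.
SAMPLE_CONF = '''
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/cert.pem;  # leaf only
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
'''

def directives(conf, name):
    """Arguments of each `name ...;` directive; quoted strings may contain ';'."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (assumes no '#' inside values)
    pat = r'(?m)^\s*' + re.escape(name) + r'\s+((?:"[^"]*"|[^;"])+);'
    return [m.group(1).strip() for m in re.finditer(pat, conf)]

def audit(conf):
    """Return findings for the settings this guide recommends (whole-file check)."""
    findings = []
    certs = directives(conf, "ssl_certificate")
    keys = directives(conf, "ssl_certificate_key")
    if not certs or any(not c.endswith("/fullchain.pem") for c in certs):
        findings.append("ssl_certificate should point at fullchain.pem")
    if not keys or any(not k.endswith("/privkey.pem") for k in keys):
        findings.append("ssl_certificate_key should point at privkey.pem")
    if any("sslv3" in p.lower().split() for p in directives(conf, "ssl_protocols")):
        findings.append("ssl_protocols still enables SSLv3")
    if not any(r.startswith("301 https://") for r in directives(conf, "return")):
        findings.append("no permanent HTTP-to-HTTPS redirect")
    hsts = [h for h in directives(conf, "add_header")
            if h.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("HSTS header missing")
    elif any("max-age=" not in h or not h.endswith("always") for h in hsts):
        findings.append("HSTS header lacks max-age or the 'always' flag")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Pointing `ssl_certificate` at `cert.pem` serves only the leaf certificate without the intermediate chain, which is why the check insists on `fullchain.pem`.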
By adhering to these guidelines, traffic to your application will be encrypted with a free Let's Encrypt certificate, providing privacy for every request.