Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your web server is now a fundamental step for any site owner. This guide outlines the core configuration needed to deploy a trusted certificate using Certbot, the ACME client Let's Encrypt recommends.

Prerequisites and Initial Setup

Before you begin, make sure a public DNS name resolves to your machine's public IP address, that you have sudo privileges, and that a web server such as Nginx or Apache is installed. Install the Certbot package from your distribution's package manager: on Debian/Ubuntu, `sudo apt install certbot`; on RHEL-family systems, `sudo yum install certbot`.

Obtaining the Certificate

The most common methods are the web server plugins and the webroot plugin. The `--apache` and `--nginx` plugins obtain the certificate and modify your virtual host for you; for Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the ACME domain-validation process. If you prefer a method that does not touch your web server configuration, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file in your web directory, which the Let's Encrypt servers then fetch over HTTP.

Web Server Configuration Adjustments

After obtaining the certificate, you must update your virtual host to reference the SSL file locations. For Apache, the standard directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

Turn on redirection from HTTP to HTTPS; a permanent (301) redirect is standard. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates expire after 90 days. The Certbot package configures a systemd timer that renews them automatically on a regular schedule. To verify that renewal works end to end without issuing a new certificate, run: `sudo certbot renew --dry-run`. Monitor the Certbot logs for errors. If renewal fails, check first that DNS for the domain still points at this server.

Security Hardening (Optional but Recommended)

To enhance security, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx server block. Do this only once the HTTPS site is confirmed working, because browsers that have seen the header will refuse plain HTTP to the domain for the `max-age` period (one year here). Also disable SSLv3 and other legacy protocol versions and enable only strong cipher suites. A robust TLS configuration protects your clients from man-in-the-middle attacks.
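The pieces described above (the webroot validation path from "Obtaining the Certificate", the certificate file references and the HTTP-to-HTTPS redirect, and the HSTS and protocol hardening) assembled into a single Nginx site file. This is an added example, not configuration from the original guide or from the Certbot project; the hostnames `example.com`/`www.example.com`, the webroot `/var/www/html` and the cipher list are assumptions to adjust for your site. The one detail the prose does not show is that the redirect must not swallow the ACME challenge path, or the webroot plugin's HTTP validation (and every later renewal) will fail.

```nginx
# Added example configuration (not from the guide). Assumed values:
# example.com / www.example.com as the site names, /var/www/html as webroot.

# Port 80: serve ACME challenges over plain HTTP, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Certbot's webroot plugin writes its validation files below the webroot
    # (sudo certbot certonly --webroot -w /var/www/html -d example.com).
    # "^~" makes this prefix match win over any later regex location, so the
    # redirect below can never capture a validation request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # All other requests: permanent redirect to HTTPS (the 301 from the guide).
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Paths Certbot maintains; "live" is a symlink updated on every renewal.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak setting (do not use): ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: only TLS 1.2 and 1.3, so SSLv3 and early TLS are disabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (applies to TLS 1.2; TLS 1.3 suites are
    # fixed by the library). Assumed list; adjust to your client population.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every listed suite is strong; let clients choose
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;         # avoid long-lived ticket keys weakening forward secrecy

    # HSTS from the guide: add only after HTTPS is verified to work.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
```

Validate the file with `sudo nginx -t` before `sudo systemctl reload nginx`; a syntax error here would otherwise take the site down at the next reload. Note that this layout is for `certbot certonly --webroot`; the `--nginx` plugin edits the server blocks itself, so if you use it, check the result rather than maintaining both by hand.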

By adhering to these guidelines, your web server will be protected with a free Let's Encrypt certificate, ensuring trust for every session.
