Configuring Let's Encrypt for your HTTP server is now a fundamental step for any webmaster. This guide outlines the core configuration needed to deploy a valid certificate using automated tools.
Prerequisites and Initial Setup
Before starting the configuration, ensure your server has a public IP address and that your domain points to it. You will need sudo privileges and a web server such as Apache or Nginx. The Let's Encrypt client package (certbot) must be installed from your OS repository. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
The most common method is to use the webroot plugin. Alternatively, the `--apache` or `--nginx` plugin can automatically modify your Apache virtual host or Nginx server block. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This initiates the verification process. If you prefer manual control, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This creates a validation file in your web directory and leaves your server configuration untouched.
Web Server Configuration Adjustments
After obtaining the certificate, you must adjust your virtual host to use the certificate file locations. For Nginx, the standard directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A permanent redirect is best practice. For Nginx, include `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates expire after 90 days. The client installs a systemd timer to renew them without manual intervention. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Review your system logs for warnings. If the renewal fails, check for firewall issues.
Security Hardening (Optional but Recommended)
To enhance security, implement HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your Nginx server block (or the relevant location block). Also, disable TLS 1.0 and allow only secure protocol versions. A hardened configuration protects your clients from weaknesses in legacy protocols.
By implementing these instructions, your site will be protected with a cost-effective Let's Encrypt certificate, providing privacy for every request.