Configuring Let's Encrypt for your HTTP server is now a fundamental step for any website operator. This guide outlines the essential steps to obtain and install a valid certificate using Certbot.
Prerequisites and Initial Setup
Before starting the configuration, ensure the domain you want a certificate for resolves to your machine's public IP address. You will need root (or sudo) rights and an HTTP daemon such as Apache or Nginx. Install the Certbot package from your OS repository: on Debian or Ubuntu, run `sudo apt install certbot`; on CentOS, run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to use the web server plugin, which can modify your virtual host for you: `--apache` for Apache, `--nginx` for Nginx. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the ACME HTTP-01 challenge. If you prefer a method that does not touch your server configuration, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge token in your web directory, which the Let's Encrypt servers fetch over plain HTTP on port 80 to prove you control the domain.
Web Server Configuration Adjustments
After obtaining the certificate, you must point your server block at the files Certbot wrote. For Nginx, the standard directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`, pointing at the same two files.
Make sure plain HTTP traffic is redirected to HTTPS; a permanent (301) redirect is standard. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. The Certbot package installs a scheduled task (a systemd timer or cron job) that renews them without manual intervention. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Review the Certbot logs for warnings. If renewal fails, first check that port 80 is reachable from the internet, since the HTTP challenge depends on it.
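Besides the dry run, it is worth having a small check that confirms what Certbot left in the live directory: that `fullchain.pem` really contains the leaf plus an intermediate (a bare `cert.pem` mistakenly used as the chain breaks clients that need the intermediate), that no private key ended up in a certificate bundle, and how many days remain before the 30-day renewal window. The following Python script is an added example, not part of the original guide or of Certbot; it assumes the `/etc/letsencrypt/live/<domain>/` layout shown above and the `notAfter=` line format printed by `openssl x509 -noout -enddate`. The PEM bundles below are constructed placeholders so the check runs offline.

```python
"""Renewal sanity check for a Let's Encrypt live directory (added example).

Assumptions (not from the original guide): certificate paths follow
/etc/letsencrypt/live/<domain>/ and expiry comes from the string printed by
`openssl x509 -noout -enddate`, e.g. "notAfter=Jun 10 12:00:00 2025 GMT".
"""
import re
import subprocess
from datetime import datetime, timezone

# Certbot's default: renew once fewer than 30 days of validity remain.
RENEW_WITHIN_DAYS = 30

# One PEM block: BEGIN label ... END with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(text):
    """Return the labels of the PEM blocks found in a bundle, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_fullchain(text):
    """fullchain.pem must hold the leaf plus at least one intermediate, and never a key."""
    labels = pem_blocks(text)
    problems = []
    certs = [label for label in labels if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append(
            "fullchain.pem has %d certificate(s); expected leaf + intermediate(s)" % len(certs)
        )
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key material found in a certificate bundle")
    return problems


def parse_not_after(line):
    """Parse an openssl '-enddate' line into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def utc(year, month, day):
    """Helper to build an aware UTC timestamp (used for offline checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days from `now` until the certificate's notAfter."""
    return (not_after - now).total_seconds() / 86400


def renewal_status(not_after_line, now=None):
    """Classify a certificate as 'ok', 'renew-now' (inside the 30-day window) or 'expired'."""
    now = now or datetime.now(timezone.utc)
    days = days_remaining(parse_not_after(not_after_line), now)
    if days < 0:
        return "expired"
    if days < RENEW_WITHIN_DAYS:
        return "renew-now"
    return "ok"


def live_not_after(domain):
    """Ask openssl for the leaf certificate's notAfter (only works on a real host)."""
    path = "/etc/letsencrypt/live/%s/cert.pem" % domain
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed sample bundles: the base64 bodies are placeholders, not real certificates.
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
"""
SAMPLE_BROKEN = """-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE...key-placeholder...
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("good bundle:", check_fullchain(SAMPLE_FULLCHAIN) or "no problems")
    print("bad bundle: ", check_fullchain(SAMPLE_BROKEN))
    print("status:", renewal_status("notAfter=Jun 10 12:00:00 2025 GMT", utc(2025, 5, 1)))
    # On a real host: print(renewal_status(live_not_after("example.com")))
```

Run it from a cron job or monitoring agent after `certbot renew`; a `renew-now` result when the timer has been running for days usually means the renewal is silently failing, which is exactly the port 80 problem mentioned above.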
Security Hardening (Optional but Recommended)
To improve security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block. Also disable outdated TLS versions and allow only current protocols. A solid configuration protects your visitors from protocol downgrade attacks.
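Putting the pieces above together, here is a complete Nginx configuration as an added example (not from the original guide or from the Certbot project): a port 80 server block that keeps the ACME challenge path reachable for `certbot certonly --webroot` and for renewals while redirecting everything else, and a port 443 block that uses the certificate paths named above, restricts TLS to current versions, and sends the HSTS header. It assumes the domain `example.com`, the webroot `/var/www/html`, and Certbot's default paths under `/etc/letsencrypt/live/example.com/`.

```nginx
# Added example configuration; assumes example.com and webroot /var/www/html.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep port 80 reachable for the HTTP-01 challenge: the Let's Encrypt
    # servers fetch the token written by `certbot certonly --webroot -w /var/www/html`
    # from this path over plain HTTP, including during automated renewals.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything else gets the permanent redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Files written by Certbot; fullchain.pem includes the intermediate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only current protocol versions; TLS 1.0 and 1.1 are disabled by omission.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header refuse plain HTTP for a year.
    # Start with a short max-age while testing; it is hard to undo once cached.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
```

Two caveats worth knowing: `add_header` directives are inherited only if the `location` block has none of its own, so a location that sets any header of its own must repeat the HSTS line; and after editing, run `sudo nginx -t` before reloading so a typo does not take the site offline.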
By following these steps, your site will be served over HTTPS with a free Let's Encrypt certificate, giving every request confidentiality and integrity in transit.