Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your hosting platform is now a routine but critical task for any website operator. This guide outlines the essential steps to obtain and install a valid certificate using Certbot, the ACME client recommended by Let's Encrypt, and to keep it renewed.

Prerequisites and Initial Setup

Before you start, confirm that the domain's DNS A record (and AAAA record, if you use IPv6) points at your server's public IP address, and that port 80 is reachable from the Internet: Let's Encrypt proves you control the domain by connecting to it over plain HTTP. You will need root (sudo) access and a running web server such as Nginx or Apache. Install Certbot from your OS repository. On Debian or Ubuntu, run `sudo apt install certbot` (add `python3-certbot-nginx` or `python3-certbot-apache` if you want the web server plugins); on CentOS or RHEL, run `sudo yum install certbot` (the package lives in the EPEL repository).

Obtaining the Certificate

Two approaches are common. The web server plugins obtain the certificate and edit your server configuration for you: run `sudo certbot --apache -d example.com -d www.example.com` for Apache, or the same command with `--nginx` for Nginx. Certbot then performs domain validation: the Let's Encrypt CA issues an HTTP-01 challenge that your server must answer on port 80 for every name listed with `-d`. If you prefer Certbot not to touch your configuration, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This writes the challenge token into `/var/www/html/.well-known/acme-challenge/`, which the CA fetches at `http://example.com/.well-known/acme-challenge/`, so the directory passed to `-w` must be the document root that actually serves that hostname. With `certonly`, configuring the web server is then up to you.

Web Server Configuration Adjustments

After the certificate is issued, Certbot stores it under `/etc/letsencrypt/live/example.com/`, and you must point your site configuration at the certificate and key there. For Nginx, the directives are:

  • ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`

The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`. Use `fullchain.pem` rather than `cert.pem` so that clients also receive the intermediate certificate; without it, some clients cannot build a trust path. The files in `live/` are symlinks that Certbot repoints at each renewal, so these paths never need to change.

Redirect HTTP to HTTPS with a permanent (301) redirect. In Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; in Apache, use `RewriteEngine On` with a `RewriteRule` (or a `Redirect permanent` directive) in the port-80 virtual host. Let's Encrypt follows redirects to HTTPS when validating, but it is safer to exempt `/.well-known/acme-challenge/` from the redirect and serve it directly over plain HTTP, so that renewals keep working even if the HTTPS side is misconfigured.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days, and Certbot attempts renewal once fewer than 30 days remain. Distribution packages install a systemd timer (`certbot.timer`) or a cron job that runs `certbot renew` regularly, so no manual intervention is needed. To test the process, run `sudo certbot renew --dry-run`; this rehearses validation against the staging environment without touching the live certificate or consuming rate limits. Certbot logs to `/var/log/letsencrypt/letsencrypt.log`. If the dry run fails, check that port 80 is open in your firewall and reaches this host, that DNS still points at it, and that the webroot path still matches the site's document root. The `--nginx` and `--apache` plugins reload the server after a renewal; with the webroot plugin, add a `--deploy-hook` (or a script in `/etc/letsencrypt/renewal-hooks/deploy/`), otherwise the server keeps serving the old certificate until it is restarted.
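The following script, an added example that is not from the original guide or from the Certbot project, turns the checks above into something you can run from cron or use as a deploy hook: it warns when the certificate is inside the renewal window (a sign that the timer has stalled), rehearses renewal with `--dry-run`, and reloads Nginx only after `nginx -t` passes. It assumes the certificate path used in this guide (override with `CERT=...`); the script name and install path are illustrative.

```shell
#!/bin/sh
# Renewal health check and deploy hook for a Certbot-managed certificate.
# Added example, not from the original guide or from Certbot. Assumes the
# certificate path used in this guide; override with CERT=... in the environment.
#
# Usage (script name and location are assumptions):
#   /usr/local/sbin/le-renewal.sh check    # warn if near expiry, then dry-run renewal
#   /usr/local/sbin/le-renewal.sh deploy   # reload Nginx only if its config passes nginx -t
#
# Register the deploy step so the webroot plugin actually activates new certs:
#   sudo certbot renew --deploy-hook "/usr/local/sbin/le-renewal.sh deploy"
set -eu

CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
RENEW_WINDOW_DAYS=30   # Certbot's default: renew when fewer than 30 days remain

# cert_valid_for_days CERT DAYS
# Returns 0 if CERT is still valid DAYS days from now, 1 if it expires sooner,
# is already expired, or cannot be read. openssl's -checkend takes seconds.
cert_valid_for_days() {
    cvd_cert="$1"
    cvd_days="$2"
    openssl x509 -noout -checkend "$((cvd_days * 86400))" -in "$cvd_cert" >/dev/null 2>&1
}

# check_cert CERT
# Prints a status line; returns 0 when more than RENEW_WINDOW_DAYS remain and
# 1 when the cert is inside the window, meaning automatic renewal has stalled.
check_cert() {
    if cert_valid_for_days "$1" "$RENEW_WINDOW_DAYS"; then
        echo "OK: $1 is valid for more than $RENEW_WINDOW_DAYS days"
        return 0
    fi
    echo "WARNING: $1 expires within $RENEW_WINDOW_DAYS days or is unreadable;" \
         "check the certbot timer, port 80 firewall rules," \
         "and /var/log/letsencrypt/letsencrypt.log" >&2
    return 1
}

# reload_nginx_if_valid
# Deploy hook body: a syntax-checked reload, so a bad config edit cannot leave
# the server down after a renewal. Returns nginx -t's verdict.
reload_nginx_if_valid() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
        return 0
    fi
    echo "nginx -t failed; not reloading (old certificate stays in use)" >&2
    return 1
}

case "${1:-}" in
    check)
        status=0
        check_cert "$CERT" || status=1
        # Full rehearsal against the staging CA; does not touch the live cert.
        certbot renew --dry-run || status=1
        exit "$status"
        ;;
    deploy)
        reload_nginx_if_valid
        ;;
    *)
        ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run `le-renewal.sh check` from a daily cron job a few days before the 30-day window so that a broken timer is noticed while there is still time to fix it; the `deploy` action is what Certbot invokes after a successful renewal.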

Security Hardening (Optional but Recommended)

To improve security, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the HTTPS server block (the `always` parameter makes Nginx send the header on error responses as well). Send it only over HTTPS, and note that `includeSubDomains` commits every subdomain to HTTPS for a full year once a browser has seen the header, so start with a short `max-age` until all subdomains are served over TLS. Disable outdated protocols with `ssl_protocols TLSv1.2 TLSv1.3;` and restrict TLS 1.2 to forward-secret AEAD cipher suites. A solid configuration protects your users from downgrade and man-in-the-middle attacks.

By following these steps, your site will be protected by a free, automatically renewed Let's Encrypt certificate, with every request served over HTTPS.
