Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring a free TLS certificate from Let's Encrypt for your web server is now standard practice for any site owner. This guide outlines the core steps to obtain and deploy a trusted certificate using automated tools.

Prerequisites and Initial Setup

Before beginning the configuration, verify that your VPS has a domain name that resolves to it and is reachable over HTTP. You will need sudo privileges to edit the web server configuration, and an HTTP daemon such as Apache or Nginx. Install the Let's Encrypt client (certbot) with your distribution's package manager: on Debian or Ubuntu, run `sudo apt install certbot`; on RHEL-based systems, run `sudo yum install certbot`.

Obtaining the Certificate

The simplest method is a web server plugin: `--apache` for Apache or `--nginx` for Nginx. The plugin edits the matching virtual host or server block for you. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts the domain validation. If you prefer the webroot approach, which leaves your configuration untouched, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This writes a challenge token under `/var/www/html/.well-known/acme-challenge/`, which Let's Encrypt fetches over plain HTTP to prove you control the domain. The standalone plugin (`--standalone`) is a third option: it runs its own temporary web server on port 80, so the real one must be stopped while it runs.
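The webroot method only works if the path certbot writes to is the same one your web server serves at `/.well-known/acme-challenge/`. The script below is an added example (not part of the article or of certbot): it stages a constructed token under the webroot, computes the URL the validation servers would request, and optionally fetches it with `curl` to confirm the mapping before you spend an issuance attempt. The domain, the webroot and the presence of `curl` are assumptions passed in or checked by the caller.

```sh
#!/bin/sh
# Added example: pre-flight check for the http-01 webroot challenge path.
# Assumes: the domain and webroot are given as arguments; curl is installed
# for the network check. The token name and contents are constructed locally.
set -eu

ACME_DIR=".well-known/acme-challenge"   # path prefix fixed by the ACME http-01 challenge

# Filesystem path of a token file under the given webroot.
token_path() {
  printf '%s/%s/%s\n' "$1" "$ACME_DIR" "$2"
}

# URL the validation servers would fetch: plain HTTP on port 80, never HTTPS.
token_url() {
  printf 'http://%s/%s/%s\n' "$1" "$ACME_DIR" "$2"
}

# Write a constructed token file under the webroot and print the token name.
# Real tokens are key authorizations built by certbot; this one only has to round-trip.
stage_token() {
  webroot=$1
  token="selfcheck-$(date +%s)-$$"
  mkdir -p "$webroot/$ACME_DIR"
  printf 'ok %s\n' "$token" > "$(token_path "$webroot" "$token")"
  printf '%s\n' "$token"
}

# Network check: fetch the token over HTTP and compare with what is on disk.
# Returns 0 when the served bytes match, 1 when unreachable or different.
check_served() {
  domain=$1; webroot=$2; token=$3
  expected=$(cat "$(token_path "$webroot" "$token")")
  got=$(curl -fsS --max-time 10 "$(token_url "$domain" "$token")" 2>/dev/null) || return 1
  [ "$got" = "$expected" ]
}

# Remove the staged token so nothing is left behind in the webroot.
cleanup_token() {
  rm -f "$(token_path "$1" "$2")"
}

# Usage: ./selfcheck.sh example.com /var/www/html
main() {
  domain=$1; webroot=$2
  token=$(stage_token "$webroot")
  if check_served "$domain" "$webroot" "$token"; then
    echo "http-01 path OK: $(token_url "$domain" "$token")"
    echo "next: sudo certbot certonly --webroot -w $webroot -d $domain --dry-run"
  else
    echo "NOT reachable: $(token_url "$domain" "$token") (check DNS, port 80, server root/alias)" >&2
  fi
  cleanup_token "$webroot" "$token"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run it once from outside your network if you can; a token that is readable from the server itself but not from the internet points at a firewall or a DNS record that does not resolve publicly.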

Web Server Configuration Adjustments

After the certificate has been issued, adjust your server block to reference the issued files. For Nginx, the directives are:

  • `ssl_certificate`: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • `ssl_certificate_key`: `/etc/letsencrypt/live/example.com/privkey.pem`

The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile`, pointing at the same two files.

Also redirect HTTP to HTTPS; a 301 redirect is standard. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block. For Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates expire after 90 days. The certbot package installs a scheduled task (a systemd timer or cron job) that renews them without manual intervention. To verify the renewal process, run: `sudo certbot renew --dry-run`. Review the certbot logs for issues. If renewal fails, check the firewall first: validation repeats on every renewal, so port 80 must stay reachable.
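A dry run only tells you that renewal could work today. The script below is an added example (not from the article or from certbot) for a monitoring host or cron job: it reads the expiry date of a deployed certificate, works out how many days remain, flags when certbot's default renewal window has been entered, and confirms that some scheduler for `certbot renew` actually exists. It assumes GNU `date` (for `date -d`), `openssl` on the host, and the 30-day window that certbot uses by default; the certificate path is an example.

```sh
#!/bin/sh
# Added example: post-renewal health check for a Let's Encrypt certificate.
# Assumes GNU date, openssl, and certbot's default 30-day renewal window.
set -eu

RENEW_WINDOW_DAYS=30   # certbot's default: renew once fewer than 30 days remain

# Days left, given a "notAfter=..." line as printed by `openssl x509 -enddate -noout`
# and a reference time in epoch seconds (passed in so results are reproducible).
days_left() {
  end_line=$1; now=$2
  end_epoch=$(date -u -d "${end_line#notAfter=}" +%s)
  echo $(( (end_epoch - now) / 86400 ))
}

# True (exit 0) when the certificate is already inside the renewal window,
# i.e. the timer should have renewed it by now.
renewal_due() {
  [ "$1" -lt "$RENEW_WINDOW_DAYS" ]
}

# Read the notAfter line from a certificate file on disk.
cert_end_line() {
  openssl x509 -enddate -noout -in "$1"
}

# Is there anything that will run `certbot renew`? systemd timer first, then cron.
scheduler_present() {
  systemctl list-timers --all 2>/dev/null | grep -q certbot && return 0
  ls /etc/cron.d/certbot /etc/cron.daily/certbot 2>/dev/null | grep -q . && return 0
  return 1
}

# Usage: ./renewcheck.sh /etc/letsencrypt/live/example.com/cert.pem
main() {
  cert=$1
  left=$(days_left "$(cert_end_line "$cert")" "$(date +%s)")
  echo "$cert: $left days left"
  if renewal_due "$left"; then
    echo "inside the renewal window but not renewed: run 'sudo certbot renew --dry-run'" >&2
    echo "and read /var/log/letsencrypt/letsencrypt.log for the failing challenge" >&2
  fi
  scheduler_present || echo "no certbot timer or cron job found" >&2
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Checking the certificate the server actually presents (for example via `openssl s_client`) rather than the file on disk catches one more failure mode: certbot renewed the file but the web server was never reloaded and still serves the old one.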

Security Hardening (Optional but Recommended)

To enhance security, consider HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your virtual host. Note that `includeSubDomains` commits every subdomain to HTTPS, so confirm they all serve it before enabling the header. Also disable the obsolete TLS 1.0 and 1.1, keeping TLS 1.2 and 1.3. A hardened configuration protects your visitors' traffic from downgrade and interception.
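The directives from the configuration section and the hardening section belong in one server block pair. The script below is an added example (not the article's own configuration and not generated by certbot): it renders a complete Nginx configuration for a domain, with the port-80 block that still answers ACME challenges while redirecting everything else, the TLS block with the `fullchain.pem`/`privkey.pem` paths, TLS 1.2/1.3 only, and the HSTS header, and it checks that the referenced files exist and that the private key is not world-readable. The domain and the `/etc/letsencrypt/live` layout are assumptions; the live directory can be overridden for testing.

```sh
#!/bin/sh
# Added example: render an Nginx server block pair for a Let's Encrypt
# certificate and sanity-check the files it references.
# Assumes certbot's layout /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem.
set -eu

LE_LIVE=/etc/letsencrypt/live
HSTS_MAX_AGE=31536000   # one year, as in the article's header

# Print the redirect block and the TLS block for a domain to stdout.
render_nginx_conf() {
  domain=$1; live=${2:-$LE_LIVE}
  cat <<EOF
# Port 80: answer ACME challenges, redirect everything else to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     $live/$domain/fullchain.pem;
    ssl_certificate_key $live/$domain/privkey.pem;

    # TLS 1.0 and 1.1 are obsolete; keep only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: enable only once every subdomain is reachable over HTTPS
    add_header Strict-Transport-Security "max-age=$HSTS_MAX_AGE; includeSubDomains" always;

    root /var/www/html;
}
EOF
}

# Verify that both files Nginx will load are readable and that the private key
# is not world-readable (a readable key lets any local user impersonate the site).
# Returns 0 when every check passes, 1 otherwise.
check_cert_paths() {
  domain=$1; live=${2:-$LE_LIVE}; rc=0
  for f in fullchain.pem privkey.pem; do
    if [ ! -r "$live/$domain/$f" ]; then
      echo "missing or unreadable: $live/$domain/$f" >&2; rc=1
    fi
  done
  key="$live/$domain/privkey.pem"
  # -L follows certbot's symlinks so the real file's mode is tested, not the link's
  if [ -e "$key" ] && [ -n "$(find -L "$key" -perm -o+r 2>/dev/null)" ]; then
    echo "private key is world-readable: $key" >&2; rc=1
  fi
  return $rc
}

# Usage: ./render.sh example.com > /etc/nginx/sites-available/example.com
if [ $# -ge 1 ]; then
  check_cert_paths "$1"
  render_nginx_conf "$1"
fi
```

Run `nginx -t` after installing the file and reload rather than restart, so an error in the new block does not take the site down; certbot's renewal hook should reload Nginx the same way.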

By following these steps, your site will be secured with an automatically renewed Let's Encrypt certificate, ensuring integrity for every request.
