Configuring a certificate from the free Let's Encrypt CA for your HTTP server is now a core task for any webmaster. This guide outlines the steps needed to obtain and deploy a valid certificate using Certbot.
Prerequisites and Initial Setup
Before starting, confirm that a domain name resolves to your VPS. You will need administrator (root or sudo) rights and an HTTP daemon such as Nginx or Apache. Install the Certbot client from your OS repository: on Debian/Ubuntu, run `sudo apt install certbot`; on CentOS (with the EPEL repository enabled), run `sudo yum install certbot`.
Obtaining the Certificate
The most common method is to let Certbot's web server plugin answer the domain validation challenge. For Apache use `--apache`; for Nginx use `--nginx`. Either plugin can seamlessly modify your virtual host. Run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers the domain verification. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This creates a challenge token in your document root, which Let's Encrypt fetches over HTTP to prove you control the domain.
Web Server Configuration Adjustments
After receiving the certificate, update your virtual host to use the certificate and key files. For Apache, the directives are (Nginx uses `ssl_certificate` and `ssl_certificate_key` with the same paths):
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure that all HTTP requests are redirected to HTTPS; a 301 (permanent) redirect is best practice. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`, or `Redirect permanent`.
Automated Renewal and Verification
Let's Encrypt certificates expire after 90 days. The Certbot package installs a cron job or systemd timer that renews them without manual intervention. To verify the renewal process, run: `sudo certbot renew --dry-run`. Review your server logs for errors. If renewal fails, check that port 80 is reachable from the internet, since the validation challenge is served there.
Security Hardening (Optional but Recommended)
To improve security, implement HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx server block (for Apache with mod_headers, use `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`). Also disable SSLv3 (and, where possible, TLS 1.0 and 1.1) and enable modern cipher suites. A robust configuration protects your visitors from man-in-the-middle (MITM) attacks.
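As an added check that is not part of this guide, the following Python script lints an Nginx server block against the points above: the 301 redirect, the Certbot `live` certificate paths, SSLv3 disabled, and the HSTS header with a one-year max-age. The two configurations it runs on are constructed samples, not a real deployment.

```python
import re

# Constructed sample configs (not from the guide): a weak TLS server block and the hardened one.
WEAK_CONF = """
server { listen 80; server_name example.com; return 302 https://$host$request_uri; }
server {
    ssl_certificate /etc/ssl/old/example.com.crt;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=300";
}
"""
HARDENED_CONF = """
server { listen 80; server_name example.com; return 301 https://$host$request_uri; }
server {
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def lint_nginx_tls(conf: str) -> list[str]:
    """Return hardening findings for an Nginx config; an empty list means all checks pass."""
    findings = []
    # 1. HTTP -> HTTPS must be a permanent (301) redirect, not a temporary one.
    if not re.search(r"return\s+301\s+https://", conf):
        findings.append("no 301 redirect from HTTP to HTTPS")
    # 2. Cert and key should come from Certbot's live directory so renewals take effect.
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        m = re.search(rf"^\s*{directive}\s+(\S+);", conf, re.M)
        if not m or not m.group(1).startswith("/etc/letsencrypt/live/"):
            findings.append(f"{directive} does not point at /etc/letsencrypt/live/")
    # 3. SSLv3 (and the deprecated TLS 1.0/1.1) must not be offered.
    m = re.search(r"ssl_protocols\s+([^;]+);", conf)
    legacy = {"SSLv3", "TLSv1", "TLSv1.1"} & set(m.group(1).split()) if m else set()
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    # 4. HSTS with a one-year max-age (31536000 s), sent on every response ('always').
    m = re.search(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"\s*(always)?\s*;', conf)
    if not m:
        findings.append("HSTS header missing")
    else:
        age = re.search(r"max-age=(\d+)", m.group(1))
        if not age or int(age.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
        if not m.group(2):
            findings.append("HSTS add_header lacks 'always'")
    return findings
```

Run `lint_nginx_tls` on the text of your own server block after editing it; an empty result means the four checks pass.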
By following these steps, your application will be protected with a free Let's Encrypt certificate, providing confidentiality and integrity for every session.