Configuring Let's Encrypt for your hosting platform is now a standard practice for any webmaster. This guide outlines the essential steps to set up a secure certificate using Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, confirm your machine has a reachable domain pointing to it. You will need sudo privileges and an HTTP daemon like Nginx. The Let's Encrypt client package (Certbot) must be installed through your package manager, apt or yum. For example, on Debian or Ubuntu, run `sudo apt install certbot`; on CentOS, run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to let a Certbot web server plugin do the work: the `--apache` or `--nginx` plugin can automatically modify your virtual host. On Apache, run: `sudo certbot --apache -d example.com -d www.example.com`; on Nginx, use `--nginx` in place of `--apache`. This starts the domain validation. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This deposits a challenge file in your document root and, because of `certonly`, leaves the server configuration for you to edit.
Web Server Configuration Adjustments
After obtaining the certificate, you must modify your server block to point to the SSL file locations. For Nginx, the standard directives are:
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A 301 redirect is best practice. For Nginx, add `return 301 https://$host$request_uri;` to the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. Certbot installs a scheduled task to refresh them on a regular basis. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Review your server logs for errors. If the renewal fails, check for DNS issues.
Security Hardening (Optional but Recommended)
To boost security, implement HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your location block. Also, disable outdated TLS versions and prefer modern ciphers. A secure configuration safeguards your users from downgrade attacks.
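The Nginx pieces from the sections above (certificate paths, the 301 redirect, HSTS and the TLS version limit) combined into one configuration, as an added example that is not part of the original guide. The domain and webroot are the ones used on this page; the protocol and cipher choices are an assumed policy, so adjust them to the clients you must support.

```nginx
# Added example: constructed server blocks for example.com.
# Port 80 serves ACME HTTP-01 challenge files and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve challenge files directly so webroot renewals
    # do not depend on the HTTPS redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/html;

    # fullchain.pem carries the leaf plus intermediates; privkey.pem is the key.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Assumed policy: TLS 1.2 and 1.3 only, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Set at server level so every location inherits it. A location that
    # declares its own add_header lines stops inheriting and must repeat it.
    # includeSubDomains covers every subdomain, so each must already serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the syntax with `sudo nginx -t` before reloading Nginx.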
By implementing these instructions, your site will be protected with a cost-effective Let's Encrypt certificate, with every session encrypted in transit.