Configuring Let's Encrypt for your hosting platform is now a critical task for any site owner. This guide outlines the key procedures to set up a trusted certificate using automated tools.
Prerequisites and Initial Setup
Before launching the configuration, verify that a DNS record for your domain resolves to the VPS. You will need root access and a web server such as Apache or Nginx. The Certbot package must be installed via your distribution's package manager. For example, on Debian or Ubuntu run `sudo apt install certbot`; on CentOS run `sudo yum install certbot`.
Obtaining the Certificate
The most common method is to use the web server plugin: `--apache` for Apache or `--nginx` for Nginx. The plugin obtains the certificate and can automatically modify your configuration file. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers domain validation, in which Let's Encrypt confirms that you control the domain. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge file under `/.well-known/acme-challenge/` in your document root, which Let's Encrypt fetches over plain HTTP.
Web Server Configuration Adjustments
After receiving the certificate, you must modify your site configuration to use the key and certificate files. For Apache, the typical directives are:
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
The Nginx equivalents are `ssl_certificate` and `ssl_certificate_key` with the same two paths. Use `fullchain.pem` rather than `cert.pem` so that the intermediate certificate is sent to clients.
Ensure you redirect HTTP to HTTPS. A 301 (permanent) redirect is best practice. For Nginx, insert `return 301 https://$host$request_uri;` in the port-80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
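The following Nginx site configuration is an added example, not part of the original guide: it wires the Certbot paths from the list above into an HTTPS server block and adds the 301 redirect from the port-80 block. It assumes the domain is example.com, the document root is /var/www/html, and that the certificate was obtained with the webroot method, so the ACME challenge path is deliberately excluded from the redirect.

```nginx
# Added example (not from the original guide): minimal Nginx site for example.com
# using the certificate and key that Certbot writes under /etc/letsencrypt/live/.
# Assumptions: document root /var/www/html, domain example.com, webroot method.

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Renewal challenges are fetched over plain HTTP; this path must not redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything else: permanent redirect to the same host and path over HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: serve the site over TLS with the Let's Encrypt certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    root /var/www/html;
    index index.html;

    # fullchain.pem = leaf certificate + intermediate(s); privkey.pem = private key.
    # Both are symlinks that Certbot repoints on every renewal, so the paths never change.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the syntax with `nginx -t` before `systemctl reload nginx`. Note that Nginx reads the certificate files only at start or reload, so a renewed certificate is not served until Nginx is reloaded; the `--nginx` plugin handles this, while the webroot method needs a `--deploy-hook` (for example `--deploy-hook "systemctl reload nginx"`) on the renewal command.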
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer (or a cron job on systems without systemd) that runs regularly and renews any certificate that is approaching expiry. To test the renewal process without issuing a real certificate, run: `sudo certbot renew --dry-run`. Check your system logs for warnings. If renewal fails, confirm that port 80 is reachable from the internet, because the HTTP challenge is served there and a firewall or a redirect that also catches the challenge path will break it.
Security Hardening (Optional but Recommended)
To enhance security, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block (Nginx syntax). Also disable the outdated TLS versions 1.0 and 1.1 and prefer strong cipher suites. A solid configuration protects your clients from protocol downgrade and weak-cipher attacks.
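As an added example (not from the original guide), the snippet below shows the outdated settings next to the hardened ones for the HTTPS server block. It assumes the file is saved at a hypothetical path such as /etc/nginx/snippets/tls-hardening.conf and pulled into the port-443 server block with `include snippets/tls-hardening.conf;`.

```nginx
# Added example (not from the original guide): TLS hardening for the HTTPS server block.
# Assumption: saved as /etc/nginx/snippets/tls-hardening.conf (hypothetical path) and
# included from the `server { listen 443 ssl; ... }` block.

# --- Weak: what older templates often carry (shown commented out, do not use) ---
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0 and 1.1 are deprecated (RFC 8996)
# ssl_ciphers HIGH:!aNULL:!MD5;          # still admits CBC and non-forward-secret suites

# --- Corrected ---
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.2 list restricted to AEAD suites with ECDHE key exchange (forward secrecy).
# TLS 1.3 suites are negotiated by OpenSSL and are all AEAD with forward secrecy.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;   # every suite above is acceptable; let the client pick

# Session resumption via a shared cache; tickets off so no long-lived ticket key
# undermines forward secrecy.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# HSTS: browsers that have seen this header refuse plain HTTP for the domain
# for max-age seconds. `always` sends it on error responses too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

Two caveats before copying this: `includeSubDomains` commits every subdomain to HTTPS, so any HTTP-only subdomain breaks until the header expires in clients; start with a short `max-age` (for example a few minutes) and raise it only once HTTPS works everywhere. Also, in Nginx an `add_header` inside a `location` block replaces all `add_header` directives inherited from the `server` level, so the HSTS line must be repeated in any location that sets its own headers.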
By implementing these guidelines, your site will be served with an automatically renewed Let's Encrypt certificate, giving every session confidentiality and integrity in transit.