Configuring Let's Encrypt for your web server is now standard practice for any site owner. This guide outlines the essential steps to deploy a trusted certificate using automated tools.
Prerequisites and Initial Setup
Before starting the configuration, ensure your domain name points to your server's public IP. You will need root access and an HTTP daemon such as Nginx or Apache. The Let's Encrypt client, Certbot, must be installed via your distribution's package manager. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
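A common method is to use one of Certbot's web server plugins. The `--apache` or `--nginx` plugin obtains the certificate and modifies your virtual host or server block for you. For Apache, run: `sudo certbot --apache -d example.com -d www.example.com` (use `--nginx` instead on Nginx). This triggers the domain validation. If you prefer the webroot approach, which leaves your server configuration untouched, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This creates a validation token under `.well-known/acme-challenge/` in your document root, which the Let's Encrypt servers fetch over HTTP.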
Web Server Configuration Adjustments
After obtaining the certificate with `certonly`, you must edit your server block or virtual host to use the certificate file locations. The usual directives are:
- Nginx `ssl_certificate` / Apache `SSLCertificateFile`: `/etc/letsencrypt/live/example.com/fullchain.pem`
- Nginx `ssl_certificate_key` / Apache `SSLCertificateKeyFile`: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP traffic to HTTPS. A permanent redirect is standard. For Nginx, insert `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. The client sets up a systemd timer to renew them automatically. To simulate the renewal process, run: `sudo certbot renew --dry-run`. Review your system logs for errors. If the renewal encounters a problem, check for firewall issues.
Security Hardening (Optional but Recommended)
To boost security, enable HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block in Nginx (a header set only inside a `location` block applies to that location alone). Also, disable SSLv3 and use strong cipher suites. A secure configuration protects your visitors from downgrade attacks.
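The settings covered in this guide (certificate paths, the HTTP-to-HTTPS redirect, HSTS and SSLv3) can be checked mechanically before reloading Nginx. The script below is an added example, not part of the original guide; the function names `audit_nginx_tls` and `write_samples` and both sample configs are constructed for illustration, and the comment stripping assumes no `#` appears inside a quoted value.

```shell
# Added example: audit an Nginx config for the settings this guide describes.
# Prints one FAIL line per finding; the return status is the number of findings.
audit_nginx_tls() {
    conf=$(sed 's/#.*//' "$1")   # naive comment strip: disabled lines don't count
    fails=0
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    live='/etc/letsencrypt/live/[^/;]+'
    has "ssl_certificate[[:space:]]+$live/fullchain\.pem;" ||
        fail "ssl_certificate is not the Let's Encrypt fullchain.pem"
    has "ssl_certificate_key[[:space:]]+$live/privkey\.pem;" ||
        fail "ssl_certificate_key is not the Let's Encrypt privkey.pem"
    has 'return[[:space:]]+301[[:space:]]+https://' ||
        fail "no permanent (301) redirect from HTTP to HTTPS"
    has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+[^"]*"[[:space:]]+always;' ||
        fail "HSTS header missing or not sent with 'always'"
    ! has 'ssl_protocols[^;]*SSLv3' || fail "ssl_protocols still enables SSLv3"
    return "$fails"
}

# Constructed sample configs (not from a real server), written into directory $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1.2;
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp"
audit_nginx_tls "$tmp/weak.conf" || echo "weak.conf: $? finding(s)"
audit_nginx_tls "$tmp/hardened.conf" && echo "hardened.conf: OK"
rm -rf "$tmp"
```

The weak sample uses `cert.pem`, which omits the intermediate chain that `fullchain.pem` includes, so some clients would fail to validate it even though the key path is correct.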
By adhering to these guidelines, your site will be secured with an automated Let's Encrypt certificate, guaranteeing trust for every connection.