Configuring Let's Encrypt for your hosting platform is now a fundamental step for any webmaster. This guide outlines the essential steps to set up a valid certificate using Certbot.
Prerequisites and Initial Setup
Before starting, verify that a public domain name resolves to your machine and that the machine is reachable from the internet. You will need administrator rights and a web server such as Nginx or Apache (Caddy also works, but it obtains its own ACME certificates and does not need Certbot). Install the Let's Encrypt client through your distribution's package manager: on Debian-based systems, `sudo apt install certbot`; on distributions that use yum, `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to let Certbot configure the web server for you. For Apache or Nginx, the `--apache` or `--nginx` plugin can modify your virtual host directly. Run: `sudo certbot --apache -d example.com -d www.example.com` (or `--nginx`). This requests the certificate and performs the domain verification. If you prefer a non-intrusive method, use the webroot plugin: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a challenge token under `.well-known/acme-challenge/` in your web directory, which Let's Encrypt fetches over HTTP to prove you control the domain.
Web Server Configuration Adjustments
After obtaining the certificate, you must update your server block to use the private key and the certificate chain files. For Nginx, the standard directives are:
- `ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;`
- `ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;`
Ensure that plain HTTP requests are redirected to HTTPS. A permanent 301 redirect is recommended. For Nginx, add `return 301 https://$host$request_uri;` to the port-80 server block; for Apache, use `RewriteEngine On` with a matching `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. The Certbot package installs a systemd timer (or a cron job on systems without systemd) that renews them automatically before they expire. To verify that renewal will work, run: `sudo certbot renew --dry-run`. Review the Certbot log (`/var/log/letsencrypt/letsencrypt.log`) and your web server logs for errors. If the renewal fails, check that the domain still resolves to this machine and that the challenge path is reachable over HTTP.
Security Hardening (Optional but Recommended)
To enhance security, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your HTTPS server block. Also disable outdated TLS versions and use strong cipher suites. A robust configuration protects your clients from protocol downgrade attacks.
By implementing these guidelines, your site will be protected with a free Let's Encrypt certificate, ensuring trust for every connection.