Configuring the free SSL provider for your web server is now a critical task for any webmaster. This guide outlines the essential steps to deploy a trusted certificate using the official ACME client.
Prerequisites and Initial Setup
Before starting the configuration, ensure your machine has a DNS record pointing to it. You will need administrator rights and an HTTP daemon like Nginx. The Certbot package must be installed via your package manager (apt or yum). For example, on Debian, run `sudo apt install certbot`; on yum-based systems, run `sudo yum install certbot`.
Obtaining the Certificate
The simplest method is to use the DNS plugin. For Apache or Nginx, the `--apache` or `--nginx` plugin, respectively, can directly modify your virtual host. Run: `sudo certbot --apache -d example.com -d www.example.com`. This initiates the domain validation. If you prefer manual control, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This writes the validation challenge file into your document root.
Web Server Configuration Adjustments
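After obtaining the certificate, you must update your server block or virtual host to use the certificate file locations. The standard directives are listed below (`ssl_certificate` is the Nginx directive, `SSLCertificateKeyFile` is the Apache one):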
- ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP to HTTPS. A 301 redirect is best practice. For Nginx, include `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates expire after 90 days. Certbot sets up a scheduled task to renew them automatically. To verify the renewal process, run: `sudo certbot renew --dry-run`. Check your system logs for warnings. If the renewal fails, check for firewall issues.
Security Hardening (Optional but Recommended)
To boost security, consider enabling HSTS by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your Nginx server block. Also, turn off TLS 1.0 and enable modern ciphers. A robust configuration protects your users from vulnerabilities.
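One way to check an Nginx configuration against the settings covered in this guide (the `fullchain.pem` path, the 301 redirect, HSTS with `always`, and disabled legacy TLS). This is an added example, not part of the original guide or of Certbot; the sample config, function names and finding labels are constructed for illustration, and flagging TLS 1.1 alongside TLS 1.0 is an assumption beyond the text.

```python
import re

# Constructed sample (not from the guide): each block carries deliberate weaknesses.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

def server_blocks(conf):
    """Return the body of each server { ... } block, found by brace counting."""
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def audit(conf):
    """Return finding labels (hypothetical names) for the settings this guide covers."""
    findings = []
    for body in server_blocks(conf):
        if not re.search(r"listen\s+[^;]*\b(443|ssl)\b", body):
            # A plain-HTTP block should do nothing but redirect to HTTPS.
            if not re.search(r"return\s+301\s+https://", body):
                findings.append("no-https-redirect")
            continue
        cert = re.search(r"ssl_certificate\s+(\S+?);", body)
        if not cert or not cert.group(1).endswith("/fullchain.pem"):
            findings.append("cert-not-fullchain")
        # An unset ssl_protocols counts too: the default set depends on the Nginx version.
        protos = re.search(r"ssl_protocols\s+([^;]+);", body)
        if not protos or {"TLSv1", "TLSv1.1"} & set(protos.group(1).split()):
            findings.append("legacy-tls-not-disabled")
        hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"[^"]*"\s*(always)?\s*;', body)
        if not hsts or not hsts.group(1):
            findings.append("hsts-missing" if not hsts else "hsts-without-always")
    return findings

print(audit(SAMPLE_CONF))
```

Without `always`, Nginx omits the HSTS header on error responses, and pointing `ssl_certificate` at `cert.pem` serves the leaf certificate without the intermediate chain.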
By following these steps, your site will be secured with an automated Let's Encrypt certificate, guaranteeing trust for every request.