Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Obtaining a free, browser-trusted TLS certificate from Let's Encrypt is now standard practice for any website operator. This guide walks through the key steps to request, install and renew a certificate with Certbot, the ACME client recommended by Let's Encrypt.

Prerequisites and Initial Setup

Before starting, make sure the domain's DNS A/AAAA record points to a public IP address of the server you are configuring, and that port 80 is reachable from the Internet (the HTTP-01 challenge is fetched over plain HTTP). You will need root or sudo access and an HTTP daemon such as Apache or Nginx. Install Certbot from your distribution's package manager: on Debian or Ubuntu, run `sudo apt install certbot` (add `python3-certbot-apache` or `python3-certbot-nginx` for the web server plugin); on RHEL-derived distributions with EPEL enabled, run `sudo yum install certbot` (or `dnf`).

Obtaining the Certificate

The simplest method is the web server plugin, which obtains the certificate and edits your virtual host for you. For Apache, run `sudo certbot --apache -d example.com -d www.example.com`; for Nginx, run `sudo certbot --nginx` with the same `-d` flags. Either command triggers domain validation: Let's Encrypt fetches a token over HTTP from each listed name, so every name must resolve to this server. If you prefer to manage the server configuration yourself, request the certificate only: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. The webroot plugin writes the challenge file under `/var/www/html/.well-known/acme-challenge/`, which your existing HTTP vhost must serve on port 80. The DNS-01 challenge (via a `certbot-dns-*` plugin) is needed only for wildcard certificates or for hosts that cannot be reached on port 80. Add `--dry-run` to any of these commands to rehearse against the staging environment without consuming production rate limits.

Web Server Configuration Adjustments

After the certificate is issued, point your TLS virtual host at the files Certbot maintains under `/etc/letsencrypt/live/<domain>/`. Always reference that `live` directory rather than the numbered files in `archive/`: the symlinks in `live` are updated on every renewal. For Nginx, the directives are:

  • `ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;` (the leaf certificate plus the intermediate chain; pointing this at `cert.pem` breaks chain building for many clients)
  • `ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;`

The Apache equivalents are `SSLCertificateFile` and `SSLCertificateKeyFile` with the same paths.

Redirect all plain-HTTP traffic to HTTPS with a permanent (301) redirect. In Nginx, put `return 301 https://$host$request_uri;` in the port 80 `server` block; in Apache, use `Redirect permanent / https://example.com/` or `RewriteEngine On` with a `RewriteRule` to the HTTPS URL. If you use the webroot plugin, keep serving `/.well-known/acme-challenge/` directly from that HTTP block: Let's Encrypt does follow redirects, but answering the challenge on port 80 avoids making renewal depend on the HTTPS vhost being healthy.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days, so renewal must be automated. The Debian, Ubuntu and EPEL packages install a systemd timer (or a cron job on systems without systemd) that runs `certbot renew` twice a day; Certbot only renews certificates that are within 30 days of expiry. Test the process end to end against the staging environment with `sudo certbot renew --dry-run`, and review `/var/log/letsencrypt/letsencrypt.log` for warnings. If renewal fails, check that port 80 is still reachable from the Internet: firewall rules, a changed IP address, or a vhost that no longer serves the challenge path are the usual causes. Note that `certbot certonly` does not reload your web server; without a deploy hook, the renewed certificate sits on disk while Nginx or Apache keeps serving the old one until the next restart.
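A deploy hook that closes the gap just described, as an added example rather than the page's own code: Certbot runs every executable in `/etc/letsencrypt/renewal-hooks/deploy/` after a successful renewal, exporting `RENEWED_LINEAGE` and `RENEWED_DOMAINS`. This script validates the web server configuration, reloads it, and then confirms that the renewed certificate on disk is good for at least 30 more days, so a silent failure shows up in Certbot's log instead of on the day the site goes dark. Nginx on a systemd host is assumed; the environment variables `TEST_CMD` and `RELOAD_CMD` are introduced here (they are not Certbot's) so the same hook can be pointed at Apache.

```shell
#!/bin/sh
# Added example: /etc/letsencrypt/renewal-hooks/deploy/reload-web-server
# Run by `certbot renew` only when a lineage was actually renewed. Certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS.
# TEST_CMD and RELOAD_CMD are this script's own knobs (assumed names, not Certbot's):
#   Apache: TEST_CMD="apachectl configtest" RELOAD_CMD="systemctl reload apache2"

# Reload the server only if the lineage is complete and the config still parses.
# Returns 1 for missing files, 2 for a failed config test, 3 for a failed reload.
reload_web_server() {
    lineage="$1"
    test_cmd="${TEST_CMD:-nginx -t}"
    reload_cmd="${RELOAD_CMD:-systemctl reload nginx}"

    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "deploy hook: $lineage is missing fullchain.pem or privkey.pem" >&2
        return 1
    fi
    # A broken config plus a reload takes the site down; test first.
    if ! $test_cmd >/dev/null 2>&1; then
        echo "deploy hook: '$test_cmd' failed, not reloading" >&2
        return 2
    fi
    $reload_cmd || return 3
}

# True if the PEM certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Entry point used by Certbot. Doing nothing when RENEWED_LINEAGE is unset lets the
# functions above be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_web_server "$RENEWED_LINEAGE" || exit $?
    # A freshly issued Let's Encrypt certificate has about 90 days; far less means
    # the lineage on disk is not what was just issued.
    if ! cert_valid_for_days "$RENEWED_LINEAGE/fullchain.pem" 30; then
        echo "deploy hook: renewed certificate for $RENEWED_DOMAINS expires within 30 days" >&2
        exit 4
    fi
    echo "deploy hook: reloaded web server for $RENEWED_DOMAINS"
fi
```

Install it with `sudo install -m 755 reload-web-server /etc/letsencrypt/renewal-hooks/deploy/`. Note that `certbot renew --dry-run` skips deploy hooks by default (newer Certbot releases accept `--run-deploy-hooks` to include them). To verify what clients actually receive rather than what is on disk, run `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -enddate` after a renewal and compare the date with the file in `live/`.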

Security Hardening (Optional but Recommended)

To harden the deployment, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the HTTPS `server` block (not to the HTTP block, where browsers ignore it). Make sure every subdomain is already served over HTTPS before using `includeSubDomains`, because browsers will refuse plain HTTP to all of them for a year. Disable TLS 1.0 and 1.1 (`ssl_protocols TLSv1.2 TLSv1.3;` in Nginx, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` in Apache) and restrict TLS 1.2 to forward-secret AEAD cipher suites. Validate the configuration (`nginx -t` or `apachectl configtest`) before reloading, and confirm the result with an external scanner such as SSL Labs.
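The virtual host and hardening sections above, combined into one complete Nginx configuration. This is an added example, not configuration from the original page: a shell function that prints the HTTP and HTTPS `server` blocks for a given domain and webroot, so the same template can be rendered for several sites and reviewed before it is installed. The domain `example.com`, the webroot `/var/www/html`, the function name `render_nginx_vhost` and the TLS 1.2 cipher list (the Mozilla "intermediate" profile) are assumptions made here, not the page's.

```shell
#!/bin/sh
# Added example: render a hardened Nginx vhost for a Let's Encrypt certificate.
# Usage: render_nginx_vhost example.com /var/www/html > /etc/nginx/sites-available/example.com
# Domain, webroot and cipher list below are assumptions for illustration.

render_nginx_vhost() {
    domain="$1"
    webroot="$2"
    # ${domain}/${webroot} are expanded by the shell; Nginx's own $host/$request_uri are escaped.
    cat <<EOF
# Port 80: serve ACME HTTP-01 challenges from the webroot, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} www.${domain};

    # Certbot's --webroot plugin writes tokens here; keep this reachable over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root ${webroot};
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

# Port 443: the TLS vhost. Paths under live/ are symlinks that Certbot updates on renewal.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${domain} www.${domain};

    # fullchain.pem = leaf + intermediate; cert.pem alone breaks chain building for many clients.
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    # TLS 1.0/1.1 disabled; TLS 1.2 limited to forward-secret AEAD suites (Mozilla intermediate).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS belongs only in the HTTPS block; 'always' also sends it on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root ${webroot};
    index index.html;
}
EOF
}

# Render only when run directly with two arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    render_nginx_vhost "$1" "$2"
fi
```

Render the file, run `nginx -t`, then `systemctl reload nginx`. On Nginx 1.25.1 or later the `http2` listen parameter is deprecated in favour of a separate `http2 on;` directive; both forms still work.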

By following these steps, your site will serve a free, automatically renewed Let's Encrypt certificate that every modern browser trusts, with plain-HTTP traffic redirected to HTTPS and legacy protocol versions disabled.
