Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Let's Encrypt is a free, automated certificate authority, and serving your site with a browser-trusted certificate is now a baseline expectation for any website operator. This guide walks through obtaining and deploying one with certbot, the EFF's ACME client that Let's Encrypt recommends.

Prerequisites and Initial Setup

Before you begin, make sure the domain's A (and, if you use IPv6, AAAA) records point at the server and that port 80 is reachable from the internet: Let's Encrypt validates control of the domain over plain HTTP, so a firewall that only opens port 443 will make issuance fail. You need root (or sudo) access and a running web server such as Apache or Nginx. Install certbot from your distribution's package manager. On Debian or Ubuntu run `sudo apt install certbot` (add `python3-certbot-apache` or `python3-certbot-nginx` if you want the web server plugins); on RHEL-family systems enable EPEL and run `sudo dnf install certbot` (`sudo yum install certbot` on older releases). The certbot project itself recommends its snap package (`sudo snap install --classic certbot`) where snapd is available, because distribution packages can lag behind.

Obtaining the Certificate

There are two common ways to obtain the certificate. The web server plugins (`--apache` or `--nginx`) both request the certificate and edit your virtual host to use it, and they reload the server after each renewal: `sudo certbot --apache -d example.com -d www.example.com` (use `--nginx` for Nginx). Every name passed with `-d` is validated separately, so all of them must resolve to this server. If you would rather keep certbot out of your configuration, use the webroot plugin, which only obtains the certificate and leaves installation to you: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. Either way, certbot answers the ACME http-01 challenge by writing a token under `/.well-known/acme-challenge/` in the document root; Let's Encrypt then fetches `http://example.com/.well-known/acme-challenge/<token>` and issues the certificate only if the response matches the key authorization it expects.
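To make the challenge step concrete, the following is an added example (not code from the original guide and not certbot's own code) of what the webroot plugin does with the token: it computes the key authorization from the token and the account key's JWK thumbprint (RFC 8555 section 8.1, RFC 7638), writes it under the webroot, and shows the comparison the CA performs on the response. The account key, token and webroot are constructed placeholders, not real values.

```python
# Added example (not from the original guide or from certbot): the http-01
# challenge response the webroot plugin writes, per RFC 8555 section 8.1,
# using the JWK thumbprint of RFC 7638.
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed, non-functional account key for illustration only. A real
# certbot account key lives under /etc/letsencrypt/accounts/ and is RSA or EC.
DEMO_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "NOT-A-REAL-MODULUS_placeholder-value",
    "e": "AQAB",
}

# Constructed token. Real tokens are >= 128 bits of randomness from the CA.
DEMO_TOKEN = "constructed-token_0123456789abcdef-ABCDEF"

# RFC 8555: tokens contain only base64url characters. Enforcing this also rules
# out path traversal when the token becomes a file name under the webroot.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at the challenge URL: token '.' thumbprint."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it as a file name")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA will fetch the response; note plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def place_challenge(webroot: Path, token: str, jwk: dict) -> Path:
    """What `certbot certonly --webroot -w <webroot>` does with the token."""
    body = key_authorization(token, jwk)          # validates the token first
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    path = challenge_dir / token
    path.write_text(body, encoding="ascii")
    return path


def response_is_valid(body: str, token: str, jwk: dict) -> bool:
    """CA-side comparison; trailing whitespace in the body is ignored (RFC 8555 s8.3)."""
    return body.rstrip() == key_authorization(token, jwk)


def run_demo(domain: str = "example.com") -> dict:
    """Place the constructed token in a temporary webroot and check it end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        path = place_challenge(webroot, DEMO_TOKEN, DEMO_ACCOUNT_JWK)
        served = path.read_text(encoding="ascii")  # what the web server would return
        return {
            "url": challenge_url(domain, DEMO_TOKEN),
            "relative_path": path.relative_to(webroot).as_posix(),
            "body": served,
            # a web server that appends a newline is still accepted
            "valid": response_is_valid(served + "\n", DEMO_TOKEN, DEMO_ACCOUNT_JWK),
            # the same body for a different token must be rejected
            "wrong_token_valid": response_is_valid(served, "other-token", DEMO_ACCOUNT_JWK),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The practical check this gives you: after certbot writes the token, `curl -i http://example.com/.well-known/acme-challenge/<token>` from outside the server must return 200 with exactly the `token.thumbprint` body (a redirect to HTTPS is tolerated because Let's Encrypt follows it, but a 404, a rewritten path or an HTML error page is not).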

Web Server Configuration Adjustments

If you used `certonly`, you now have to point your virtual host at the files certbot keeps under `/etc/letsencrypt/live/<domain>/`. These are symlinks to the most recent certificate, so the paths stay valid across renewals and should be referenced directly rather than copied. For Nginx the directives are:

  • ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`

Apache uses `SSLCertificateFile` for `fullchain.pem` and `SSLCertificateKeyFile` for `privkey.pem`. Then redirect HTTP to HTTPS with a permanent (301) redirect: in Nginx, put `return 301 https://$host$request_uri;` in the port-80 server block; in Apache, use `RewriteEngine On` with a `RewriteRule` in the port-80 virtual host (or simply `Redirect permanent / https://example.com/`). Keep `/.well-known/acme-challenge/` reachable over plain HTTP, or at least make sure the HTTPS target serves it too (Let's Encrypt follows redirects), otherwise the next renewal can fail. Run `nginx -t` or `apachectl configtest` before reloading the server.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days, and certbot renews any certificate with fewer than 30 days remaining. Distribution packages install a scheduled job for this (on Debian and Ubuntu a systemd timer, `certbot.timer`, which you can inspect with `systemctl list-timers certbot.timer`; the snap package ships its own timer). Test the whole path without touching your real certificates: `sudo certbot renew --dry-run`. Renewal replaces the files under `/etc/letsencrypt/live/`, but a running Nginx or Apache keeps serving the certificate it loaded at start-up, so if you used the webroot plugin add a reload hook, for example `--deploy-hook "systemctl reload nginx"`, on the initial `certonly` run (certbot stores it in the renewal configuration); the `--apache` and `--nginx` plugins reload the server themselves. If a renewal fails, read `/var/log/letsencrypt/letsencrypt.log` and check that port 80 is still reachable and that the challenge path is not being redirected elsewhere, rewritten or blocked.

Security Hardening (Optional but Recommended)

To go further, add HTTP Strict Transport Security (HSTS) in the HTTPS server block only, so the header is never emitted over plain HTTP: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (the `always` parameter makes Nginx send it on error responses as well). Be deliberate with `includeSubDomains`: once a browser has seen it, every subdomain, including ones that have no certificate, is HTTPS-only for `max-age` seconds, so start with a short `max-age` and add `preload` only when you are certain. Disable TLS 1.0 and 1.1 (`ssl_protocols TLSv1.2 TLSv1.3;` in Nginx, `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache) and use an AEAD-only cipher list such as the Mozilla "intermediate" profile. A correct configuration protects your users from protocol-downgrade and SSL-stripping attacks.

By following these steps, your site serves every session over HTTPS with a free, automatically renewed Let's Encrypt certificate that browsers trust.
