Configuring the free SSL provider, Let's Encrypt, for your HTTP server is now a critical task for any site owner. This guide outlines the core configuration steps for installing a certificate using the official ACME client, Certbot.
Prerequisites and Initial Setup
Before beginning the configuration, ensure a DNS record for your domain points to your machine. You will need root access and a web server like Apache. The Let's Encrypt client package must be installed via your distribution's package manager. For example, run `sudo apt install certbot` on Debian or Ubuntu, or `sudo yum install certbot` on CentOS.
Obtaining the Certificate
The most common method is to use the DNS plugin. For Apache or Nginx, the matching `--apache` or `--nginx` plugin can directly modify your configuration file. Run: `sudo certbot --apache -d example.com -d www.example.com`. This triggers the domain validation. If you prefer the webroot approach, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places a validation file in your web directory.
Web Server Configuration Adjustments
After obtaining the certificate, you must modify your server configuration to point to the key and certificate files. For Apache, the typical directives are:
- SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
- SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`
Ensure you redirect HTTP requests to HTTPS. A permanent redirect is standard. For Nginx, include `return 301 https://$host$request_uri;`; for Apache, use `RewriteEngine On` with a `RewriteRule`.
Automated Renewal and Verification
Let's Encrypt certificates are valid for 90 days. Certbot sets up a cron job to renew them automatically. To verify the renewal process, run: `sudo certbot renew --dry-run`. Review your server logs for warnings. If the renewal fails, check for DNS issues.
Security Hardening (Optional but Recommended)
To enhance security, enable HSTS (HTTP Strict Transport Security) headers by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in your virtual host. Also, remove SSLv3 and use strong cipher suites. A secure configuration protects your clients from downgrade attacks.
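The following is an added example, not part of the original guide or of Certbot: a shell check that audits an Nginx configuration for the settings described above (permanent redirect, certificate and key paths, HSTS header, no SSLv3). It assumes Nginx, where the certificate directives are `ssl_certificate` and `ssl_certificate_key`; the function name `audit_nginx_tls` and both sample configs are constructed for illustration.

```shell
# audit_nginx_tls FILE: print one line per finding; the return status is the
# number of findings (0 = every check passed). Comment stripping is naive.
audit_nginx_tls() {
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }
    # Drop comments so a commented-out directive does not count as set.
    active=$(sed 's/#.*//' "$1")
    has 'return[[:space:]]+301[[:space:]]+https://' \
        || fail "no permanent redirect from HTTP to HTTPS"
    # fullchain.pem carries the intermediate certificate; cert.pem alone does not.
    has 'ssl_certificate[[:space:]]+[^;]*/fullchain\.pem[[:space:]]*;' \
        || fail "ssl_certificate does not point at fullchain.pem"
    has 'ssl_certificate_key[[:space:]]+[^;]*/privkey\.pem[[:space:]]*;' \
        || fail "ssl_certificate_key does not point at privkey.pem"
    has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+' \
        || fail "no Strict-Transport-Security header"
    # Require an explicit protocol list, and reject one that still names SSLv3.
    if ! has 'ssl_protocols[[:space:]]'; then
        fail "ssl_protocols not set explicitly"
    elif has 'ssl_protocols[^;]*SSLv3'; then
        fail "ssl_protocols still allows SSLv3"
    fi
    return "$findings"
}

# Constructed sample configs: one weak, one following the guide.
weak=$(mktemp); good=$(mktemp)
cat > "$weak" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1.2;
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
cat > "$good" <<'EOF'
server { listen 80; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
audit_nginx_tls "$weak" || echo "weak config: $? finding(s)"
audit_nginx_tls "$good" && echo "good config: all checks passed"
```

The check reads only the file it is given, so run it against each file that `include` pulls into the main configuration.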
By adhering to these guidelines, your site will be protected with a free Let's Encrypt certificate, ensuring privacy for every session.