Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Obtaining a certificate from Let's Encrypt, the free certificate authority, and installing it on your web server is now a routine but critical task for any site owner. This guide outlines the essential steps to obtain, install and automatically renew a valid certificate using Certbot, the ACME client recommended by Let's Encrypt.

Prerequisites and Initial Setup

Before beginning, confirm that you control a domain name whose DNS A record (and AAAA record, if you use IPv6) points at the server's public IP address, and that port 80 is reachable from the Internet, because Let's Encrypt validates control of the domain over HTTP. You will need root access and an HTTP daemon such as Apache or Nginx. Install the Certbot client from your OS repository: on Debian or Ubuntu, run `sudo apt install certbot`; on CentOS or RHEL, run `sudo yum install certbot` (or `dnf`), which requires the EPEL repository to be enabled. The web server plugin is a separate package (`python3-certbot-apache` or `python3-certbot-nginx` on Debian-based systems).

Obtaining the Certificate

The most common method is one of the web server plugins: `--apache` for Apache or `--nginx` for Nginx. The plugin obtains the certificate and edits your virtual host to use it. Run: `sudo certbot --apache -d example.com -d www.example.com`. This starts domain validation with the HTTP-01 challenge: Let's Encrypt requests `http://example.com/.well-known/acme-challenge/<token>` for each name, so port 80 must be reachable from the Internet and every `-d` name must resolve to this server. If you prefer that certbot does not edit your configuration, use the webroot approach: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places the validation file under `.well-known/acme-challenge/` in your document root and leaves the server configuration to you. The DNS plugins (DNS-01 challenge) are only needed for wildcard certificates or hosts that cannot expose port 80.

Web Server Configuration Adjustments

After obtaining the certificate, point your site configuration at the files certbot wrote. Always reference the symlinks under `/etc/letsencrypt/live/<name>/`, never the numbered files under `archive/`, so that renewed certificates are picked up without further edits. For Apache (2.4.8 or later), the usual directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

Older Apache releases need `cert.pem` in `SSLCertificateFile` plus `SSLCertificateChainFile` pointing at `chain.pem`. The Nginx equivalents are:

  • ssl_certificate: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • ssl_certificate_key: `/etc/letsencrypt/live/example.com/privkey.pem`

Use `fullchain.pem`, not `cert.pem`, for the certificate: without the intermediate, clients that do not already hold it cannot build a trust path. Leave the permissions on `privkey.pem` as certbot set them (readable by root only); the server reads it as root before dropping privileges.

Redirect plain HTTP to HTTPS with a permanent (301) redirect; this is best practice, and the `--apache` and `--nginx` plugins will add it for you (`--redirect`). In Nginx, put `return 301 https://$host$request_uri;` in the port-80 server block. In Apache, use `Redirect permanent / https://example.com/` in the port-80 virtual host, or `RewriteEngine On` with a matching `RewriteRule`. Keep port 80 listening afterwards: HTTP-01 renewals still need it, and Let's Encrypt follows redirects during validation as long as the HTTPS site serves the same document root.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days, so renewal must be automated. The certbot package installs a systemd timer or cron job that runs `certbot renew` regularly and renews any certificate within 30 days of expiry; confirm it exists with `systemctl list-timers` (look for `certbot.timer`, or `snap.certbot.renew.timer` for the snap package). To simulate the renewal process against the staging environment without touching your live certificates, run: `sudo certbot renew --dry-run`. If you obtained the certificate with `certonly`, renewal does not reload your web server; add a `--deploy-hook` or a script under `/etc/letsencrypt/renewal-hooks/deploy/` to do that. If a renewal fails, read `/var/log/letsencrypt/letsencrypt.log` and check the usual causes: port 80 blocked by a firewall, DNS no longer pointing at the server, a moved document root, or Let's Encrypt rate limits.
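The two mistakes that most often surface after a configuration change or a renewal are a server pointed at `cert.pem` where `fullchain.pem` belongs, and a certificate and private key taken from two different lineages. The script below is an added example, not code from the original guide or from the certbot project: it checks both conditions plus remaining validity, and is shaped as a certbot deploy hook, which receives the lineage directory in the `RENEWED_LINEAGE` environment variable that certbot sets. It relies on the `openssl` command-line tool being installed, and the reload commands at the end are assumptions to adapt to your server.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks on the files
# under /etc/letsencrypt/live/<name>/ before a web server reload. Written to
# run as a certbot deploy hook (certbot exports the lineage path as
# RENEWED_LINEAGE), but every function also works stand-alone on any
# certificate/key pair. The reload commands at the bottom are assumptions.
set -u

# Number of PEM certificate blocks in a file. A correct fullchain.pem holds
# the leaf plus at least one intermediate; a count of 1 usually means cert.pem
# was installed where fullchain.pem belongs, so clients that lack the
# intermediate cannot build a trust path.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Public key inside the (first) certificate versus the public key derived from
# the private key. A mismatch is the classic symptom of mixing cert and key
# paths from two different lineages.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid $2 days from now.
check_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks on a lineage directory; $2 is the minimum remaining validity
# in days (default 30, matching certbot's own renewal threshold).
verify_lineage() {
    dir=$1
    min_days=${2:-30}
    chain="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    rc=0
    n=$(count_certs "$chain")
    n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "$chain: $n certificate(s), expected leaf plus chain" >&2
        rc=1
    fi
    if ! check_key_matches "$chain" "$key"; then
        echo "$key does not match the leaf certificate in $chain" >&2
        rc=1
    fi
    if ! check_not_expiring "$chain" "$min_days"; then
        echo "$chain expires within $min_days days" >&2
        rc=1
    fi
    return $rc
}

# Deploy-hook entry point: certbot sets RENEWED_LINEAGE only when it invokes
# the hook, so running this file by hand just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    verify_lineage "$RENEWED_LINEAGE" || exit 1
    # Assumed reload sequence for Nginx; for Apache use
    # "apachectl configtest && systemctl reload apache2" instead.
    nginx -t && systemctl reload nginx
fi
```

Install it executable as `/etc/letsencrypt/renewal-hooks/deploy/verify.sh`, or pass it with `--deploy-hook`; it then runs only after a successful renewal and refuses the reload when a check fails. For an ad-hoc check, source the file and call `verify_lineage /etc/letsencrypt/live/example.com`.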

Security Hardening (Optional but Recommended)

To enhance security, enable HTTP Strict Transport Security (HSTS). In Nginx, add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to the HTTPS server block; in Apache, use `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` (requires `mod_headers`). HSTS instructs browsers to refuse plain HTTP to your site for the duration of `max-age`, so enable it only once every host it covers serves HTTPS correctly, including every subdomain if you use `includeSubDomains`; a short `max-age` is a safer starting point. Also disable TLS 1.0 and 1.1 (`ssl_protocols TLSv1.2 TLSv1.3;` in Nginx, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` in Apache) and restrict the cipher suites to a modern set such as the Mozilla "intermediate" profile. Protocol versions and cipher suites with known weaknesses are where downgrade and interception attacks begin, so the configuration around the certificate matters as much as the certificate itself.
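Checking these settings by eye is error-prone, and a naive `grep TLSv1` over the configuration matches the hardened `TLSv1.2` as well. The script below is an added example, not part of the original guide: it tokenises the `ssl_protocols` (Nginx) and `SSLProtocol` (Apache) directives, replays Apache's `all`/`+`/`-` syntax, and looks for an HSTS header in either server's syntax. The four sample snippets it writes are constructed for the demonstration and pair each weak setting with its corrected form; their file names are arbitrary.

```shell
#!/bin/sh
# Added example, not part of the original guide: an offline audit of the TLS
# protocol and HSTS settings in an Nginx or Apache configuration file. The
# sample snippets written by write_samples are constructed for the demo; in
# practice run audit_tls_config on the real files under /etc/nginx or
# /etc/apache2.
set -u

# Print the legacy protocol versions (SSLv3, TLS 1.0, TLS 1.1) a file leaves
# enabled, or nothing. Tokens are compared whole: a substring search for
# "TLSv1" would also hit "TLSv1.2" and flag every hardened file.
weak_protocols() {
    enabled=""
    # Nginx lists exactly what is enabled: "ssl_protocols TLSv1.2 TLSv1.3;"
    for tok in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1"); do
        enabled="$enabled $tok"
    done
    # Apache starts from a set and adds (+) or removes (-) versions, e.g.
    # "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"; replay the tokens in order.
    # "all" is treated conservatively as including SSLv3, as older releases did.
    for tok in $(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*\(.*\)$/\1/p' "$1"); do
        case $tok in
            all|+all) enabled="$enabled SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -*) enabled=$(printf '%s\n' $enabled | grep -Fvx -- "${tok#-}" | tr '\n' ' ') ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    found=""
    for v in $enabled; do
        case $v in SSLv2|SSLv3|TLSv1|TLSv1.1) found="$found $v" ;; esac
    done
    printf '%s\n' "${found# }"
}

# True if an HSTS header is set, in either server's syntax.
has_hsts() {
    grep -Eq '^[[:space:]]*(add_header|Header[[:space:]]+(always[[:space:]]+)?set)[[:space:]]+Strict-Transport-Security' "$1"
}

# Report findings for one file; exit status 0 means nothing to fix.
audit_tls_config() {
    rc=0
    weak=$(weak_protocols "$1")
    if [ -n "$weak" ]; then
        echo "$1: legacy protocol versions enabled: $weak" >&2
        rc=1
    fi
    if ! has_hsts "$1"; then
        echo "$1: no Strict-Transport-Security header" >&2
        rc=1
    fi
    return $rc
}

# Constructed samples: each weak setting beside its corrected form.
write_samples() {
    cat > "$1/nginx-weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat > "$1/nginx-hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
    cat > "$1/apache-weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
EOF
    cat > "$1/apache-hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
}

# Stand-alone demo: write the samples to a temporary directory and audit each.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in "$dir"/*.conf; do
        audit_tls_config "$f" && echo "$f: ok"
    done
fi
```

Run `sh audit.sh --demo` to see the two weak samples flagged and the two hardened ones pass, or source the file and call `audit_tls_config` on your own configuration. A static audit cannot see what the running server actually negotiates (included files, compiled-in defaults, a reload that never happened), so follow it with a live check of the deployed site.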

By implementing these steps, your site serves a valid, free Let's Encrypt certificate that renews itself. The certificate lets clients authenticate your server and negotiate an encrypted session; the confidentiality and integrity of that session still depend on the TLS settings above and on the private key never leaving the server.
