Mastering Let's Encrypt for Your Web Server: A Practical Configuration Guide

Configuring Let's Encrypt for your web server is now a fundamental step for any site owner. This guide outlines the essential steps to obtain and install a trusted certificate using Certbot, the official ACME client.

Prerequisites and Initial Setup

Before starting the configuration, ensure your VPS has a reachable domain name whose DNS record points to it. You will need administrator (root or sudo) rights and an HTTP server such as Nginx. Install the Certbot package from your OS repository, for example with `sudo apt install certbot` (Debian/Ubuntu) or `sudo yum install certbot` (CentOS).

Obtaining the Certificate

The recommended method is to use the DNS plugin. For Apache or Nginx, the `--apache` or `--nginx` plugin respectively can modify your virtual host for you. Run: `sudo certbot --apache -d example.com -d www.example.com`. This initiates the ACME challenge. If you prefer a non-intrusive method that leaves your configuration untouched, use: `sudo certbot certonly --webroot -w /var/www/html -d example.com`. This places the challenge file in your public web root, where the ACME server fetches it over plain HTTP.

Web Server Configuration Adjustments

After obtaining the certificate, you must update your site configuration to point at the certificate and key files. For Apache, the typical directives are:

  • SSLCertificateFile: `/etc/letsencrypt/live/example.com/fullchain.pem`
  • SSLCertificateKeyFile: `/etc/letsencrypt/live/example.com/privkey.pem`

Enable a redirect from HTTP to HTTPS; a permanent (301) redirect is standard. For Nginx, include `return 301 https://$host$request_uri;` in the port 80 server block; for Apache, use `RewriteEngine On` with a `RewriteRule`.

Automated Renewal and Verification

Let's Encrypt certificates are valid for 90 days. The Certbot package configures a cron job or systemd timer to renew them automatically. To simulate the renewal process without issuing a certificate, run: `sudo certbot renew --dry-run`. Review the certbot logs for errors. If renewal fails, check for firewall issues blocking the challenge.

Security Hardening (Optional but Recommended)

To improve security, enable HTTP Strict Transport Security (HSTS) by adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` to your server or location block. Also disable SSLv3 (and other legacy protocol versions) and enable strong cipher suites. A robust configuration protects your visitors from man-in-the-middle (MITM) attacks.

By following these steps, your web server will be secured with a free Let's Encrypt certificate, so that every request is served over a trusted HTTPS connection.
