Let’s Encrypt is a free, non-profit certificate authority dedicated to promoting widespread HTTPS adoption, fostering a more secure and privacy-respecting internet. Its certificates are valid for 90 days and can be renewed at any time. By automating the processes of certificate creation, validation, signing, installation, and renewal, Let’s Encrypt significantly reduces the complexity of configuring and maintaining TLS encryption. This article provides a detailed guide on configuring Let’s Encrypt SSL/TLS certificates on Hong Kong server using NGINX, ensuring a clear, logical, and highly feasible approach suitable for users of Hong Kong VPS and Hong Kong cloud servers.
## Steps to Configure Let’s Encrypt SSL/TLS Certificates
Below are the detailed steps to configure Let’s Encrypt SSL/TLS certificates on Hong Kong servers using NGINX, covering two common methods: HTTP-01 validation and DNS-01 validation.
### Method 1: HTTP-01 Validation (Suitable for Domains Pointing to the Server’s IP)
1. **Install Certbot**
Certbot is the official Let’s Encrypt client for automating the acquisition and deployment of SSL certificates. On Hong Kong VPS or Hong Kong servers running Ubuntu, install Certbot and its NGINX plugin with the following commands:
“`bash
sudo apt update
sudo apt install certbot python3-certbot-nginx
“`
2. **Configure NGINX**
Ensure your NGINX configuration includes the `server_name` directive pointing to the domain you want to secure. For example, in `/etc/nginx/sites-available/your-site`, configure as follows:
“`nginx
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
root /var/www/html;
}
“`
Save the file, then validate and reload the NGINX configuration:
“`bash
sudo nginx -t
sudo systemctl reload nginx
“`
3. **Obtain the SSL/TLS Certificate**
Use Certbot’s NGINX plugin to automatically generate the certificate and configure NGINX:
“`bash
sudo certbot –nginx -d yourdomain.com -d www.yourdomain.com
“`
Follow the prompts to enter your email address and agree to the terms of service. Certbot will automatically obtain the certificate and update the NGINX configuration to enable HTTPS.
4. **Automate Certificate Renewal**
Let’s Encrypt certificates are valid for 90 days, and Certbot configures automatic renewal by default. Test the renewal process with:
“`bash
sudo certbot renew –dry-run
“`
For manual renewal, run:
“`bash
sudo certbot renew
“`
### Method 2: DNS-01 Validation (Suitable for Wildcard Certificates or Servers Without Public IPs)
1. **Install Certbot**
Ensure Certbot is installed on your Hong Kong server:
“`bash
sudo apt-get update
sudo apt-get install certbot
“`
2. **Generate DNS-01 Validation Challenge**
Run the following Certbot command to generate the TXT record required for DNS-01 validation:
“`bash
sudo certbot certonly –manual –preferred-challenges dns -d yourdomain.com -d *.yourdomain.com
“`
Certbot will provide a TXT record value, such as `_acme-challenge.yourdomain.com`, along with the corresponding string.
3. **Add the TXT Record**
Log in to your DNS provider’s management console and add a TXT record in the domain’s DNS settings. Set the record name to `_acme-challenge.yourdomain.com` and the value to the string provided by Certbot. Save the changes and wait for the DNS record to propagate (typically a few minutes).
4. **Verify the DNS Record**
Check if the TXT record has propagated correctly using:
“`bash
nslookup -q=TXT _acme-challenge.yourdomain.com
“`
Ensure the returned TXT value matches the one provided by Certbot.
5. **Complete Validation and Obtain the Certificate**
Return to the Certbot command-line interface and press Enter to continue. Certbot will verify the TXT record and issue the certificate upon successful validation. Certificates are typically stored in `/etc/letsencrypt/live/yourdomain.com/`.
6. **Configure NGINX to Use the Certificate**
Edit the NGINX configuration to include SSL settings. For example:
“`nginx
server {
listen 443 ssl;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
root /var/www/html;
}
“`
Save the file, then validate and reload NGINX:
“`bash
sudo nginx -t
sudo systemctl reload nginx
“`
7. **Automate Renewal (Optional)**
If your DNS provider supports an API, you can use Certbot’s DNS plugin for automated renewals. For example, with Cloudflare:
“`bash
sudo certbot certonly –dns-cloudflare –dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d yourdomain.com
“`
Ensure the API credentials file (e.g., `cloudflare.ini`) is configured in advance.
## Conclusion
Using the methods outlined above, you can effortlessly configure Let’s Encrypt SSL/TLS certificates on Hong Kong VPS or Hong Kong servers with NGINX. HTTP-01 validation is ideal for domains already resolved to the server’s IP, while DNS-01 validation suits wildcard certificates or servers without public IPs. Certbot’s automation features streamline certificate management and renewal, ensuring your website on a Hong Kong server maintains a secure, encrypted connection.