How To Secure Apache with Let’s Encrypt on Debian 10

Last updated on August 10th, 2020 at 03:05 am

Let’s Encrypt is a free SSL/TLS certificate provider that allows you to easily secure your website. Here’s how to secure Apache with Let’s Encrypt on Debian 10.

 


Here are the steps to secure Apache with Let’s Encrypt on Debian 10, Debian 9 and Ubuntu Linux.

 

1. Install Certbot

Let’s Encrypt provides an automated tool called Certbot that automatically obtains and renews Let’s Encrypt SSL certificates.

Open a terminal and run the following commands:

$ sudo apt update
$ sudo apt install certbot

2. Setup SSL Configuration in Apache

Certbot needs to find a ServerName directive that matches the domain for which you are obtaining an SSL certificate. Let’s say you want to obtain an SSL certificate for the example.com domain. Open the virtual host configuration file for example.com:

$ sudo vi /etc/apache2/sites-available/example.com.conf

Ensure that the ServerName directive points to your domain (example.com):

ServerName example.com

Reload Apache to apply the change:

$ sudo systemctl reload apache2

Before proceeding, make sure your firewall allows HTTPS traffic on port 443.

3. Obtain SSL Certificate

Run the following command to obtain a single SSL certificate covering both example.com and www.example.com, from the same directory that contains your virtual host file (/etc/apache2/sites-available/):

$ sudo certbot certonly --agree-tos --email admin@example.com -d example.com -d www.example.com

In the above command, replace admin@example.com with your website administrator’s email address.

Certbot will contact the Let’s Encrypt server and complete a security challenge that verifies you actually control the domain for which you are requesting the SSL certificate. The certificate is issued once the challenge passes.

If the SSL certificate is obtained successfully, you will see a message like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


4. Update Virtual Host Configuration File

The above message contains the paths to your SSL certificate and key files. Open the virtual host configuration file to add these paths.

$ sudo vi /etc/apache2/sites-available/example.com.conf

Add the following lines inside the <VirtualHost *:443> block, before the closing </VirtualHost> line.

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

 

Your VirtualHost block will look something like this

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
...

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

...

</VirtualHost>
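
The configtest in step 5 checks syntax, not whether the TLS directives sit in the :443 block for your domain or point at that domain's Certbot files. The shell check below covers the step 4 edit; it is an added example, not part of the original tutorial, `check_tls_vhost` and `sample_vhost` are hypothetical helper names, and the sample vhost is constructed.

```shell
# Added example, not from the original tutorial; helper names are hypothetical.
# Usage: check_tls_vhost <domain> < vhost.conf
# Exit 0 only if a :443 block for <domain> enables SSL and uses Certbot's files.
check_tls_vhost() {
    awk -v domain="$1" -v live="/etc/letsencrypt/live/$1" '
        function problem(msg) { print "PROBLEM: " msg; bad = 1 }
        BEGIN { wantcert = live "/fullchain.pem"; wantkey = live "/privkey.pem" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); gsub(/"/, "") }
        $0 == "" || /^#/ { next }
        tolower($1) == "<virtualhost" {          # opening tag: track only :443 blocks
            tlsblk = ($2 ~ /:443>$/); name = engine = cert = key = ""; next
        }
        tolower($1) == "</virtualhost>" {        # closing tag: judge the finished block
            if (tlsblk && tolower(name) == tolower(domain)) {
                found = 1
                if (tolower(engine) != "on") problem("SSLEngine is not On")
                if (cert != wantcert)
                    problem("SSLCertificateFile is \"" cert "\", expected " wantcert)
                if (key != wantkey)
                    problem("SSLCertificateKeyFile is \"" key "\", expected " wantkey)
            }
            tlsblk = 0; next
        }
        tlsblk {                                 # directive names are case-insensitive
            d = tolower($1)
            if (d == "servername") name = $2
            else if (d == "sslengine") engine = $2
            else if (d == "sslcertificatefile") cert = $2
            else if (d == "sslcertificatekeyfile") key = $2
        }
        END { if (!found) problem("no <VirtualHost *:443> block with ServerName " domain)
              exit (bad ? 1 : 0) }
    '
}

# Constructed sample input: the vhost from step 4, with the key path taken from $1.
sample_vhost() {
    cat <<EOF
<VirtualHost *:443>
  ServerName example.com
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile $1
</VirtualHost>
EOF
}

sample_vhost /etc/letsencrypt/live/example.com/privkey.pem | check_tls_vhost example.com && echo "step 4 vhost: ok"
sample_vhost /etc/ssl/private/old.key | check_tls_vhost example.com || echo "stale key path: rejected"
```

On a server, feed it the real file before step 5: `check_tls_vhost example.com < /etc/apache2/sites-available/example.com.conf`.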


5. Test Apache Configuration and Restart Server

Run the following command to test Apache server configuration

$ sudo apachectl configtest

If you don’t see any errors, restart the Apache web server.

$ sudo service apache2 restart

You have now installed the Let’s Encrypt SSL certificate in the Apache web server. Open a browser and visit the https:// version of your domain (e.g. https://www.example.com).

You will see a lock symbol next to your URL in the browser’s address bar, indicating that your website’s SSL/TLS certificate is working properly.


Hopefully, you can now secure Apache with a Let’s Encrypt SSL certificate on Debian/Ubuntu as well as other Linux systems.
