Let’s Encrypt is a free SSL/TLS certificate provider that allows you to easily secure your website. Here’s how to secure Apache with Let’s Encrypt on Debian 10.
How To Secure Apache with Let’s Encrypt on Debian 10
Here are the steps to secure Apache with Let’s Encrypt on Debian 10, Debian 9 and Ubuntu Linux.
1. Install Certbot
Let’s Encrypt provides an automated tool called Certbot that automatically obtains and renews Let’s Encrypt SSL certificates.
Open terminal and run the following command
sudo apt update sudo apt install certbot
Bonus Read : How to Set CORS in Apache
2. Setup SSL Configuration in Apache
Certbot needs to find a ServerName directive that matches the domain for which you are obtaining SSL certificate. Let’s say you want to obtain SSL certificate for example.com domain. Open the virtual host configuration file for your domain example.com
$ sudo vi /etc/apache2/sites-available/example.com.conf
Ensure that ServerName directive points to your domain (example.com)
ServerName example.com
Restart Apache
$ sudo systemctl reload apache2
Before proceeding further, please ensure that you have allowed HTTPS traffic in your firewall for port 443.
Bonus Read : How to Install Apache mod_security in Ubuntu
3. Obtain SSL Certificate
Run the following command to obtain single SSL certificate for both example.com and www.example.com, from the same directory that contains your virtual host file (/etc/apache2/sites-available/)
$ sudo certbot certonly --agree-tos --email admin@example.com -d example.com -d www.example.com
In the above command, replace admin@example.com with your website administrator’s email address.
certbot will begin communicating with Let’s Encrypt server to get the SSL certificate, after it runs a security challenge to verify that you actually control the domain for which you are requesting SSL certificate.
If Let’s Encrypt gets SSL certificate you will see the following message
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-12-04. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Bonus Read : How to Install SSL Certificate for Apache Windows
4. Update Virtual Host Configuration File
The above message contains the paths to your SSL certificate and key files. Open virtual host configuration file to add these paths.
$ sudo vi /etc/apache2/sites-available/example.com.conf
Add the following lines in VirtualHost * : 443 tag before </VirtualHost> line.
SSLEngine On SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Your VirtualHost block will look something like this
<VirtualHost *:443> ServerName example.com ServerAlias www.example.com ... SSLEngine On SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem ... </VirtualHost>
Bonus Read : How to Generate CSR for SSL Certificate in Linux
5. Test Apache Configuration and Restart Server
Run the following command to test Apache server configuration
$ sudo apachectl configtest
If you don’t see any error, restart Apache web server.
$ sudo service apache2 restart
Now you have installed Let’s Encrypt SSL certificate in Apache web server. Open a browser and visit https:// version of your domain (e.g https://www.example.com).
You will see a lock symbol next to your URL, in browser’s address bar, indicating that your website’s SSL/TLS certificate is working properly.
Hopefully, now you can Secure Apache with Let’s Encrypt SSL certificate in Apache for Debian/Ubuntu as well as other Linux systems.
Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it Today!
