How To Secure Apache with Let’s Encrypt on Debian 11

In this article, we want to teach you how to secure Apache with a Let’s Encrypt SSL certificate on Debian 11.

Let’s Encrypt is a free certificate authority developed by the Internet Security Research Group (ISRG).

Let’s Encrypt provides two types of certificates: the standard single-domain SSL certificate and the Wildcard SSL certificate, which covers a domain and all of its subdomains.

Steps To Secure Apache with Let’s Encrypt on Debian 11

You need some requirements before you start to secure your Apache with Let’s Encrypt on Debian 11.

You need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can check our article about the Initial server setup with Debian 11.

Also, you should install Apache and set up a virtual host file for your domain. You can visit this article about How to install an Apache web server on Debian 11.

When you are done with these requirements you can start to install certbot on Debian 11.

Install Certbot on Debian 11

The first step to getting an SSL certificate with Let’s Encrypt is to install the Certbot software on your server.

By default, certbot is not available in the Debian repositories. You need to install snapd, a package manager developed for Linux systems that installs packages in a format referred to as snaps.

To install certbot as a “snap” on Debian 11, you should install snapd first.

Run the following command to update the APT packages:

sudo apt update

Then, run the command below to install snapd:

sudo apt install snapd

After this, you need to install some dependencies on your server that are needed for any snap you install, including the Certbot snap.

Now use the snap command to install the core snap:

sudo snap install core

Then, refresh the core snap with the following command:

sudo snap refresh core

At this point, you can install the certbot snap with the following command:

sudo snap install --classic certbot

This installation process will install the certbot executable in the /snap/bin/ directory.

You need to create a symbolic link to this file in the /usr/bin/ directory to make sure that you can run the certbot command on your system:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certbot is now ready to use, but first you need to be sure that Apache has been configured correctly.

Verify Apache Configuration to Set up the SSL Certificate

Certbot needs to find the correct virtual host in your Apache configuration to automatically configure SSL.

Open the virtual host file for your domain with your favorite text editor and check that its ServerName matches the domain you are requesting a certificate for.

sudo vi /etc/apache2/sites-available/your_domain.conf

Find the ServerName line and make sure that it is pointing to your domain name.

...
ServerName your_domain
...

Then save and close your file.

Now verify the syntax of your configuration edits with the following command:

sudo apache2ctl configtest

In your output, you should see:

...
Syntax OK

Note: If you get an error, open the virtual host file again and check for any typos or missing characters.

Then, reload Apache to apply the new configuration with the following command:

sudo systemctl reload apache2

At this point, certbot can find the correct virtual host block and update it.
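
The ServerName check above can be scripted before running Certbot. The following is an added example, not part of the original article: the check_vhost function, the sample files and the example.com domain are all constructed for illustration. It also flags a name written with a trailing semicolon (Nginx syntax), which Apache would read as part of the hostname.

```bash
#!/usr/bin/env bash
# Added example. check_vhost FILE DOMAIN prints one of:
#   ok               DOMAIN is a ServerName or ServerAlias in FILE
#   stray-semicolon  the name is present but written as "DOMAIN;"
#   missing          no ServerName/ServerAlias names DOMAIN
check_vhost() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[[:space:]]*#/ { next }                  # ignore commented-out lines
    tolower($1) == "servername" || tolower($1) == "serveralias" {
      for (i = 2; i <= NF; i++) {
        name = tolower($i)
        sub(/^[a-z]+:\/\//, "", name)          # ServerName may carry scheme://
        sub(/:[0-9]+$/, "", name)              # ... and a :port suffix
        if (name == want)              exact = 1
        else if (name == (want ";"))   semi = 1
      }
    }
    END {
      if (exact)     print "ok"
      else if (semi) print "stray-semicolon"
      else           print "missing"
    }' "$1"
}

# Constructed sample files (example.com is a placeholder domain).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
<VirtualHost *:80>
    # ServerName old.example.com
    servername example.com:80
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com;
</VirtualHost>
EOF

check_vhost "$demo_dir/good.conf" example.com   # prints: ok
check_vhost "$demo_dir/bad.conf"  example.com   # prints: stray-semicolon
```

On the server, point it at /etc/apache2/sites-available/your_domain.conf and the domain you will pass to certbot with -d. Wildcard ServerAlias entries are not expanded; only exact names are matched.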

Configure Firewall

Also, you need to update the firewall to allow HTTPS traffic.

We assume that you have already set up the ufw firewall as described in the requirements.

See the current settings with the following command:

sudo ufw status

To allow HTTPS traffic, run the commands below, which allow the “WWW Full” profile and then delete the “WWW” profile rule:

sudo ufw allow 'WWW Full'
sudo ufw delete allow 'WWW'

Now check the UFW status:

sudo ufw status
Output
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
WWW Full                   ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
WWW Full (v6)              ALLOW       Anywhere (v6)        

Now you can get an SSL certificate with Let’s Encrypt on Debian 11.

Get an SSL certificate with Let’s Encrypt

The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary.


Use this plugin to get your SSL certificate with Let’s Encrypt.

sudo certbot --apache -d your_domain

You will be asked some questions. The first is to enter your email address. From here, you can press y and Enter to continue.

If that’s successful, the configuration will be updated automatically and Apache will reload to pick up the new settings.

In your output, you will see:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for apache.orcacore.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache.orcacore.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache.orcacore.net/privkey.pem
This certificate expires on 2021-12-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for apache.orcacore.net to /etc/apache2/sites-available/apache.orcacore.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://apache.orcacore.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can reload your website by using https://your_domain_name and you should see the lock icon in your browser.

Also, you can test your server by using the SSL Labs Server Test. You will get an A grade like the image below.

SSL certificate- secure apache on Debian 11

Let’s Encrypt certificates are only valid for ninety days. Certbot takes care of renewal by adding a script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that’s within thirty days of expiration.

Run the command below to test the renewal process:

sudo certbot renew --dry-run

In your output, you will see:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/apache.orcacore.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for apache.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/apache.orcacore.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
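
A dry run only proves that renewal works today. Because renewal starts thirty days before expiry, a live certificate with far fewer days left means the scheduled renewals have been failing. The check below is an added example, not part of the original article: the function names and the WARN_DAYS threshold are assumptions, GNU date is required, and the sample date is constructed from the expiry shown in the Certbot output above.

```bash
#!/usr/bin/env bash
# Added example: needs GNU date; cert_status additionally needs openssl.

WARN_DAYS=20   # assumption: alert once 10 days of the 30-day window are lost

# secs_left NOT_AFTER NOW: seconds from NOW until NOT_AFTER.
# NOT_AFTER may keep the "notAfter=" prefix that openssl prints.
secs_left() {
  end=$(date -u -d "${1#notAfter=}" +%s) || return 2
  now=$(date -u -d "$2" +%s) || return 2
  echo $(( end - now ))
}

# classify SECONDS: compare remaining lifetime with the alert threshold.
classify() {
  if   [ "$1" -le 0 ];                        then echo expired
  elif [ "$1" -lt $(( WARN_DAYS * 86400 )) ]; then echo renewal-overdue
  else                                             echo ok
  fi
}

# cert_status PEM_FILE: classify a certificate file on disk as of now.
cert_status() {
  not_after=$(openssl x509 -enddate -noout -in "$1") || return 2
  left=$(secs_left "$not_after" now) || return 2
  classify "$left"
}

# Constructed sample in the format of `openssl x509 -enddate -noout`;
# the time of day is made up.
sample='notAfter=Dec 13 00:00:00 2021 GMT'
classify "$(secs_left "$sample" '2021-11-01 00:00:00 UTC')"   # prints: ok
classify "$(secs_left "$sample" '2021-12-01 00:00:00 UTC')"   # prints: renewal-overdue
classify "$(secs_left "$sample" '2021-12-14 00:00:00 UTC')"   # prints: expired
```

On the server, cert_status /etc/letsencrypt/live/your_domain/fullchain.pem gives the same classification for the deployed certificate.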

Conclusion of Securing Apache with Let’s Encrypt on Debian 11

At this point, you have learned to install the Let’s Encrypt client certbot, get an SSL certificate for your domain, configure Apache to use this certificate, and set up automatic certificate renewal.

Hope you enjoy this article about How to secure Apache with Let’s Encrypt on Debian 11.
