Share your love
Secure Apache Web Server with Lets Encrypt on Debian 12
In this guide, we want to teach you to Secure Apache Web Server with Lets Encrypt on Debian 12. Let’s Encrypt is a free certificate authority. You need to install certbot on your Debian 12 and get your SSL certificates from Let’s Encrypt. Follow the steps below to complete this guide.
How To Secure Apache Web Server with Lets Encrypt on Debian 12?
Before you start to Secure Apache Web Server with Lets Encrypt on Debian 12, you need some requirements.
Requirements
You must have access to your server as a non-root user with sudo privileges. For this purpose, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.
Also, you must have Apache installed on your server and create a virtual host file. To do this, you can visit this guide on How To Install Apache Web Server on Debian 12.
Now follow the steps below to Secure Apache Web Server with Lets Encrypt on Debian 12.
Step 1 – Install Certbot on Debian 12 Bookworm
As we said, we use Certob to get our SSL certificate for Apache. The Certbot package is not available in the default Debian 12 repository. So we use the snap package manager to install it.
First, run the system update with the following command:
sudo apt update
Then, install Snap on Debian 12 by using the command below:
sudo apt install snapd -y
After this, you need to install some dependencies on your server that are needed for any snap you install, including the Certbot snap.
Now use the snap command to install the core snap:
sudo snap install core
Output
core 16-2.58.3 from Canonical✓ installed
Then, refresh the core snap with the following command:
sudo snap refresh core
At this point, you can install the certbot snap with the following command:
sudo snap install --classic certbot
Output
certbot 2.6.0 from Certbot Project (certbot-eff✓) installed
This installation process will install the certbot executable in the /snap/bin/ directory.
You need to create a symbolic link to this file in the /usr/bin/ directory to make sure that you can run the certbot command on your system:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 2 – Check Apache Web Server Configuration on Debian 12
Certbot needs to find the correct virtual host in your Apache configuration to automatically configure SSL.
You need to open the virtual host file for your domain with your favorite text editor to check the server name that matches the domain you request a certificate for:
sudo vi /etc/apache2/sites-available/example.com.conf
Find the ServerName line and make sure that it is pointing to your domain name.
...
ServerName your_domain;
...
Then save and close your file.
Now verify the syntax of your configuration edits with the following command:
sudo apache2ctl configtest
In your output, you should see:
...
Syntax OK
Note: If you get an error, open the virtual host file again and check for any typos or missing characters.
Then, reload the Apache for a new configuration with the following command:
sudo systemctl reload apache2
At this point, certbot can find the correct virtual host block and update it.
Step 3 – Configure Firewall For Apache
Also, you need to update the firewall to allow HTTPS traffic. We assumed that you are done with the requirements for the setting up ufw firewall.
See the current settings with the following command:
sudo ufw status
To allow HTTPS traffic run the command below and after that delete the “WWW” profile:
# sudo ufw allow 'WWW Full'
# Get sudo ufw delete allow 'WWW'
Now check the ufw status:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
WWW Full ALLOW Anywhere
OpenSSH ALLOW Anywhere
WWW Full (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
Now you can get an SSL certificate with Let’s Encrypt on Debian 12.
Step 4 – Generate SSL Certificates for Apache from Let’s Encrypt on Debian 12
The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary.
Certbot Apache Debian 12
You can now use this plugin to get your SSL certificate with Let’s Encrypt. To do this, run the command below:
sudo certbot --apache -d your_domain
You will be asked some questions. The first is to enter your email address. From here you can press y and enter to continue.
If that’s successful, the configuration will be updated automatically and Apache will reload to pick up the new settings.
In your output, you will see:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for apache.orcacore.net to /etc/apache2/sites-available/example.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You can reload your website by using https://your_domain_name and you should see the lock icon in your browser.
Also, you can test your server by using the SSL Labs Server Test. You will get an A grade from there.
Renew SSL Certificates
Let’s Encrypt certificates are only valid for 90 days. You can run a script to /etc/cron.d. This will run twice a day and will automatically renew any certificate that’s within thirty days of expiration.
Run the command below to test the renewal process:
sudo certbot renew --dry-run
In your output, you will see:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Conclusion
At this point, you have learned to Secure Apache Web Server with Lets Encrypt on Debian 12. Also, you will learn to renew your SSL certificates.
Hope you enjoy it. Please subscribe to us on Facebook, Instagram, and Twitter.