Secure Apache Web Server with Let’s Encrypt on Debian 12

In this guide, we want to teach you to Secure your Apache Web Server by generating SSL certificates with Let’s Encrypt on Debian 12 Bookworm. Let’s Encrypt is a free certificate authority. You need to install certbot on your Debian 12 and get your SSL certificates from Let’s Encrypt. Follow the steps below to complete this guide.

How To Secure Apache Web Server with Let’s Encrypt on Debian 12?

Before you start to Secure Apache Web Server, you need some requirements.

Requirements

You must have access to your server as a non-root user with sudo privileges. For this purpose, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.

Also, you must have Apache installed on your server and create a virtual host file. To do this, you can visit this guide on How To Install Apache Web Server on Debian 12.

Now follow the steps below to start generating SSL certificates for Apache on Debian 12.

Step 1 – Install Certbot on Debian 12 Bookworm

As we said, we use Certob to get our SSL certificate for Apache. The Certbot package is not available in the default Debian 12 repository. So we use the snap package manager to install it.

First, run the system update with the following command:

sudo apt update

Then, install Snap on Debian 12 by using the command below:

sudo apt install snapd
 -y

After this, you need to install some dependencies on your server that are needed for any snap you install, including the Certbot snap.

Now use the snap command to install the core snap:

sudo snap install core
Output
core 16-2.58.3 from Canonical✓ installed

Then, refresh the core snap with the following command:

sudo snap refresh core

At this point, you can install the certbot snap with the following command:

sudo snap install --classic certbot
Output
certbot 2.6.0 from Certbot Project (certbot-eff✓) installed

This installation process will install the certbot executable in the /snap/bin/ directory.

You need to create a symbolic link to this file in the /usr/bin/ directory to make sure that you can run the certbot command on your system:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2 – Check Apache Web Server Configuration on Debian 12

Certbot needs to find the correct virtual host in your Apache configuration to automatically configure SSL.

You need to open the virtual host file for your domain with your favorite text editor to check the server name that matches the domain you request a certificate for:

sudo vi /etc/apache2/sites-available/example.com.conf

Find the ServerName line and make sure that it is pointing to your domain name.

...
ServerName your_domain;
...

Then save and close your file.

Now verify the syntax of your configuration edits with the following command:

sudo apache2ctl configtest

In your output, you should see:

...
Syntax OK

Note: If you get an error, open the virtual host file again and check for any typos or missing characters.

Then, reload the Apache for a new configuration with the following command:

sudo systemctl reload apache2

At this point, certbot can find the correct virtual host block and update it.

Step 3 – Configure Firewall For Apache

Also, you need to update the firewall to allow HTTPS traffic. We assumed that you are done with the requirements for the setting up ufw firewall.

See the current settings with the following command:

sudo ufw status

To allow HTTPS traffic run the command below and after that delete the “WWW” profile:

# sudo ufw allow 'WWW Full'
# Get sudo ufw delete allow 'WWW'

Now check the ufw status:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
WWW Full (v6)              ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Now you can get an SSL certificate with Let’s Encrypt on Debian 12.

Step 4 – Generate SSL Certificates for Apache from Let’s Encrypt on Debian 12

The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary.

Certbot Apache Debian 12

You can now use this plugin to get your SSL certificate with Let’s Encrypt. To do this, run the command below:

sudo certbot --apache -d your_domain

You will be asked some questions. The first is to enter your email address. From here you can press y and enter to continue.

If that’s successful, the configuration will be updated automatically and Apache will reload to pick up the new settings.

In your output, you will see:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires 
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for apache.orcacore.net to /etc/apache2/sites-available/example.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can reload your website by using https://your_domain_name and you should see the lock icon in your browser.

Also, you can test your server by using the SSL Labs Server Test. You will get an A grade from there.

Renew SSL Certificates

Let’s Encrypt certificates are only valid for 90 days. You can run a script to /etc/cron.d. This will run twice a day and will automatically renew any certificate that’s within thirty days of expiration.

Run the command below to test the renewal process:

sudo certbot renew --dry-run

In your output, you will see:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Conclusion

At this point, you have learned to Secure your Apache Web Server by generating SSL certificates with Let’s Encrypt on Debian 12 Bookworm. Also, you will learn to renew your SSL certificates.

Hope you enjoy it. Please subscribe to us on Facebook, Instagram, and Twitter.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular