Share your love
How To Secure Apache with Let’s Encrypt on Debian 10
In this article, we want to teach you How To Secure Apache with Let’s Encrypt on Debian 10. Let’s Encrypt is a Certificate Authority (CA) that lets you get and install free TLS/SSL certificates by enabling encrypted HTTPS on web servers. Now proceed to the following steps to learn How To Secure Apache with Let’s Encrypt on Debian 10.
Learn To Secure Apache with Let’s Encrypt on Debian 10
Before you start to get your TLS/SSL certificates you need some requirements first. Let’s see what we need.
Requirements
You need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this you can check the Initial Server Setup article for Debian 10.
You need a valid domain name that is pointed to your server’s IP address.
Also, you need to install Apache and set up its virtual hosts. In this article about How to install LAMP Stack on Debian 10, we completely explain it you can check it and then continue this guide.
Step 1 – How To Install Certbot on Debian 10
Here you need to install the certbot software on your Debian 10 server to get an SSL certificate from Let’s Encrypt.
Note: Certbot is not available in the Debian default repositories. because of this, we use Snappy which is a package manager developed for Linux systems that install packages in a format referred to as snaps.
At this point, to install certbot as a snap on Debian 10, you need to install snapd on your server first.
Update the APT packages with the following command:
sudo apt update
Then, install snapd with the following command:
sudo apt install snapd
Here you need to install some dependencies on your server that are needed for any snap you install with the following command:
sudo snap install core
Refresh the core with the following command:
sudo snap refresh core
Now you can install certbot snap on Debian 10 with the following command:
sudo snap install --classic certbot
This will install the certbot executable in the /snap/bin/ directory.
Here you need to create a symbolic link to this file in the /usr/bin/ directory to be sure that you can run the certbot command anywhere on your system. Run the following command:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Certbot is now ready to use to get your SSL certificate for Apache.
But before this, you need to verify that Apache has been configured correctly.
Step 2 – Configure Apache and Adjust the Firewall on Debian 10
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure the SSL certificate.
At this point, you can check the virtual host file for your domain with the following command:
Here we use vi text editor you can choose your favorite text editor.
Also, remember to replace the domain name with your own.
sudo vi /etc/apache2/sites-available/apache.orcacore.net.conf
Find the ServerName line. It should look like this with your domain name:
...
ServerName apache.orcacore.net
...
If it doesn’t fill with your domain name, update it and put your domain name instead of it. When you are finished save and close the file.
Now check for no syntax errors with the following command:
sudo apache2ctl configtest
Output
. . .
Syntax OK
If you get an error, open the file again and check for any typos or missing characters.
Now you need to reload Apache for new configuration changes with the following command:
sudo systemctl reload apache2
Now you need to update the firewall to allow HTTPS traffic. We assumed that you enabled the UFW firewall from the requirements. See the current settings with the following command:
sudo ufw status
If you followed the installation of Apache from the requirements your output should be similar to this:
Output
Status: active
To Action From
-- ------ ----
WWW Full ALLOW Anywhere
...
WWW Full (v6) ALLOW Anywhere (v6)
...
Note: If you see just the WWW profile, you should enable the “WWW full” profile with the following command;
sudo ufw allow 'WWW Full'
Then, delete the WWW profile allowance with the following command:
sudo ufw delete allow 'WWW'
Now you can run certbot and fetch your certificates.
Step 3 – How to Get an SSL Certificate – Secure Apache with Let’s Encrypt on Debian 10
You can use certbot to get an SSL certificate through plugins.
To use the Apache plugin run the following command:
sudo certbot --apache -d apache.orcacore.net -d www.apache.orcacore.net
For a single domain, run the following command instead:
sudo certbot --apache -d apache.orcacore.net
You will be asked to enter your email address. then agree with the terms of service.
Also, you will be asked to share your email address with the Electronic Frontier Foundation. It depends on whether you press N or Y to continue.
Your output should be similar to this:
Output
Requesting a certificate for apache.orcacore.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache.orcacore.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache.orcacore.net/privkey.pem
This certificate expires on 2021-12-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for apache.orcacore.net to /etc/apache2/sites-available/apache.orcacore.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://apache.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
At this point, your certificates are downloaded, installed, and loaded.
Now you can reload your website:
https://apache.orcacore.net
You will see the lock icon in your web browser.
Also, you can test your server with SSL Labs Server Test, which will give you an A grade.
Let’s finish by testing the renewal process.
How to verify Certbot Auto-renewal
At this point, you have learned to Secure Apache with Let’s Encrypt on Debian 10. But you should know that the Let’s Encrypt SSL certificate is only valid for 90 days.
The certbot package takes care of this for us by adding a renew script to /etc/cron.d. This will run twice a day and will automatically renew any certificate that’s within thirty days of expiration.
To test the renewal process, run the following command:
sudo certbot renew --dry-run
In your output you will see:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/apache.orcacore.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for apache.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/apache.orcacore.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
That’s you are done. You have successfully Secure Apache with Let’s Encrypt on Debian 10.
Conclusion
At this point, you learn to install the Let’s Encrypt client certbot. Also, you learn to download SSL certificates for your domain and set up the certbot Auto-renewal process.
Hope you enjoy this article about How to Secure Apache with Let’s Encrypt on Debian 10. Also, you may like to read the following articles: