How To Secure Apache with Let’s Encrypt on Debian 10

This article shows how to secure Apache with Let’s Encrypt on Debian 10.

Let’s Encrypt is a Certificate Authority (CA) that lets you get and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers.


Before you get your TLS/SSL certificates, you need to meet some requirements.

Requirements

Log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can check the Initial server setup article for Debian 10.

You need a fully registered domain name.

You also need to install Apache and set up its virtual hosts. The article How to install LAMP Stack on Debian 10 explains this in full; check it and then continue with this guide.

How To Install Certbot on Debian 10

Here you need to install the certbot software on your Debian 10 server to get an SSL certificate from Let’s Encrypt.

Note: Certbot is not available in the Debian default repositories. Because of this, we use snappy, a package manager developed for Linux systems that installs packages in a format referred to as snaps.

At this point, to install certbot as a snap on Debian 10, you need to install snapd on your server first.

Update the APT packages with the following command:

sudo apt update

Then, install snapd with the following command:

sudo apt install snapd

Next, install the core snap, which provides dependencies needed by any snap you install, with the following command:

sudo snap install core

Refresh the core with the following command:

sudo snap refresh core

Now you can install certbot snap on Debian 10 with the following command:

sudo snap install --classic certbot

This will install the certbot executable in the /snap/bin/ directory.

Here you need to create a symbolic link to this file in the /usr/bin/ directory to be sure that you can run the certbot command anywhere on your system.

Run the following command:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certbot is now ready to use to get your SSL certificate for Apache.

But before this, you need to verify that Apache has been configured correctly.

Configure Apache and Adjust the Firewall on Debian 10

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure the SSL certificate.

At this point, you can check the virtual host file for your domain with the following command. Here we use the vi text editor; you can choose your favorite text editor. Also, remember to replace the domain name with your own:

sudo vi /etc/apache2/sites-available/apache.orcacore.net.conf

Find the ServerName line. It should look like this with your own domain name:

...
ServerName apache.orcacore.net
...

If it isn’t set to your domain name, update it to use your domain name. When you are finished, save and close the file.

Now check the configuration for syntax errors with the following command:

sudo apache2ctl configtest

Output
. . .
Syntax OK

If you get an error, open the file again and check for any typos or missing characters.

Now reload Apache to apply the new configuration with the following command:

sudo systemctl reload apache2
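
The ServerName check described above can be scripted as a pre-flight step before running certbot. This is an added example, not part of the original article; the function names find_vhost and make_sample_sites are hypothetical, the sample configs are constructed, and it also accepts the standard Apache ServerAlias directive in addition to ServerName:

```bash
# Added example: pre-flight check before `certbot --apache -d <domain>`.
# Prints each *.conf in directory $1 whose ServerName or ServerAlias equals
# domain $2 (case-insensitive); returns 0 if at least one file matches.
find_vhost() {
    local dir=$1 want f rc=1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v want="$want" '
            /^[ \t]*#/ { next }                     # Apache comments start the line
            tolower($1) == "servername" || tolower($1) == "serveralias" {
                for (i = 2; i <= NF; i++) {
                    name = tolower($i)
                    sub(/^[a-z]+:\/\//, "", name)   # optional scheme
                    sub(/:[0-9]+$/, "", name)       # optional port
                    if (name == want) hit = 1
                }
            }
            END { exit (hit ? 0 : 1) }' "$f"
        then
            printf '%s\n' "$f"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample configs in a temp directory (not from a real server).
make_sample_sites() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/apache.orcacore.net.conf" <<'EOF'
<VirtualHost *:80>
    ServerName apache.orcacore.net
    ServerAlias www.apache.orcacore.net
</VirtualHost>
EOF
    cat > "$d/000-default.conf" <<'EOF'
<VirtualHost *:80>
    #ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

sites=$(make_sample_sites)
find_vhost "$sites" apache.orcacore.net || echo "no vhost declares apache.orcacore.net"
rm -rf "$sites"
```

On a real server, point the first argument at /etc/apache2/sites-available. Wildcard ServerAlias patterns are not matched by this check.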

Now you need to update the firewall to allow HTTPS traffic.

We assume that you enabled the UFW firewall as part of the requirements.

See the current settings with the following command:

sudo ufw status

If you followed the Apache installation from the requirements, your output should be similar to this:

Output
Status: active

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
...
WWW Full (v6)              ALLOW       Anywhere (v6)
...

Note: If you see just the WWW profile, you should enable the 'WWW Full' profile with the following command:

sudo ufw allow 'WWW Full'

Then, delete the WWW profile allowance with the following command:

sudo ufw delete allow 'WWW'

Now you can run certbot and fetch your certificates.

How to Get an SSL certificate

You can use certbot to get an SSL certificate through plugins.

To use the Apache plugin run the following command:

sudo certbot --apache -d apache.orcacore.net -d www.apache.orcacore.net

For a single domain, run the following command instead:

sudo certbot --apache -d apache.orcacore.net

You will be asked to enter your email address and then to agree to the terms of service.

You will also be asked whether to share your email address with the Electronic Frontier Foundation. Press N or Y to continue, depending on your preference.

Your output should be similar to this:

Output
Requesting a certificate for apache.orcacore.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache.orcacore.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache.orcacore.net/privkey.pem
This certificate expires on 2021-12-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for apache.orcacore.net to /etc/apache2/sites-available/apache.orcacore.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://apache.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At this point, your certificates are downloaded, installed, and loaded.

Now you can reload your website:

https://apache.orcacore.net

You will see the lock icon in your web browser.

Also, you can test your server with the SSL Labs Server Test; it will give you an A grade.

Let’s finish by testing the renewal process.

How to verify Certbot Auto-renewal

A Let’s Encrypt SSL certificate is only valid for 90 days.

The certbot package takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and automatically renews any certificate that’s within thirty days of expiration.

To test the renewal process, run the following command:

sudo certbot renew --dry-run

In your output you will see:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/apache.orcacore.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for apache.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/apache.orcacore.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
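
A dry run confirms that renewal can succeed, but not that it keeps happening. Since certificates are renewed once they are within thirty days of expiration, a deployed certificate that is still inside that window means the scheduled renewal is failing. The following is an added example, not part of the original article; it requires the openssl command-line tool, the function names are hypothetical, and the sample certificates are self-signed fixtures generated in a temp directory:

```bash
# Added example: detect certificates that automatic renewal should already
# have replaced. Requires the openssl command-line tool.

RENEW_WINDOW_DAYS=30    # renewal threshold stated in the article

# 0 = valid beyond the window, 1 = expires inside it, 2 = unreadable/not a cert
cert_status() {
    local pem=$1 days=${2:-$RENEW_WINDOW_DAYS}
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Scan <live-dir>/*/fullchain.pem (the leaf cert is first in the file) and
# print one line per lineage. Returns the number of lineages needing attention.
audit_live_dir() {
    local live=$1 pem name rc bad=0
    for pem in "$live"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        rc=0; cert_status "$pem" || rc=$?
        case $rc in
            0) echo "OK       $name" ;;
            1) echo "OVERDUE  $name expires within $RENEW_WINDOW_DAYS days"; bad=$((bad + 1)) ;;
            *) echo "ERROR    $name certificate unreadable"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Constructed fixture: self-signed cert valid for $2 days under $1/<name $3>/.
make_sample_lineage() {
    mkdir -p "$1/$3" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout "$1/$3/privkey.pem" -out "$1/$3/fullchain.pem" >/dev/null 2>&1
}

live=$(mktemp -d)
make_sample_lineage "$live" 90 fresh.example.test   # just issued
make_sample_lineage "$live" 10 stale.example.test   # renewal never happened
audit_live_dir "$live" || echo "lineages needing attention: $?"
rm -rf "$live"
```

On a real server, run audit_live_dir against /etc/letsencrypt/live as root and alert on a non-zero return value.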

Conclusion

At this point, you have learned how to install the Let’s Encrypt client certbot. You have also learned how to download SSL certificates for your domain and set up the certbot auto-renewal process.

We hope you enjoyed this article about How to Secure Apache with Let’s Encrypt on Debian 10.
