Let’s Encrypt is a Certificate Authority (CA). It provides free TLS/SSL certificates for enabling encrypted HTTPS on web servers, and it offers a very easy, fully automated process to obtain, validate, install and renew those certificates. In this tutorial, you will learn how to obtain a free SSL certificate and secure Apache with Let’s Encrypt on Debian 9.
- A Debian 9 system with a non-root user with sudo privileges.
- Your domain name should point to your server's IP address.
- Apache should be installed and configured, as shown in this tutorial.
- An Apache virtual host for your domain, as shown in this tutorial.
Here, we will use the certbot client to obtain a free SSL certificate and set up your certificate to renew automatically.
First, you need to install the Certbot client package on your server in order to obtain a Let’s Encrypt SSL certificate. The certbot package is available in the default Debian repositories.
So update the package list and install the certbot package with the following commands:
sudo apt update
sudo apt install certbot
Certbot is now ready to use, but first we need to verify that Apache has been configured correctly so that certbot can set up SSL for it.
Setting Up the SSL Certificate
To configure SSL automatically, certbot must be able to find the correct virtual host in your Apache configuration. It looks for a ServerName directive that matches the domain for which you request a certificate.
Make sure that the Apache virtual host for your domain has the ServerName directive set properly, as given in How To Set Up Apache Virtual Hosts on Debian 9.
If ServerName is not set, add or update it so that it points to your domain name.
Now Certbot can find the correct VirtualHost block and update it appropriately.
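As an added example that is not part of the original tutorial, the following script checks a virtual host file for the ServerName (or ServerAlias) that certbot will look for. The vhost file path and the domain are passed as arguments; the sample file in the usage line is an assumed name, not one the tutorial defines.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that an Apache
# virtual host file names the domain certbot will be asked to certify.
# Assumptions: the vhost file path and the domain are given as arguments;
# directives may be indented, and a leading "#" token marks a comment line.

# Print the first ServerName value found in a vhost file (empty if none).
vhost_servername() {
    awk 'toupper($1) == "SERVERNAME" { print $2; exit }' "$1"
}

# Print every ServerAlias value, one per line (a line may list several).
vhost_serveraliases() {
    awk 'toupper($1) == "SERVERALIAS" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if DOMAIN is the ServerName or one of the ServerAlias entries of
# the vhost file, 1 otherwise. This is the match certbot --apache relies on.
vhost_covers_domain() {
    conf=$1
    domain=$2
    { vhost_servername "$conf"; vhost_serveraliases "$conf"; } | grep -qx "$domain"
}

# Usage (assumed file name): sh check_vhost.sh /etc/apache2/sites-enabled/example.com.conf example.com
if [ "$#" -eq 2 ]; then
    if vhost_covers_domain "$1" "$2"; then
        echo "ok: $1 names $2 (ServerName $(vhost_servername "$1"))"
    else
        echo "missing: add 'ServerName $2' or a ServerAlias for it to $1" >&2
        exit 1
    fi
fi
```

Run it once per domain you will pass to certbot with -d; if it reports a missing name, fix the vhost and run apachectl configtest before continuing, because certbot cannot update a block it cannot find.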
Next, we will allow HTTPS through the firewall.
Allowing HTTPS Through the Firewall
To serve SSL, your firewall must allow HTTPS traffic. So if you have the ufw firewall enabled, you need to adjust the firewall rules to allow HTTPS traffic. On Debian, ufw comes with pre-defined application profiles that make changing firewall rules simple. You can check the current ufw rules by typing:
sudo ufw status
For SSL to work, the “WWW Full” profile must be allowed. If you can’t see the “WWW Full” profile in the output, you can allow it with the command below:
sudo ufw allow 'WWW Full'
Next, we are going to obtain an SSL certificate.
Obtaining an SSL Certificate
There are multiple ways to obtain a Let’s Encrypt certificate through certbot plugins. Execute the following command to obtain an SSL certificate with the Apache plugin:
sudo certbot --apache -d example.com -d www.example.com
This requests an SSL certificate covering both example.com and www.example.com. If you are running certbot for the first time, it will prompt you to enter an email address, which is used for email alerts related to certificate renewal and expiration. It will also ask you to agree to the terms of service.
After that, certbot will communicate with the Let’s Encrypt server and run a challenge to verify that you control the domain for which you’re requesting a certificate.
Let’s Encrypt performs Domain Validation (DV) automatically using its challenges. Once the Certificate Authority (CA) has verified that you control the domain, the SSL certificate is issued. You don’t need to create the SSL/HTTPS virtual host manually; certbot creates it automatically.
If validation succeeds, certbot will ask you how you’d like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose the option you want and press Enter to continue. Your virtual host is updated automatically and Apache is reloaded so the new settings take effect. At the end, certbot prints a success message.
Your domain is now secured with a Let’s Encrypt SSL certificate. You can check by visiting your site over HTTPS.
Auto Renew Let’s Encrypt SSL certificate
Let’s Encrypt SSL certificates are valid for 90 days, so you need to renew them before they expire. To prevent SSL expiration, you can use certbot's auto-renew facility. The certbot package creates a cron job script in /etc/cron.d which runs twice a day and automatically renews any certificate 30 days before its expiration. You can test the renewal process by typing:
sudo certbot renew --dry-run
If there are no errors, everything is fine. From now on, Certbot will take care of expiration, renew your certificates and reload Apache to pick up the changes automatically.
In this tutorial, you used Let’s Encrypt's certbot client to obtain an SSL certificate for your domain. You also configured Apache to use the certificate. Finally, you set up automatic certificate renewal. If you have any questions about using Certbot or want to learn more about it, the Certbot documentation is a good place to start.
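The dry run above only tells you that renewal would work; it does not show how close a certificate is to the 30-day window the cron job acts on. The script below, an added example that is not part of the original tutorial, reads a certificate's expiry date with openssl and applies the same 30-day rule. It assumes GNU date (as on Debian) and openssl are installed and that the certificate path is passed as an argument, for example the fullchain.pem that certbot writes under /etc/letsencrypt/live/<domain>/ (the domain directory name is yours to fill in).

```shell
#!/bin/sh
# Added example (not from the original tutorial): report how many days a
# certificate has left and whether it falls inside the renewal window that
# certbot's cron job uses. Assumptions: GNU date and openssl are available;
# the certificate path is given as the single argument.

RENEW_WITHIN_DAYS=30   # certbot renews when fewer than this many days remain

# Print the notAfter date of a PEM certificate as seconds since the epoch.
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$end" +%s
}

# Whole days between now and the certificate's expiry (negative once expired).
cert_days_left() {
    now=$(date +%s)
    end=$(cert_not_after_epoch "$1")
    echo $(( (end - now) / 86400 ))
}

# Return 0 (true) if DAYS_LEFT is below THRESHOLD days, i.e. renewal is due.
# Kept as pure arithmetic so the decision can be checked without a real cert.
renewal_due() {
    [ "$1" -lt "$2" ]
}

# Usage: sh cert_days_left.sh /etc/letsencrypt/live/<domain>/fullchain.pem
if [ "$#" -eq 1 ]; then
    days=$(cert_days_left "$1")
    if renewal_due "$days" "$RENEW_WITHIN_DAYS"; then
        echo "$1: $days day(s) left, inside the renewal window (sudo certbot renew)"
    else
        echo "$1: $days day(s) left, no renewal needed yet"
    fi
fi
```

A certificate that sits in the renewal window for more than a day or two, while the cron job is installed, is the signal that renewal is failing and the dry run should be re-examined before the 90 days run out.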