Let’s Encrypt makes it easy to obtain, install and manage free TLS/SSL certificates for your website. It provides a software client, Certbot, that lets you generate, install and renew certificates with a few commands. Let’s see how to secure Apache with Let’s Encrypt on Debian 9.
How To Secure Apache with Let’s Encrypt on Debian 9
Here are the steps to secure Apache with Let’s Encrypt on Debian 9
Before we begin, please make sure you:
- Set up a Debian server
- Have a registered domain name. We will use example.com for our tutorial.
- Make sure both example.com as well as www.example.com point to your server’s public IP address
- Have installed Apache on your Debian System
1. Install Certbot
The first step is to install the Certbot software client. Unfortunately, it is not readily available from the standard Debian 9 package repositories.
To be able to download and install it with apt, you need to add the backports repository to sources.list so that apt can look for the package there. Backports are packages rebuilt from Debian testing so that they can be installed on the current stable release.
To add backports repository, open or edit the sources.list file in /etc/apt/ directory:
$ sudo nano /etc/apt/sources.list
Scroll to the bottom of the file. Add the following line to it
deb http://ftp.debian.org/debian stretch-backports main
Save and close the file by pressing Ctrl+X, Y and Enter. Then update the package list and install Certbot from backports
$ sudo apt update
$ sudo apt install python-certbot-apache -t stretch-backports
This will install Certbot. Next we need to configure SSL for Apache.
2. Setup SSL in Apache
Instead of modifying Apache’s main server config files, we will be using a virtual host file. It allows you to manage multiple domains independently and keep the default config as a fallback.
Here’s how you can quickly set up the virtual host file for your domain. Open the virtual host file
$ sudo nano /etc/apache2/sites-available/example.com.conf
Look for the ServerName directive in it. Its value should be your actual domain name (example.com in this tutorial). If it does not match your domain, update the ServerName directive to point to your domain, then save and quit the file.
Test your Apache config
$ sudo apache2ctl configtest
If there are no errors, you’ll see the message
Output
Syntax OK
In case of errors, open the virtual host file again and fix the typos or missing characters it reports. Then reload Apache
$ sudo systemctl reload apache2
3. Update Firewall
If you have enabled the ufw firewall, you need to update it to allow HTTPS traffic. Otherwise, you can skip this step.
You can allow HTTPS traffic (and drop the HTTP-only rule that is now redundant) with the commands:
$ sudo ufw allow 'WWW Full'
$ sudo ufw delete allow 'WWW'
4. Generate SSL Certificate
It’s really easy to generate and install SSL certificates using Certbot.
$ sudo certbot --apache -d example.com -d www.example.com
This will generate an SSL certificate covering both example.com and www.example.com. It will use the Apache plugin to install the certificate and automatically reload the configuration.
If you are using Certbot for the first time, you’ll need to agree to the terms and conditions, and also provide an email address where Let’s Encrypt can send notices.
Certbot will then run a challenge to verify that you actually control the domain you want the SSL certificate for. Once it is successful, you’ll be asked if you want to redirect HTTP to HTTPS or not.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Certbot will install the SSL certificate according to your choice and automatically reload Apache with the new settings.
Finally, it will print the location of the certificate and private key.
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
You can test it by visiting the https:// URL of your domain in a browser. You should see a lock icon in the address bar.
5. Test the Auto Renewal Process
By default, a Let’s Encrypt certificate is valid for only 90 days. However, Certbot will renew your certificates automatically through a renewal job it adds to /etc/cron.d.
It runs twice a day and renews any certificate that is within 30 days of expiry.
You can test it with the command
$ sudo certbot renew --dry-run
If it doesn’t show any errors, then you’re good to go. In case the renewal process fails, Let’s Encrypt will automatically send emails to the address you provided during installation.
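As an added example (not part of the original tutorial), here is a small POSIX shell check that can run from cron alongside the Certbot renewal job and flag a certificate whose renewal has silently stopped working. The certificate path is the one Certbot printed above; the 30-day threshold mirrors Certbot's renewal window described in the text; the date arithmetic and the cert_expiry_date helper are my own additions.

```shell
#!/bin/sh
# Independent expiry check for the certificate Certbot wrote to
# /etc/letsencrypt/live/example.com/fullchain.pem. It does not replace
# "certbot renew"; it alerts when that job has stopped renewing.
# RENEW_WINDOW (assumption) matches the 30-day window Certbot uses.
RENEW_WINDOW=30

# Julian day number for a YYYY-MM-DD date, pure shell arithmetic (no GNU date needed).
jdn() {
  y=${1%%-*}; r=${1#*-}; m=${r%%-*}; d=${r#*-}
  m=${m#0}; d=${d#0}           # strip leading zero so 08/09 are not read as octal
  a=$(( (14 - m) / 12 ))
  yy=$(( y + 4800 - a ))
  mm=$(( m + 12 * a - 3 ))
  echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# days_left EXPIRY TODAY -> signed number of days until the certificate expires
days_left() {
  echo $(( $(jdn "$1") - $(jdn "$2") ))
}

# renewal_state EXPIRY TODAY -> "ok", "due" (inside the renewal window) or "expired"
renewal_state() {
  left=$(days_left "$1" "$2")
  if [ "$left" -lt 0 ]; then echo expired
  elif [ "$left" -le "$RENEW_WINDOW" ]; then echo due
  else echo ok; fi
}

# cert_expiry_date FILE -> YYYY-MM-DD taken from the certificate's notAfter field,
# e.g. "notAfter=Dec  4 23:59:59 2018 GMT" becomes "2018-12-04"
cert_expiry_date() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' \
    | awk '{ printf "%04d-%02d-%02d\n", $4,
             (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3, $2 }'
}

# Usage on the live server (not exercised by the functions above on their own):
#   exp=$(cert_expiry_date /etc/letsencrypt/live/example.com/fullchain.pem)
#   state=$(renewal_state "$exp" "$(date +%Y-%m-%d)")
#   [ "$state" = ok ] || echo "certificate renewal needs attention: $state" >&2
```

A "due" state a day or two inside the window is normal; "due" persisting for a week, or "expired", means the cron job or the Apache plugin needs attention.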
Congratulations! Now you know how to secure Apache with Let’s Encrypt on Debian 9.