How To Secure Apache with Let’s Encrypt on Debian 9

how to secure apache with let's encrypt on debian 9

Let’s Encrypt makes it easy to obtain, install and manage free TLS/SSL certificates for your website. It provides a software client Certbot that enables you to easily generate, manage and even renew SSL certificates. Let’s see how to secure Apache with Let’s Encrypt on Debian 9.


How To Secure Apache with Let’s Encrypt on Debian 9

Here are the steps to secure Apache with Let’s Encrypt on Debian 9

Before we begin, please make sure you:

  • Setup a Debian Server
  • Have a registered domain name. We will use for our tutorial.
  • Make sure both as well as point to your server’s public IP address
  • Have installed Apache on your Debian System


1. Install Certbot

The first step is to install Certbot software client. Unfortunately, it is not readily available from Debian software package repositories.

To be able to download & install it via apt command, you need to add backports repository to sources.list so that apt can look for it at that location. Backports are basically Debian packages that are in testing phase.

To add backports repository, open or edit the sources.list file in /etc/apt/ directory:

$ sudo nano /etc/apt/sources.list


Scroll to the bottom of the file. Add the following line to it

$ deb stretch-backports main


Save & close the file by pressing Ctrl+X, Y and Enter. Update the package list

$ sudo apt update


Install Certbot

$ sudo apt install python-certbot-apache -t stretch-backports


This will install Certbot. Next we need to configure SSL for Apache.


2. Setup SSL in Apache

Instead of modifying Apache’s server config files, we will be using virtual host file. It allows you to easily manage multiple domains independently and use your default config as a fallback.

Here’s how you can quickly setup virtual host file for your domain. Open the virtual hosts file

$ sudo nano /etc/apache2/sites-available/


Look for your ServerName in it. It should be your domain name instead of If it is not pointing to your domain name, update the ServerName directive to point to your domain. Save and quit your file.

Test your Apache config

$ sudo apache2ctl configtest

If there are no errors, you’ll see the message

Syntax OK

In case of errors, open the virtual host file and edit in typos/missing characters. Reload Apache

$ sudo systemctl reload apache2


3. Update Firewall

If you have enabled ufw firewall, you can update it to allow HTTPS traffic. Otherwise, you can skip this step.

You can allow HTTPS traffic with the command:

$ sudo ufw allow 'WWW Full'
$ sudo ufw delete allow 'WWW'



4. Generate SSL Certificate

It’s really to generate and install SSL certificates using Certbot.

$ sudo certbot --apache -d -d

This will generate SSL certificate for both as well as . It will use the Apache plugin to install SSL certificates and automatically reload the configuration.

If you are using Certbot for the first time, you’ll need to agree to the terms & conditions, and also provide an email address that can be used for sending emails.

Certbot will give you a challenge to verify that you actually have access to the domain you want SSL certificate for. Once it is sucessful, you’ll be asked if you want to redirect HTTP to HTTPS or not.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):


Certbot will install SSL certificate as per your requirements and automatically reload Apache with new settings


Finally, it will give you the location of SSL certificates.

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-12-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:


You can test it by going to the https:// URL of your domain. You should see a green lock icon.


5. Test the Auto Renewal Process

By default, Let’s Encrypt certificate is valid for only 90 days. However, Certbot will automatically renew your certificates by adding a renew script to /etc/cron.d

It runs twice a days and renews any certificate within 30 days of expiry.

You can test it with the command

$ sudo certbot renew --dry-run

If it doesn’t show any errors, they you’re good to go. In case the renewal process fails, Let’s Encrypt will automatically send you emails to the email address you provided during installation.

Congratulations! Now you know how to secure Apache with Let’s Encrypt on Debian 9



About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses. Ubiq makes it easy to build business dashboards & reports for your business. Try it for free today!