How to Secure Apache with Let’s Encrypt on Debian 10

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this guide, we will use a separate Apache virtual host file instead of the default configuration file. We recommend creating new Apache virtual host files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

To let this tutorial work better, please consider the below Prerequisites:

• A non-root user with sudo privileges
• To set up, follow our Initial server setup on Debian 10.

• A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
• Both of the following DNS records set up for your server. To set these up, you can follow these instructions for adding domains and then these instructions for creating DNS records.
  • An A record with your_domain pointing to your server’s public IP address.
  • An A record with www.your_domain pointing to your server’s public IP address.
• Apache installed by following How To Install Apache on Debian 10. Be sure that you have a virtual host file set up for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.

How to Secure Apache with Let’s Encrypt on Debian 10

In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Debian 10 and set up your certificate to renew automatically. So join us to begin learning of How to Secure Apache with Let’s Encrypt on Debian 10.

1- How To Install  Certbot

Firstly, using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

As of this writing, Certbot is not available from the Debian software repositories by default. In order to download the software using apt, you will need to add the backports repository to your sources.list file where apt looks for package sources. Backports are packages from Debian’s testing and unstable distributions that are recompiled so they will run without new libraries on stable Debian distributions.

To add the backports repository, open (or create) the sources.list file in your /etc/apt/ directory:

sudo nano /etc/apt/sources.list

At the bottom of the file, add the following line:

. . .  deb http://mirrors.digitalocean.com/debian buster-backports main  deb-src http://mirrors.digitalocean.com/debian buster-backports main  deb http://ftp.debian.org/debian buster-backports main

This includes the main packages, which are Debian Free Software Guidelines (DFSG)-compliant, as well as the non-free and contrib components, which are either not DFSG-compliant themselves or include dependencies in this category.

Save and close the file by pressing CTRL+X, Y, then ENTER, then update your package lists:

sudo apt update

Next, install Certbot with the following command. Note that the -t option tells apt to search for the package by looking in the backports repository you just added:

sudo apt install python-certbot-apache -t buster-backports

Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify that Apache has been configured correctly.

2- How To Set Up The SSL Certificate

To configure SSL automatically, Certbot needs to be able to find the correct virtual host in your Apache configuration for it. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the How To Install Apache on Debian 10, you should have a VirtualHost block for your domain at /etc/apache2/sites available/your_domain.conf with the ServerName directive already set appropriately.

Of course, you can check it by opening the virtual host file for your domain using nano or your favorite text editor:

sudo nano /etc/apache2/sites-available/your_domain.conf

After that try to find the existing ServerName line. It should look like this, with your own domain name instead of your_domain:

...  ServerName your_domain;  ...

First, check, and if it doesn’t already, update the ServerName directive to point to your domain name. Then save the file, quit your editor, and verify the syntax of your configuration edits:

sudo apache2ctl configtest

Syntax OK

Facing any errors, reopen the virtual host file, and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

sudo systemctl reload apache2

3- How To Allow HTTPS Through the Firewall

Due to prerequisite guides, if you have the ufw firewall enabled, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, when installed on Debian, ufw comes packaged with a few profiles that help to simplify the process of changing firewall rules for HTTP and HTTPS traffic.

And to see the current setting:

sudo ufw status

The below output shows that only HTTP traffic is allowed to the webserver:

Status: active    To                         Action      From  --                         ------      ----  OpenSSH                    ALLOW       Anywhere                    WWW                        ALLOW       Anywhere                    OpenSSH (v6)               ALLOW       Anywhere (v6)               WWW (v6)                   ALLOW       Anywhere (v6)

Next, to additionally let in HTTPS traffic, allow the “WWW Full” profile and delete the redundant “WWW” profile allowance:

sudo ufw allow 'WWW Full'  sudo ufw delete allow 'WWW'

Then, you will receive the status below.

sudo ufw status

Status: active    To                         Action      From  --                         ------      ----  OpenSSH                    ALLOW       Anywhere                    WWW Full                   ALLOW       Anywhere                    OpenSSH (v6)               ALLOW       Anywhere (v6)               WWW Full (v6)              ALLOW       Anywhere (v6)

4- How To Obtain an SSL Certificate

Since the Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary, you can use the below command to use this plugin. Also, Certbot provides a variety of ways to obtain SSL certificates through plugins.

sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the –apache plugin, using -d to specify the names for which you’d like the certificate to be valid.

This is your first time running certbot? so you will be prompted to enter an email address and agree to the terms of service. Additionally, it will ask if you’re willing to share your email address with the Electronic Frontier Foundation, a nonprofit organization that advocates for digital rights and is also the maker of Certbot. Feel free to enter Y to share your email address or N to decline.

After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.  -------------------------------------------------------------------------------  1: No redirect - Make no further changes to the webserver configuration.  2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for  new sites, or if you're confident your site works on HTTPS. You can undo this  change by editing your web server's configuration.  -------------------------------------------------------------------------------  Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Now, select your choice then hit ENTER. The configuration will be updated automatically, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

IMPORTANT NOTES:   - Congratulations! Your certificate and chain have been saved at:     /etc/letsencrypt/live/your_domain/fullchain.pem     Your key file has been saved at:     /etc/letsencrypt/live/your_domain/privkey.pem     Your cert will expire on 2019-10-20. To obtain a new or tweaked     version of this certificate in the future, simply run certbot again     with the "certonly" option. To non-interactively renew *all* of     your certificates, run "certbot renew"   - Your account credentials have been saved in your Certbot     configuration directory at /etc/letsencrypt. You should make a     secure backup of this folder now. This configuration directory will     also contain certificates and private keys obtained by Certbot so     making regular backups of this folder is ideal.   - If you like Certbot, please consider supporting our work by:       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate     Donating to EFF:                    https://eff.org/donate-le

While your certificates are downloaded, installed, and loaded, you can reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

5-  How To Verify Certbot Auto-Renewal

Let’s Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

Do a dry run with certbot, to test the renewal process.

sudo certbot renew --dry-run

In order to see no errors, you’re all set. Also, Certbot will renew your certificates and reload Apache to pick up the changes when it is necessary. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

Conclusion

In this article, you learned how to install the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start. In case you are interested in reading more about this subject, have a look at other related articles.