How to Secure Apache with Let’s Encrypt on Debian 10

How to Secure Apache with Let's Encrypt on Debian 10

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this guide, we will use a separate Apache virtual host file instead of the default configuration file. We recommend creating new Apache virtual host files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.


To let this tutorial work better, please consider the below Prerequisites:

  • A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
  • Both of the following DNS records set up for your server. To set these up, you can follow these instructions for adding domains and then these instructions for creating DNS records.
    • An A record with your_domain pointing to your server’s public IP address.
    • An A record with www.your_domain pointing to your server’s public IP address.
  • Apache installed by following How To Install Apache on Debian 10. Be sure that you have a virtual host file set up for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.


Recommended Article: How to Install Anbox on Ubuntu 20.04 LTS

How to Secure Apache with Let’s Encrypt on Debian 10

In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Debian 10 and set up your certificate to renew automatically. So join us to begin learning of How to Secure Apache with Let’s Encrypt on Debian 10.


1- How To Install  Certbot

Firstly, using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

As of this writing, Certbot is not available from the Debian software repositories by default. In order to download the software using apt, you will need to add the backports repository to your sources.list file where apt looks for package sources. Backports are packages from Debian’s testing and unstable distributions that are recompiled so they will run without new libraries on stable Debian distributions.

To add the backports repository, open (or create) the sources.list file in your /etc/apt/ directory:

sudo nano /etc/apt/sources.list

At the bottom of the file, add the following line:

. . .  deb buster-backports main  deb-src buster-backports main  deb buster-backports main

This includes the main packages, which are Debian Free Software Guidelines (DFSG)-compliant, as well as the non-free and contrib components, which are either not DFSG-compliant themselves or include dependencies in this category.

Save and close the file by pressing CTRL+X, Y, then ENTER, then update your package lists:

sudo apt update

Next, install Certbot with the following command. Note that the -t option tells apt to search for the package by looking in the backports repository you just added:

sudo apt install python-certbot-apache -t buster-backports

Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify that Apache has been configured correctly.

2- How To Set Up The SSL Certificate

To configure SSL automatically, Certbot needs to be able to find the correct virtual host in your Apache configuration for it. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the How To Install Apache on Debian 10, you should have a VirtualHost block for your domain at /etc/apache2/sites available/your_domain.conf with the ServerName directive already set appropriately.

Of course, you can check it by opening the virtual host file for your domain using nano or your favorite text editor:

sudo nano /etc/apache2/sites-available/your_domain.conf

After that try to find the existing ServerName line. It should look like this, with your own domain name instead of your_domain:

...  ServerName your_domain;  ...

First, check, and if it doesn’t already, update the ServerName directive to point to your domain name. Then save the file, quit your editor, and verify the syntax of your configuration edits:

sudo apache2ctl configtest
Syntax OK

Facing any errors, reopen the virtual host file, and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

sudo systemctl reload apache2


3- How To Allow HTTPS Through the Firewall

Due to prerequisite guides, if you have the ufw firewall enabled, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, when installed on Debian, ufw comes packaged with a few profiles that help to simplify the process of changing firewall rules for HTTP and HTTPS traffic.

And to see the current setting:

sudo ufw status

The below output shows that only HTTP traffic is allowed to the webserver:

Status: active    To                         Action      From  --                         ------      ----  OpenSSH                    ALLOW       Anywhere                    WWW                        ALLOW       Anywhere                    OpenSSH (v6)               ALLOW       Anywhere (v6)               WWW (v6)                   ALLOW       Anywhere (v6)

Next, to additionally let in HTTPS traffic, allow the “WWW Full” profile and delete the redundant “WWW” profile allowance:

sudo ufw allow 'WWW Full'  sudo ufw delete allow 'WWW'

Then, you will receive the status below.

sudo ufw status
Status: active    To                         Action      From  --                         ------      ----  OpenSSH                    ALLOW       Anywhere                    WWW Full                   ALLOW       Anywhere                    OpenSSH (v6)               ALLOW       Anywhere (v6)               WWW Full (v6)              ALLOW       Anywhere (v6)



4- How To Obtain an SSL Certificate

Since the Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary, you can use the below command to use this plugin. Also, Certbot provides a variety of ways to obtain SSL certificates through plugins.

sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the –apache plugin, using -d to specify the names for which you’d like the certificate to be valid.

This is your first time running certbot? so you will be prompted to enter an email address and agree to the terms of service. Additionally, it will ask if you’re willing to share your email address with the Electronic Frontier Foundation, a nonprofit organization that advocates for digital rights and is also the maker of Certbot. Feel free to enter to share your email address or N to decline.

After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.  -------------------------------------------------------------------------------  1: No redirect - Make no further changes to the webserver configuration.  2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for  new sites, or if you're confident your site works on HTTPS. You can undo this  change by editing your web server's configuration.  -------------------------------------------------------------------------------  Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Now, select your choice then hit ENTER. The configuration will be updated automatically, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

IMPORTANT NOTES:   - Congratulations! Your certificate and chain have been saved at:     /etc/letsencrypt/live/your_domain/fullchain.pem     Your key file has been saved at:     /etc/letsencrypt/live/your_domain/privkey.pem     Your cert will expire on 2019-10-20. To obtain a new or tweaked     version of this certificate in the future, simply run certbot again     with the "certonly" option. To non-interactively renew *all* of     your certificates, run "certbot renew"   - Your account credentials have been saved in your Certbot     configuration directory at /etc/letsencrypt. You should make a     secure backup of this folder now. This configuration directory will     also contain certificates and private keys obtained by Certbot so     making regular backups of this folder is ideal.   - If you like Certbot, please consider supporting our work by:       Donating to ISRG / Let's Encrypt:     Donating to EFF:          


While your certificates are downloaded, installed, and loaded, you can reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Recommended Article: How to Secure Apache with Let’s Encrypt on Debian 10

5-  How To Verify Certbot Auto-Renewal

Let’s Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

Do a dry run with certbot, to test the renewal process.

sudo certbot renew --dry-run

In order to see no errors, you’re all set. Also, Certbot will renew your certificates and reload Apache to pick up the changes when it is necessary. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.




In this article, you learned how to install the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start. In case you are interested in reading more about this subject, have a look at other related articles.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

View More Posts
Marilyn Bisson
Content Writer
Eldernode Writer
We Are Waiting for your valuable comments and you can be sure that it will be answered in the shortest possible time.

10 thoughts on “How to Secure Apache with Let’s Encrypt on Debian 10

    1. While all major certificates, like Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry have trusted this, it is a good idea to follow them and trust to Let’s encrypt.

    1. As you read in the article, yes it is a free, automated, and open certificate authority (CA) and run for the public’s benefit.

    1. After log in to the account control center, click security from the left sidebar and then click Manage Your SSL from the drop down. Next you should see which domains have Let’s Encrypt enabled and finally confirm your decision by clicking Disable Let’s Encrypt on the next page.

    1. To verify the renewal process, type the below command.
      Note: Certbot automatically renews the SSL certificate 30 days prior to its expiration.
      sudo certbot renew --dry-run

    1. By default an SSL certificate error occurs when a web browser can’t verify the SSL certificate installed on a site. Check the below points to solve it.

      • Diagnose the problem with an online tool.
      • Install an intermediate certificate on your web server.
      • Generate a new Certificate Signing Request.
      • Upgrade to a dedicated IP address.
      • Get a wildcard SSL certificate.
      • Change all URLS to HTTPS.
      • Renew your SSL certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are by your side every step of the way

Think about developing your online business; We will protect it compassionately

We are by your side every step of the way


7 days a week, 24 hours a day