How to Install Let’s Encrypt SSL in Apache on Debian 11
Let’s Encrypt is a certificate authority that provides free SSL certificates for websites. It was launched in 2014 with the goal of making all websites secure and served over HTTPS.
In addition to offering SSL certificates, it also helps with the implementation and automatic renewal of certificates. Let’s Encrypt is the world’s largest certificate authority, used by more than 250 million websites.
At the time of writing, Let’s Encrypt supports the automatic installation of certificates on Apache, Nginx, Plex, and HAProxy.
Here, we will see how to install Let’s Encrypt SSL Certificate in Apache on Debian 11.
Prerequisites
Install Apache Webserver
I recommend you install the Apache webserver on your system before you proceed further.
READ: How to Install LAMP Stack on Debian 11
OR
Use the apt command to install the Apache webserver.
sudo apt update
sudo apt install -y apache2
Enable Modules
Use the below command to enable SSL and rewrite modules.
sudo a2enmod ssl rewrite
Create Virtualhost
First, we will need to create an Apache virtual host to serve the HTTP version of your website.
sudo nano /etc/apache2/sites-available/www.itzgeek.net.conf
Use the below configuration for your website. Do remember to change the values based on your requirement. If you do not use the www subdomain, you can remove the ServerAlias.
<VirtualHost *:80>
    ServerName itzgeek.net
    ServerAlias www.itzgeek.net
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/www.itzgeek.net
    ErrorLog ${APACHE_LOG_DIR}/www.itzgeek.net_error.log
    CustomLog ${APACHE_LOG_DIR}/www.itzgeek.net_access.log combined
    <Directory /var/www/html/www.itzgeek.net>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Once you have created the virtual host configuration file, enable the site.
sudo a2ensite www.itzgeek.net
Next, create a root directory to hold your website’s files.
sudo mkdir -p /var/www/html/www.itzgeek.net/
Then, change the ownership and group of the directory.
sudo chown -R www-data:www-data /var/www/html/www.itzgeek.net/
Finally, place the test HTML file on the document root of the website.
echo "This is a test site @ www.itzgeek.net" | sudo tee /var/www/html/www.itzgeek.net/index.html
Reload the Apache service to re-read the configuration.
sudo systemctl reload apache2
Create / Update DNS Record
To generate a Let’s Encrypt SSL certificate, you will need to point your domain to your server IP. So, go to your domain registrar and create an A/CNAME record for your domain. For example, the below image shows the A/CNAME record for the domain www.itzgeek.net.
NOTE: After making changes to the DNS record, you will need to wait a few minutes to a few hours, depending on the TTL you set for the DNS record.
Install Let’s Encrypt SSL Certificate in Apache
Install Certbot
The Certbot ACME client handles the certificate issuance and installation with no downtime. It is available as a snap package for the Debian operating system. So, first, install the snapd package.
sudo apt update
sudo apt install -y snapd
Then, update the snapd to the latest version.
sudo snap install core; sudo snap refresh core
Finally, install the Certbot client using the snap command and link it so that you can invoke the certbot command from anywhere regardless of the current working directory.
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Install Let’s Encrypt Certificate
Use the certbot command to create a Let’s Encrypt certificate and configure Apache to use the certificate.
sudo certbot --apache
You will need to follow the interactive prompt and install the certificate. Since I have created a virtual host for both itzgeek.net and www.itzgeek.net, I will also need to install SSL certificates for both domains. Then, I will redirect all the traffic to www.itzgeek.net via rewrite rules.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected] << Enter Email ID

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y << Agree to Terms and Conditions

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N << Subscriber to Newsletter
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: itzgeek.net
2: www.itzgeek.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2 << Select the site to Install Let's Encrypt SSL Certificate
Requesting a certificate for itzgeek.net and www.itzgeek.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/itzgeek.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/itzgeek.net/privkey.pem
This certificate expires on 2022-01-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for itzgeek.net to /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf
Successfully deployed certificate for www.itzgeek.net to /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://itzgeek.net and https://www.itzgeek.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Once you activate HTTPS for your domain, the Certbot client will place the necessary rewrite rules to redirect traffic from the HTTP site to the HTTPS site.
In my case, it has placed two rules for the below redirections.
- http://itzgeek.net >> https://itzgeek.net
- http://www.itzgeek.net >> https://www.itzgeek.net
As you can see, the first redirection does not reach the www HTTPS version of the domain. So, you may need to follow the below section to set it up.
Redirect non-www HTTP requests to www HTTPS with Apache
You may want to configure the Apache webserver to redirect the traffic from the non-www HTTP site to the www HTTPS site, i.e., http://itzgeek.net >> https://www.itzgeek.net.
Edit the Let’s Encrypt SSL virtual host file (not your original virtual host file).
sudo nano /etc/apache2/sites-available/www.itzgeek.net-le-ssl.conf
Add the below rules before the </VirtualHost>. Change the domain name as per your requirement.
# Redirect NON-WWW HTTP to WWW HTTPS
RewriteEngine on
RewriteCond %{SERVER_NAME} =itzgeek.net
RewriteRule ^ https://www.itzgeek.net%{REQUEST_URI} [END,NE,R=permanent]
Then, restart the Apache service.
sudo systemctl restart apache2
Verify Let’s Encrypt Certificate
You can verify the Let’s Encrypt certificate by visiting your website.
You should get the HTTPS version of your site now.
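The redirect chain set up above (Certbot's HTTP to HTTPS rule, then the non-www to www rule) can also be checked from the command line. The following is an added example, not part of the original post; the function names are hypothetical and the sample headers are constructed, not captured from the live site.

```sh
#!/bin/sh
# Added example (not from the original post). Sample headers are constructed.

# redirect_chain: reads `curl -sIL` output on stdin and prints one line per
# response: "<status> <Location value, or - if none>".
redirect_chain() {
    tr -d '\r' | awk '
        function emit() { if (seen) print status, (loc == "" ? "-" : loc) }
        /^HTTP\//                  { emit(); status = $2; loc = ""; seen = 1 }
        tolower($1) == "location:" { loc = $2 }
        END                        { emit() }'
}

# chain_ok PREFIX: reads redirect_chain output; succeeds only if every
# redirect targets https://, the last redirect starts with PREFIX, and the
# final response status is 200.
chain_ok() {
    awk -v want="$1" '
        $1 ~ /^30[1278]$/ { if ($2 !~ /^https:\/\//) bad = 1; last = $2; next }
                          { final = $1 }
        END { exit !(bad == 0 && final == "200" && index(last, want) == 1) }'
}

# Constructed sample of what `curl -sIL http://itzgeek.net/` could return
# once both the Certbot rule and the www rule are in place.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 301 Moved Permanently' 'Location: https://itzgeek.net/' '' \
        'HTTP/1.1 301 Moved Permanently' 'Location: https://www.itzgeek.net/' '' \
        'HTTP/1.1 200 OK' 'Content-Type: text/html' ''
}

# Print the hops of the constructed sample.
sample_headers | redirect_chain

# Live use against your own server:
#   curl -sIL http://itzgeek.net/ | redirect_chain | chain_ok https://www.itzgeek.net/
```

A redirect hop that points back to plain http:// or a chain that stops at the non-www host makes chain_ok return a non-zero status.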
Test SSL Certificate
Test your Let’s Encrypt SSL certificate for any issues and its security ratings by going to the below URL.
Renew Let’s Encrypt Certificate
As you know, Let’s Encrypt certificates have a validity of 90 days, and you have to ensure they are renewed on time. The renewal process is now automated, thanks to the systemd service provided by the Certbot client. So, you do not have to renew them manually.
However, it is recommended to test certificate renewals by simulating the automatic renewal of SSL certificates by running the below command.
sudo certbot renew --dry-run
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/itzgeek.net.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Account registered. Simulating renewal of an existing certificate for itzgeek.net and www.itzgeek.net - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/itzgeek.net/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If the output confirms that the test renewal is successful, the automatic renewal will happen as expected.
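A dry run confirms that renewal can work; it does not tell you the state of the certificate currently on disk. The following added example (not from the original post) checks the files Certbot reported above for remaining validity, hostname coverage and a matching private key. The function names are hypothetical, and the 30-day threshold is an assumption chosen to sit inside the 90-day lifetime.

```sh
#!/bin/sh
# Added example (not from the original post): checks for an issued certificate.

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_covers CERT NAME: succeeds if the leaf certificate is valid for NAME.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_matches_key CERT KEY: succeeds if KEY is the private key for CERT,
# by comparing the public key extracted from each file.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_cert CERT KEY MIN_DAYS NAME...: prints one line per failed check and
# returns non-zero if any check failed.
check_cert() {
    cert=$1 key=$2 min_days=$3; shift 3; rc=0
    cert_valid_for "$cert" "$min_days" ||
        { echo "FAIL: expires within $min_days days"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    for name in "$@"; do
        cert_covers "$cert" "$name" ||
            { echo "FAIL: $name is not covered"; rc=1; }
    done
    return "$rc"
}

# Usage, as root (the Let's Encrypt private key is readable by root only):
#   check_cert /etc/letsencrypt/live/itzgeek.net/fullchain.pem \
#              /etc/letsencrypt/live/itzgeek.net/privkey.pem \
#              30 itzgeek.net www.itzgeek.net
```

Run from a daily cron job or monitoring agent, a non-zero exit status signals that the automatic renewal has stopped working before visitors see an expired certificate.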
Conclusion
That’s all. I hope you learned how to install a Let’s Encrypt SSL certificate in Apache on Debian 11.