Secure Apache Web Server with Lets Encrypt on Debian 12

This guide shows how to secure an Apache web server with Let’s Encrypt on Debian 12. Let’s Encrypt is a free certificate authority that provides digital certificates for enabling HTTPS (SSL/TLS) on web servers. With a Let’s Encrypt certificate, you can encrypt the traffic between your server and your users, enhancing security and building trust. You will install Certbot on Debian 12 and use it to get your SSL certificates from Let’s Encrypt.

Before you start, you need some prerequisites. Let’s see what we need.

Requirements for Apache Let’s Encrypt

You must have access to your server as a non-root user with sudo privileges. For this purpose, you can follow this guide on Initial Server Setup with Debian 12 Bookworm.

Also, you must have Apache installed on your server and create a virtual host file. To do this, you can visit this guide on How To Install Apache Web Server on Debian 12.

Now follow the steps below to Secure Apache Web Server with Lets Encrypt on Debian 12.

Step 1 – Install Certbot on Debian 12 Bookworm

As we said, we use Certbot to get our SSL certificate for Apache. The Certbot package is not available in the default Debian 12 repository. So we use the snap package manager to install it.

First, run the system update with the following command:

sudo apt update

Then, install Snap on Debian 12 by using the command below:

sudo apt install snapd -y

After this, you need to install some dependencies on your server that are needed for any snap you install, including the Certbot snap.

Now use the snap command to install the core snap:

sudo snap install core
**Output**
core 16-2.58.3 from Canonical✓ installed

Then, refresh the core snap with the following command:

sudo snap refresh core

At this point, you can install the certbot snap with the following command:

sudo snap install --classic certbot
**Output**
certbot 2.6.0 from Certbot Project (certbot-eff✓) installed

This installation process will install the certbot executable in the /snap/bin/ directory.

You need to create a symbolic link to this file in the /usr/bin/ directory to make sure that you can run the certbot command on your system:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 2 – Check Apache Web Server Configuration on Debian 12

Certbot needs to find the correct virtual host in your Apache configuration to automatically configure SSL.

Open the virtual host file for your domain with your favorite text editor and check that the server name matches the domain you are requesting a certificate for:

sudo vi /etc/apache2/sites-available/<example.com>.conf

Find the ServerName line and make sure that it is pointing to your domain name.

...
ServerName your_domain
...

Then save and close your file.

Now verify the syntax of your configuration edits with the following command:

sudo apache2ctl configtest

In your output, you should see:

...
Syntax OK

Note: If you get an error, open the virtual host file again and check for any typos or missing characters.

Then, reload Apache to apply the new configuration with the following command:

sudo systemctl reload apache2

At this point, certbot can find the correct virtual host block and update it.
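The ServerName check from this step can also be scripted. The following is an added example, not part of the original guide or of Certbot: `vhost_check`, `sample_vhost` and the status strings are hypothetical names, and the virtual host shown is constructed sample input. It also accepts the optional scheme and port that Apache allows in ServerName, and it flags a stray trailing character such as a semicolon, which Apache would otherwise treat as part of the host name.

```shell
#!/bin/sh
# Added example: check that a virtual host file declares the domain you are
# about to request a certificate for.

# vhost_check FILE DOMAIN   (FILE may be "-" to read standard input)
# Prints: match | malformed:<value as written> | missing
# Wildcard aliases such as *.example.com are compared literally, not expanded.
vhost_check() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); status = "missing" }
        /^[ \t]*#/ { next }                       # skip commented-out lines
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {
                v = tolower($i)
                sub(/^[a-z]+:\/\//, "", v)        # optional scheme
                sub(/:[0-9]+$/, "", v)            # optional port
                if (v == want) { status = "match"; exit }
                # Same name followed by a stray character, e.g. "example.com;"
                if (index(v, want) == 1 &&
                    substr(v, length(want) + 1) !~ /^[a-z0-9.-]/)
                    status = "malformed:" $i
            }
        }
        END { print status }
    ' "$1"
}

# Constructed sample input: one commented-out name, one name with a stray
# semicolon, one valid alias.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    # ServerName old.example.net
    ServerName example.com;
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
EOF
}

for d in example.com www.example.com old.example.net; do
    printf '%-18s %s\n' "$d" "$(sample_vhost | vhost_check - "$d")"
done
```

On a server, pass the real file instead of the sample, for example the virtual host file opened above, and only continue to the certificate request when the result is `match`.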

Step 3 – Configure Firewall For Apache

Next, update the firewall to allow HTTPS traffic. We assume that you have already set up the ufw firewall as described in the requirements.

See the current settings with the following command:

sudo ufw status

To allow HTTPS traffic, run the commands below, which allow the “WWW Full” profile and then delete the “WWW” profile:

sudo ufw allow 'WWW Full'
sudo ufw delete allow 'WWW'

Now check the ufw status:

sudo ufw status
**Output**
Status: active

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
WWW Full (v6)              ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Now you can get an SSL certificate with Let’s Encrypt on Debian 12.

Step 4 – Generate SSL Certificates for Apache from Let’s Encrypt on Debian 12

The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary.

You can now use this plugin to get your SSL certificate with Let’s Encrypt. To do this, run the command below:

sudo certbot --apache -d your_domain

You will be asked some questions. The first is to enter your email address. After that, you can press y and Enter to continue.

If that’s successful, the configuration will be updated automatically and Apache will reload to pick up the new settings.

In your output, you will see:

[Image of Certbot Apache Run]

You can reload your website by using https://your_domain_name and you should see the lock icon in your browser.

Also, you can test your server by using the SSL Labs Server Test. You will get an A grade from there.

Renew SSL Certificates

Let’s Encrypt certificates are only valid for 90 days. You can add a renewal script to /etc/cron.d that runs twice a day and automatically renews any certificate that’s within thirty days of expiration.

Run the command below to test the renewal process:

sudo certbot renew --dry-run

In your output, you will see:

[Image of Certbot Renew Run]
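To confirm that automatic renewal keeps working after the dry run, you can monitor how long the installed certificate has left against the thirty-day renewal window. The following is an added example, not part of the original guide or of Certbot: the function names and state strings are hypothetical, the dates are constructed sample values, and it assumes GNU date and, for `cert_not_after`, the openssl command.

```shell
#!/bin/sh
# Added example: classify a certificate against the 30-day renewal window.
RENEW_WINDOW_DAYS=30

# cert_not_after FILE: expiry date of a PEM certificate as openssl prints it,
# e.g. "May 30 00:00:00 2025 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# renewal_state NOT_AFTER [NOW_EPOCH]
# Prints: "OK <days>d", "RENEWAL_DUE <days>d", "EXPIRED" or "UNPARSEABLE".
# Comparisons are done in seconds so a certificate that expired a few hours
# ago is not rounded to "0 days left".
renewal_state() (
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; exit 0; }
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        # Inside the window: the twice-daily job should replace this
        # certificate soon. If this state persists, renewal is failing.
        echo "RENEWAL_DUE $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
)

# Constructed sample dates, evaluated against a fixed "now" of 2025-03-01 UTC.
now=$(date -u -d '2025-03-01 00:00:00' +%s)
for not_after in 'May 30 00:00:00 2025 GMT' \
                 'Mar 21 00:00:00 2025 GMT' \
                 'Feb  1 00:00:00 2025 GMT'; do
    printf '%-26s %s\n' "$not_after" "$(renewal_state "$not_after" "$now")"
done

# On a server (Certbot's default certificate location, your_domain is a
# placeholder):
#   renewal_state "$(cert_not_after /etc/letsencrypt/live/your_domain/cert.pem)"
```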

Conclusion

At this point, you have learned to secure an Apache web server with Let’s Encrypt on Debian 12. You have also learned to renew your SSL certificates.

Alternative Solutions for Securing Apache with Let’s Encrypt on Debian 12

While Certbot is a fantastic and widely used tool, there are alternative approaches to securing your Apache web server with Let’s Encrypt certificates on Debian 12. Here are two options:

1. Using ACME.sh

ACME.sh is a pure Unix shell script implementing the ACME protocol. It doesn’t require snapd or any other external dependencies beyond basic shell utilities, making it a lightweight and flexible alternative to Certbot.

Explanation:

ACME.sh obtains, renews, and installs Let’s Encrypt certificates. It supports various methods of domain verification, including HTTP and DNS challenges. It’s particularly useful in environments where snapd is undesirable or unavailable. It automatically renews certificates and offers comprehensive customization options.

Installation and Usage:

  1. Install ACME.sh:

    curl https://get.acme.sh | sh
    source ~/.acme.sh/acme.sh.env
  2. Issue a certificate: (Using HTTP challenge, ensure your webserver is running)

    acme.sh --issue -d your_domain -w /var/www/your_domain
    • -d your_domain: Specifies the domain name.
    • -w /var/www/your_domain: Specifies the webroot directory for HTTP challenge verification. Adjust this to your actual document root.
  3. Install the certificate to Apache:

    ACME.sh needs to know how to configure your Apache server. Create a suitable configuration file (e.g., /etc/apache2/sites-available/your_domain-ssl.conf) and then install the certificate:

    acme.sh --installcert -d your_domain \
        --certpath /etc/apache2/ssl/your_domain.crt \
        --keypath /etc/apache2/ssl/your_domain.key \
        --fullchainpath /etc/apache2/ssl/your_domain.fullchain.crt \
        --reloadcmd "systemctl reload apache2"

    You’ll need to create the /etc/apache2/ssl directory beforehand if it doesn’t exist: sudo mkdir /etc/apache2/ssl and also adjust the paths in the command to match your chosen locations. Create symlinks to the installed certificates for Apache to use:

    sudo ln -s /etc/apache2/ssl/your_domain.fullchain.crt /etc/apache2/ssl/your_domain.crt

    Apache Configuration Example (/etc/apache2/sites-available/your_domain-ssl.conf):

    <VirtualHost *:443>
        ServerName your_domain
        DocumentRoot /var/www/your_domain
    
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/your_domain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/your_domain.key
    
        <Directory /var/www/your_domain>
            AllowOverride All
            Require all granted
        </Directory>
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    Remember to enable the site: sudo a2ensite your_domain-ssl.conf and restart Apache: sudo systemctl restart apache2

  4. Automatic Renewal: ACME.sh automatically renews certificates every 60 days via a cron job it sets up during installation.

2. Using a Web Hosting Control Panel (e.g., Virtualmin)

If you are managing multiple websites, a web hosting control panel can simplify the process of securing them with Let’s Encrypt. Virtualmin is a popular, open-source control panel that integrates seamlessly with Let’s Encrypt.

Explanation:

Virtualmin provides a graphical interface for managing web hosting accounts, including creating virtual hosts, managing databases, and configuring email. It also includes a Let’s Encrypt integration that allows you to obtain and renew SSL certificates with a few clicks. This is a user-friendly solution for users who prefer a GUI over command-line tools.

Installation and Usage (Conceptual):

  1. Install Virtualmin: Follow the instructions on the Virtualmin website for installing it on Debian 12. This usually involves running an installation script.

  2. Create a Virtual Host: Through the Virtualmin interface, create a new virtual host for your domain.

  3. Enable Let’s Encrypt: Navigate to the SSL Certificate section for your virtual host within Virtualmin. There should be an option to request a Let’s Encrypt certificate. Virtualmin will handle the domain verification and certificate installation automatically.

  4. Automatic Renewal: Virtualmin automatically manages certificate renewals.

Note: The specific steps for installing and using Virtualmin can vary slightly depending on your configuration. Refer to the Virtualmin documentation for detailed instructions. Virtualmin usually requires a clean install of Debian; installing it on a system already running other services can lead to conflicts.

These alternative methods offer different approaches to securing your Apache web server with Let’s Encrypt, providing flexibility based on your specific needs and preferences. ACME.sh is ideal for command-line enthusiasts and those seeking a lightweight solution, while Virtualmin simplifies the process for users managing multiple websites through a graphical interface.
