Let's Encrypt is a Certificate Authority (CA) that provides a flexible way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.
At the moment, the entire process of obtaining and installing a certificate on a server is fully automated on both Apache and Nginx.
In this guide, we shall look into how to obtain a free SSL certificate and secure Apache with Let's Encrypt on Debian.
How to Set Up a Let's Encrypt SSL Certificate on Apache?
Before proceeding with this procedure, ensure that the following prerequisites are met:
- A Debian 9 system with a non-root user that has sudo privileges.
- Your domain name should point to your server's IP address.
- Apache should be installed and configured, as shown in this guide.
- An Apache virtual host for your domain, as shown in this guide.
First, we will install the Certbot client, which obtains the free SSL certificate and sets that certificate up to renew automatically.
1. Install Certbot
Start by installing the Certbot client package on your server so that it can obtain a Let's Encrypt SSL certificate. The certbot package is available in the default Debian repositories,
so update the package list and install certbot with the following commands:
$ sudo apt update
$ sudo apt install certbot
Certbot is now ready to use, but before it can configure SSL for Apache we need to verify that Apache itself has been configured correctly.
2. Set Up the SSL Certificate
To configure SSL automatically, Certbot must be able to find the correct virtual host in your Apache configuration. It looks for a ServerName directive that matches the domain for which you request the certificate.
Make sure that the Apache virtual host for your domain sets the ServerName directive properly, as described in How To Set Up Apache Virtual Hosts on Debian 9.
If ServerName is not set, add or update it so that it points to your domain name.
Certbot can now find the correct VirtualHost block and update it accordingly.
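As an added example (not part of the original guide or of Certbot), the following shell script checks the condition described above before you run certbot: it reads an Apache virtual host file and reports whether a ServerName or ServerAlias directive names the domain you intend to request. The vhost file path and the domain are assumptions passed in as arguments, and the sample vhost the script writes is constructed for the demonstration rather than taken from a real server.

```shell
#!/bin/sh
# Added example: verify that an Apache vhost file names the domain certbot will ask for.
# Not part of the original guide; the vhost file path and the domain are arguments
# supplied by the caller (assumptions), and the sample vhost below is constructed.

# vhost_matches_domain <vhost.conf> <domain>
# Returns 0 if a ServerName or ServerAlias directive lists <domain>,
# 1 if not, 2 if the file cannot be read. Comment lines are ignored and a
# trailing ":port" on the name (e.g. "ServerName example.com:80") is stripped.
vhost_matches_domain() {
    conf="$1"
    domain="$2"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v want="$domain" '
        /^[[:space:]]*#/ { next }                 # skip commented-out directives
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {            # ServerAlias may list several names
                name = $i
                sub(/:[0-9]+$/, "", name)          # drop a ":80"-style port suffix
                if (tolower(name) == tolower(want)) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$conf"
}

# make_sample_vhost writes a constructed vhost file (NOT a real server's config)
# to a temporary path and prints that path.
make_sample_vhost() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    # ServerName commented.example   (commented out; must not count)
    ServerAdmin webmaster@example.com
    ServerName example.com:80
    ServerAlias www.example.com static.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
EOF
    echo "$f"
}

# Demonstration: check the names you would pass to "certbot --apache -d ...".
sample=$(make_sample_vhost)
for d in example.com www.example.com commented.example; do
    if vhost_matches_domain "$sample" "$d"; then
        echo "$d: found in vhost, certbot --apache can select this block"
    else
        echo "$d: NOT found, add ServerName/ServerAlias before running certbot"
    fi
done
rm -f "$sample"
```

Run it against your real file with `vhost_matches_domain /etc/apache2/sites-available/example.com.conf example.com` (path assumed; use your own) for every name you will pass with `-d`. A name that is only present in a commented-out line, or only differs by port, is handled the same way Apache handles it, so a miss here means certbot will not be able to pick the block either.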
Next, we will allow HTTPS through the firewall.
3. Allow HTTPS Through the Firewall
To serve SSL, your firewall must allow HTTPS traffic. If you have the ufw firewall enabled, you need to adjust its rules to allow HTTPS. On Debian, ufw ships with pre-defined application profiles that make changing firewall rules simple. You can check the current ufw rules by typing:
$ sudo ufw status
For SSL certificates, the "WWW Full" profile (HTTP and HTTPS) should be allowed. If you don't see "WWW Full" in the output, allow it with the following command:
$ sudo ufw allow 'WWW Full'
Next, we are going to obtain an SSL certificate.
4. Obtain an SSL Certificate
There are multiple ways to obtain a Let's Encrypt certificate through Certbot plugins. Execute the following command to obtain an SSL certificate with the Apache plugin:
$ sudo certbot --apache -d example.com -d www.example.com
This requests an SSL certificate for both the example.com and www.example.com domains. If you are executing certbot for the first time, it will prompt you for an email address, which is used for sending alerts related to SSL renewal and expiration. It will also ask you to agree to the terms of service.
After that, certbot communicates with the Let's Encrypt server and then runs a challenge to verify that you control the domain for which you're requesting a certificate.
Let's Encrypt performs Domain Validation (DV) automatically through its validation challenges. Once the Certificate Authority (CA) has verified that you control the domain, the SSL certificate is issued. You don't need to create a virtual host for SSL/HTTPS manually; it is created automatically.
If validation succeeds, certbot asks how you'd like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose the option you prefer and press Enter to continue. Your virtual host is updated automatically and Apache is reloaded so that the new settings take effect.
At the end, it shows a success message.
Your domain is now secured with a Let's Encrypt SSL certificate. You can check by visiting your site over HTTPS.
How to Auto-Renew a Let's Encrypt SSL Certificate?
Let's Encrypt SSL certificates are valid for 90 days, so you need to renew them before they expire. To prevent SSL expiration, you can use Certbot's auto-renew facility. The certbot package installs a cron job in /etc/cron.d that runs twice a day and automatically renews any certificate 30 days before its expiration. You can test the renewal process by typing:
$ sudo certbot renew --dry-run
If no errors are reported, renewal is working.
From now on, Certbot will take care of your SSL expiration: it renews your certificates and reloads Apache to pick up the changes automatically.
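The cron job renews silently, so a practitioner usually wants a check that flags certificates it has failed to renew before they expire. The script below is an added example, not part of the original guide or of Certbot: it parses the listing that `sudo certbot certificates` prints (the sample lines here are constructed, not captured from a real server, and follow that subcommand's "Expiry Date: ... (VALID: N days)" layout) and reports any certificate with fewer than 30 days left, the point at which automatic renewal should already have happened, as well as any entry Certbot marks INVALID.

```shell
#!/bin/sh
# Added example: flag certificates that Certbot's scheduled renewal has apparently
# missed. Not from the original guide or from Certbot itself. Input is the text that
# "sudo certbot certificates" prints, saved to a file; the sample below is constructed.

# certs_due_for_renewal <listing-file> [threshold-days]
# Prints "<name> <days-left>" for every certificate with fewer than
# threshold-days (default 30, Certbot's own renewal window) remaining, and
# "<name> invalid" for entries Certbot marks INVALID (e.g. already expired).
certs_due_for_renewal() {
    listing="$1"
    limit="${2:-30}"
    awk -v limit="$limit" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            # Typical line: "Expiry Date: 2019-06-15 12:00:00+00:00 (VALID: 89 days)"
            if (match($0, /VALID: [0-9]+ days/)) {
                days = substr($0, RSTART + 7, RLENGTH - 12) + 0   # the digits only
                if (days < limit) print name, days
            } else if ($0 ~ /INVALID/) {
                print name, "invalid"
            }
        }
    ' "$listing"
}

# make_sample_listing writes constructed "certbot certificates" output (dates and
# names invented for the demonstration) to a temporary file and prints its path.
make_sample_listing() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-06-15 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: stale.example
    Domains: stale.example
    Expiry Date: 2019-03-30 08:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/stale.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stale.example/privkey.pem
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2018-12-01 08:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example/privkey.pem
EOF
    echo "$f"
}

# Demonstration: on a real host, replace the sample with
#   sudo certbot certificates > /tmp/certs.txt   (path is an assumption)
sample=$(make_sample_listing)
due=$(certs_due_for_renewal "$sample")
if [ -n "$due" ]; then
    echo "Certificates needing attention (renewal may be failing; run 'sudo certbot renew --dry-run'):"
    echo "$due"
else
    echo "All certificates have at least 30 days left"
fi
rm -f "$sample"
```

A certificate that shows up here with the cron job in place means renewal is failing for it (for example because the ServerName no longer matches or port 80 is blocked), and the dry run from the previous step will usually show why.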