Let's Encrypt is a Certificate Authority (CA) that provides a flexible way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers.
This simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.
At the moment, the entire process of obtaining and installing a certificate on a server is fully automated for both Apache and Nginx.
In this guide we look at how to obtain a free SSL certificate and secure Apache with Let's Encrypt on Debian.
Before proceeding with this procedure, ensure that the following prerequisites are met:
First, we will install the Certbot client, which obtains the free SSL certificate and sets it up to renew automatically.
1. Install Certbot
Start by installing the Certbot client package on your server so that it can obtain a Let's Encrypt SSL certificate. The certbot package is available in the default Debian repositories.
Update the package list and install the certbot package with the following commands:
$ sudo apt update
$ sudo apt install certbot
Certbot is now ready to use, but before it can configure SSL for Apache we need to verify that Apache itself is configured correctly.
2. Set Up the SSL Certificate
To configure SSL automatically, Certbot must be able to find the correct virtual host in your Apache configuration. It looks for a ServerName directive that matches the domain for which you request the certificate.
Make sure the Apache virtual host for your domain has the ServerName directive set correctly, as described in How To Set Up Apache Virtual Hosts on Debian 9.
If ServerName is not set, add or update it so that it points to your domain name.
Certbot can now find the correct VirtualHost block and update it.
Next, we will allow HTTPS through the firewall.
3. Allow HTTPS Through the Firewall
To configure SSL, your firewall must allow HTTPS traffic. If you have the ufw firewall enabled, you need to adjust its rules to allow HTTPS. On Debian, ufw ships with predefined application profiles that make changing firewall rules simple. You can check the current ufw rules by typing:
$ sudo ufw status
To serve SSL certificates, the firewall must allow the "WWW Full" profile, which covers both HTTP and HTTPS. If you cannot see "WWW Full" in the output, allow it with the following command:
$ sudo ufw allow 'WWW Full'
Next, we obtain the SSL certificate.
4. Obtain an SSL Certificate
Certbot offers several plugins for obtaining a Let's Encrypt certificate; here we use the Apache plugin. Run the following command to obtain an SSL certificate:
$ sudo certbot --apache -d example.com -d www.example.com
This requests an SSL certificate covering both example.com and www.example.com. If you are running Certbot for the first time, it prompts you for an email address, which is used for alerts about certificate renewal and expiration. It also asks you to agree to the terms of service.
After that, Certbot contacts the Let's Encrypt server and runs a challenge to verify that you control the domain for which you are requesting a certificate.
Let's Encrypt performs Domain Validation (DV) automatically using one of several challenge types. Once the Certificate Authority (CA) has verified that you control the domain, the SSL certificate is issued. You do not need to create a virtual host for SSL/HTTPS manually; Certbot creates it automatically.
If validation succeeds, Certbot asks how you would like to configure your HTTPS settings:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose the option you prefer and press Enter. Your virtual host is updated automatically and Apache is reloaded so the new settings take effect.
At the end, Certbot shows a success message.
Your domain is now secured with a Let's Encrypt SSL certificate. You can check by visiting your site over HTTPS.
Let's Encrypt SSL certificates are valid for 90 days, so they must be renewed before they expire. To avoid expiry, use Certbot's automatic renewal. The certbot package installs a cron job under /etc/cron.d that runs twice a day and renews any certificate that is within 30 days of expiration. You can test the renewal process by typing:
$ sudo certbot renew --dry-run
If no errors are reported, renewal is working.
From now on, Certbot takes care of expiry: it renews your certificates and reloads Apache to pick up the changes automatically.
This article covered how to use the Certbot client of Let's Encrypt to obtain an SSL certificate for your domain.
To set up the DNS records for your server, you can follow these instructions for adding domains and then these instructions for creating DNS records:
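The two places where this procedure most often fails in practice are a virtual host that does not name every domain passed with -d (section 2) and a firewall or renewal step that was skipped (sections 3 and 4). The script below is an added example, not part of the original article: it parses a vhost file for ServerName and ServerAlias names, reports any requested domain the vhost does not declare, builds the certbot command from the article for a list of domains, and only runs the privileged steps when you call run_setup yourself. The vhost content is a constructed sample, and the path /etc/apache2/sites-available/<domain>.conf used by run_setup is an assumption about your layout.

```shell
#!/bin/sh
# Added example (not from the original article): preflight check for the
# Apache virtual host, then the article's commands assembled into one run.

# Constructed sample vhost content, standing in for a real
# /etc/apache2/sites-available/example.com.conf on the server.
SAMPLE_VHOST='<VirtualHost *:80>
    # primary name plus two aliases
    ServerName example.com
    ServerAlias www.example.com blog.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>'

# vhost_names CONFIG_TEXT
# Prints, one per line, every name declared by ServerName or ServerAlias.
# ServerAlias may list several names on one line; comment lines are skipped.
vhost_names() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "ServerName" || $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# missing_domains CONFIG_TEXT DOMAIN...
# Prints each requested domain the vhost does not declare. Returns 0 when
# every domain is present, i.e. when certbot --apache can match them all.
missing_domains() {
    config=$1; shift
    names=$(vhost_names "$config")
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$d"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# certbot_cmd DOMAIN...
# Builds the certbot invocation from the article, one -d flag per domain.
certbot_cmd() {
    cmd="certbot --apache"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# run_setup DOMAIN...
# The privileged steps from the article (ufw rule, certificate request,
# renewal dry run). Nothing here runs unless you call run_setup explicitly.
# Assumption: the vhost file is named after the first domain you pass.
run_setup() {
    conf="/etc/apache2/sites-available/$1.conf"
    if ! missing=$(missing_domains "$(cat "$conf")" "$@"); then
        echo "add ServerName/ServerAlias for: $missing in $conf before running certbot" >&2
        return 1
    fi
    sudo ufw allow 'WWW Full'
    sudo $(certbot_cmd "$@")
    sudo certbot renew --dry-run
}

# Example usage on a real server (commented out so the checks stay read-only):
# run_setup example.com www.example.com
```

When the preflight reports a missing name, add it as a ServerAlias to the vhost and reload Apache before retrying; requesting a certificate for a name the vhost does not declare is exactly the case in which certbot cannot pick the right VirtualHost block. The --apache, -d, renew and --dry-run options are the ones the article itself uses.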
To install Certbot as a snap on Debian, you must first have snapd installed on your server.
snapd is the daemon required to install, use, and manage snaps.
Installing the snapd package also installs the snap command on your server.
1. To install snapd, update your local package index if you have not done so recently:
$ sudo apt update
2. Then install the snapd package:
$ sudo apt install snapd
After running this command, you'll be prompted to confirm that you want to install snapd and its dependencies.
Do so by pressing Y and then ENTER.
3. Next, use the snap command to install the core snap. This will install some dependencies on your server that are needed for any snap you install, including the Certbot snap:
$ sudo snap install core
4. Then refresh the core snap. Doing so will ensure that you have the latest versions of snapd and its dependencies installed:
$ sudo snap refresh core
Following that, you can install the Certbot snap.
5. Because Certbot must be allowed to edit certain configuration files in order to set up certificates correctly, this command includes the --classic option. This confinement level gives snaps installed under it the same access to system resources as traditional packages:
$ sudo snap install --classic certbot
6. Create a symbolic link to the snap's certbot binary in the /usr/bin/ directory so that you can run the certbot command from anywhere on your system:
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot