How to Set Up a Free SSL Certificate for Apache on Debian 10

In the face of growing cyberattacks and breaches, securing your website is a top priority in protecting yourself and your site visitors from hackers. In this tutorial, we explore how you can set up a free SSL certificate using Let’s Encrypt for Apache on Debian 10.

Let’s Encrypt is a free SSL certificate issued by the Let’s Encrypt authority; it is valid for only 90 days but can be renewed at any given time.

What is an SSL Certificate?

Before we proceed further, what is an SSL certificate? An SSL certificate is a digital certificate that encrypts communication between a browser and a web server. This encryption guarantees that any information sent to the web server is private and confidential. SSL certificates are commonly used on e-commerce websites, banking websites and money sending / remittance platforms such as PayPal, Payoneer, and Skrill.

How Do I Know that My Site is Protected?

Websites which are SSL secured have a padlock symbol in the URL bar followed by the acronym https (HyperText Transfer Protocol Secure) as shown in the following screenshot.

Check SSL Certificate on Website

If a site is not protected with an SSL certificate, Google will display a “Not Secure” warning before the website address in the URL.

Prerequisites

Before we begin, ensure the following requirements have been satisfied:

  1. A running instance of Debian 10 Minimal Server.
  2. A running instance of Apache Web Server with Domain Setup on Debian 10.
  3. A registered Fully Qualified Domain Name (FQDN) with the A record pointing to the IP address of the Debian 10 Linux system on your Domain Provider.

For this tutorial, we have tecmint.com pointed to the IP address 192.168.0.104.

Step 1: Install Certbot in Debian 10

To start off, we need to install Certbot on our Debian 10 instance. Certbot is client software from the EFF (Electronic Frontier Foundation) that fetches a Let’s Encrypt SSL certificate and sets it up on a web server.

To achieve this, first update system repositories.

$ sudo apt update

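Next, install the Certbot Apache plugin from the buster-backports repository using the command below. The -t option only works if buster-backports is already enabled in your APT sources.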

$ sudo apt install python-certbot-apache -t buster-backports

Step 2: Obtain an SSL Certificate for Domain

After successfully installing the certbot client, let’s proceed and install the Let’s Encrypt certificate using the command below.

$ sudo certbot --apache -d your_domain -d www.your_domain

This will immediately ask for your email address as shown below.

Obtain Let's Encrypt SSL Certificate for Domain

Next, you will be prompted to agree with the Terms of Service. Type A and hit Enter.

Accept Let's Encrypt Terms of Service

In addition, you will be asked if you would be willing to share your email address with the EFF and receive periodic updates about their work. Type Y and hit Enter.

Share Email Address with EFF

Afterwards, certbot will contact the Let’s Encrypt servers and verify that the domain you are requesting a certificate for is a registered and valid domain.

Installing Let's Encrypt SSL Certificate on Domain

You will then be asked whether you would like to redirect all requests to HTTPS. Because we are seeking to encrypt HTTP access, type 2 for redirection and hit ENTER.

Redirect HTTP to HTTPS on Domain

And finally, if all went well, you will get the notification below that you have successfully enabled the HTTPS protocol on your web server and the expiry date of your SSL certificate.

Enabled Let's Encrypt SSL Certificate on Domain

Step 3: Allow HTTPS Protocol On Firewall

If the UFW firewall is enabled, as is always recommended for security reasons, you need to allow HTTPS traffic through it; otherwise, we will not be able to access our site in a web browser.

Since HTTPS runs on port 443, open the port by running:

$ sudo ufw allow 443/tcp

Next, reload the firewall to effect the changes.

$ sudo ufw reload

To verify if the changes have taken effect, run the command below to check the firewall status.

$ sudo ufw status

Verify HTTPS Port on UFW Firewall

As you can see from the output above, port 443 has been opened.

Step 4: Verify HTTPS on Website

With all the configurations done and dusted, it’s time to check and see if our web server uses the https protocol. Head out to your web browser and type your website domain name in the URL bar followed by the acronym https.

Check SSL Certificate on Website

If you are a little curious and want to check more information about the SSL certificate, click on the padlock symbol as shown.

Verify HTTPS on Website

On the pull-down menu, the ‘Certificate’ option is indicated ‘Valid’.

To explore more information, click on that option. A pop-up appears with all the details including the Certificate Issuer (Let’s Encrypt Authority), date issued and expiry date.

Check SSL Certificate Issuer

You can also test your site’s SSL certificate on https://www.ssllabs.com/ssltest/.

Test SSL Certificate of Website

Step 5: Checking Auto Renew Certbot SSL Certificate

Certbot automatically renews the SSL certificate 30 days prior to its expiration. To verify the renewal process, run the command below.

$ sudo certbot renew --dry-run

The output below confirms that all is well and that the SSL certificate will auto-renew before the 90-day expiry period.

Check Certbot SSL Certificate Auto Renew
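
A command-line counterpart to the browser check in Step 4 and the dry run above, as an added example that is not part of the original tutorial: it reads the expiry date of the certificate Apache actually serves and reports whether it has entered the 30-day renewal window. The function names are made up for this sketch, and it assumes GNU date (as on Debian) and the openssl command-line client.

```sh
#!/bin/sh
# Added example (not from the tutorial): report whether the served certificate
# is inside the 30-day window in which Certbot renews it.
# Assumes GNU date (Debian) and the openssl command-line client.

RENEW_WINDOW_DAYS=30

# secs_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the line printed by `openssl x509 -noout -enddate`,
# e.g. "notAfter=Jun 30 12:00:00 2024 GMT" (constructed sample value).
secs_left() {
    not_after=${1#notAfter=}
    [ -n "$not_after" ] || return 2          # empty input would parse as "today"
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    echo $((end - now))
}

# renewal_state NOT_AFTER [NOW_EPOCH] -> ok | renewal-due | expired | unparseable
renewal_state() {
    s=$(secs_left "$1" "$2") || { echo "unparseable"; return 2; }
    if [ "$s" -le 0 ]; then
        echo "expired"
    elif [ "$s" -le $((RENEW_WINDOW_DAYS * 86400)) ]; then
        echo "renewal-due"
    else
        echo "ok"
    fi
}

# check_live_cert HOST: fetch the certificate served on port 443
# (SNI set to HOST) and classify its expiry date.
check_live_cert() {
    end=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null) || return 2
    renewal_state "$end"
}

# Usage: sh cert_window.sh your_domain
if [ "$#" -gt 0 ]; then
    check_live_cert "$1"
fi
```

A result of renewal-due that persists for several days means the automatic renewal is not running, even if the dry run succeeded earlier.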

Conclusion

We have finally come to the end of this tutorial. In this tutorial, you learned how to secure Apache web server with Let’s Encrypt free SSL. If you have any comments or queries, do get in touch with us.

James Kiarie

1 Response

  1. Mark says:

    The value ‘buster-backports‘ is invalid for APT::Default-Release as such a release is not available in the sources..
