How to Secure Apache with SSL Using Let's Encrypt on Debian 12 Bookworm

A comprehensive guide to securing your Apache web server with SSL using Let’s Encrypt on Debian 12 Bookworm.

In today’s web landscape, ensuring the privacy and integrity of data transmitted between your server and clients is not just a good practice—it’s a necessity. One of the most effective ways to achieve this is by using HTTPS, the secure version of HTTP, which encrypts communications using SSL/TLS. Let’s Encrypt, a free and automated Certificate Authority (CA), has made it easier than ever to implement HTTPS on web servers, including Apache.

In this guide, we’ll walk you through the process of securing your Apache web server with SSL using Let’s Encrypt on a Debian 12 Bookworm system. We’ll cover everything from installing the required packages to configuring automatic certificate renewal.


1. Prerequisites

Before we begin, ensure the following:

  • You have a Debian 12 Bookworm system with root or sudo privileges.
  • You have a fully qualified domain name (FQDN) (e.g., example.com) that points to your server’s public IP.
  • Apache is installed and running.
  • Ports 80 (HTTP) and 443 (HTTPS) are open in your firewall settings.

2. Step 1: Install Apache Web Server

If Apache is not yet installed on your Debian 12 system, you can install it using the APT package manager.

sudo apt update
sudo apt install apache2 -y

Enable and start the Apache service:

sudo systemctl enable apache2
sudo systemctl start apache2

Check the status to confirm it’s running:

sudo systemctl status apache2

Now, verify that Apache is serving content by visiting your server’s IP address or domain in a web browser.


3. Step 2: Install Certbot and the Apache Plugin

Certbot is the tool Let’s Encrypt recommends for automating certificate issuance and renewal. We’ll install Certbot along with its Apache plugin.

sudo apt install certbot python3-certbot-apache -y

This will install:

  • Certbot (the client)
  • Apache plugin for Certbot to configure virtual hosts automatically

Once installed, you can check the version:

certbot --version

4. Step 3: Configure Your Domain in Apache

Make sure Apache is correctly set up to serve your domain. Create or edit your site’s configuration file. For example, for a site example.com:

sudo nano /etc/apache2/sites-available/example.com.conf

Here’s a simple configuration to begin with:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    ErrorLog ${APACHE_LOG_DIR}/example.com_error.log
    CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined
</VirtualHost>

Create the document root directory and a simple index.html file:

sudo mkdir -p /var/www/example.com
echo "<h1>Hello from example.com</h1>" | sudo tee /var/www/example.com/index.html

Enable the site:

sudo a2ensite example.com.conf
sudo systemctl reload apache2

Make sure the default site does not interfere:

sudo a2dissite 000-default.conf
sudo systemctl reload apache2

At this point, your site should be accessible via http://example.com.


5. Step 4: Obtain an SSL Certificate Using Certbot

Now that Apache is serving your domain, you’re ready to get an SSL certificate.

Run the following Certbot command:

sudo certbot --apache -d example.com -d www.example.com

You’ll be prompted to:

  • Enter your email address (for renewal and expiry notices)
  • Agree to the terms of service
  • Choose whether or not to share your email with the Electronic Frontier Foundation (EFF)
  • Choose between redirecting HTTP to HTTPS or not

We recommend choosing the redirect option so all traffic is securely encrypted.

Certbot will then:

  • Communicate with the Let’s Encrypt CA
  • Prove domain ownership
  • Obtain the SSL certificate
  • Configure Apache to use the certificate

Once completed, Certbot will display a success message.
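Steps 1 through 4 are one procedure, so here they are collected into a single non-interactive script that you can re-run safely. This is an added example, not part of the original guide: the domain and email are parameters, SITES_DIR and WWW_BASE are hypothetical overrides (they default to the standard Debian paths) so the rendering function can be exercised away from a live server, and the Certbot flags --non-interactive, --agree-tos, -m and --redirect are Certbot's own options for unattended use. Compared with the interactive steps above, it runs apache2ctl configtest before reloading so a broken vhost file never takes the server down, and it never overwrites an index.html you have already customised.

```shell
#!/bin/sh
# Unattended version of Steps 1-4 of the guide (added example, not the guide's own code).
# Assumptions: Debian 12 with apt, systemd and the certbot Apache plugin available.
# SITES_DIR and WWW_BASE are hypothetical overrides so the pure functions can be
# tested in a temporary directory; on a real host leave them unset.
set -eu

SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"
WWW_BASE="${WWW_BASE:-/var/www}"

# Render the plain-HTTP vhost for a domain (same shape as the guide's example).
# The \$ keeps ${APACHE_LOG_DIR} literal so Apache expands it, not the shell.
render_http_vhost() {
  domain="$1"
  cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${WWW_BASE}/${domain}

    ErrorLog \${APACHE_LOG_DIR}/${domain}_error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}_access.log combined
</VirtualHost>
EOF
}

# Create the document root, a placeholder index page and the site config.
# Idempotent: an existing index.html is left untouched on re-runs.
prepare_site() {
  domain="$1"
  mkdir -p "${WWW_BASE}/${domain}"
  if [ ! -f "${WWW_BASE}/${domain}/index.html" ]; then
    printf '<h1>Hello from %s</h1>\n' "$domain" > "${WWW_BASE}/${domain}/index.html"
  fi
  render_http_vhost "$domain" > "${SITES_DIR}/${domain}.conf"
}

# Full procedure: packages, vhost, enable/disable sites, syntax check, certificate.
main() {
  domain="$1"; email="$2"
  apt-get update
  apt-get install -y apache2 certbot python3-certbot-apache
  systemctl enable --now apache2
  prepare_site "$domain"
  a2ensite "${domain}.conf"
  a2dissite 000-default.conf || true   # already disabled is not an error
  apache2ctl configtest                 # refuse to reload a broken configuration
  systemctl reload apache2
  # Non-interactive issuance; --redirect makes Certbot add the HTTP->HTTPS redirect
  # the guide recommends.
  certbot --apache --non-interactive --agree-tos -m "$email" --redirect \
    -d "$domain" -d "www.$domain"
}

# Runs the procedure only when invoked with both arguments, e.g.
#   sudo sh setup-site.sh example.com admin@example.com
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Keep the email address real: it is where Let's Encrypt sends expiry warnings if the automatic renewal in Step 6 ever stops working.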


6. Step 5: Verify SSL Installation

You can verify that SSL is working by visiting:

https://example.com

If everything was successful, you should:

  • See a padlock in the browser address bar
  • Be redirected to HTTPS if you opted in for redirection
  • Get a valid certificate issued by Let’s Encrypt

You can also use the SSL Labs SSL Test to confirm your site’s SSL configuration: https://www.ssllabs.com/ssltest/


7. Step 6: Set Up Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. Fortunately, Certbot installs a cron job or systemd timer to renew certificates automatically.

You can test the renewal process with:

sudo certbot renew --dry-run

If no errors are shown, auto-renewal is set up correctly.

Certbot will attempt to renew certificates and reload Apache when necessary. You can check the systemd timer with:

sudo systemctl list-timers | grep certbot

If needed, you can manually renew at any time with:

sudo certbot renew
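The browser padlock in Step 5 and the dry run in Step 6 only tell you things are fine right now. The script below, an added example and not part of the original guide, turns both checks into something you can run from cron or a monitoring job: it reports the certificate the server actually presents for the hostname, confirms plain HTTP redirects to HTTPS, and fails when a certificate on disk has fewer than a chosen number of days left. It assumes openssl and curl are installed; cert_days_left additionally needs GNU date (Debian's coreutils). The path /etc/letsencrypt/live/<domain>/fullchain.pem is Certbot's usual layout but is an assumption here; confirm it on your host.

```shell
#!/bin/sh
# Post-deployment TLS checks for Steps 5 and 6 (added example, not the guide's own code).
# Assumptions: openssl and curl installed; GNU date for cert_days_left; the
# /etc/letsencrypt/live/<domain>/fullchain.pem path in the usage notes is
# Certbot's usual layout and should be verified on the host.
set -eu

# Print whole days until the certificate's notAfter date (negative once expired).
cert_days_left() {  # usage: cert_days_left PEM
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -u -d "$not_after" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed only if the certificate stays valid for at least DAYS more days.
# Uses openssl's own -checkend, so it works without GNU date. Certbot renews
# roughly 30 days before expiry, so a 20-day threshold flags a stuck renewal
# (timer disabled, port 80 closed, DNS moved) well before the site breaks.
cert_fresh_for() {  # usage: cert_fresh_for PEM DAYS
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Show what the live server presents for this hostname (SNI-aware) and whether
# the chain verifies against the system trust store. A self-signed or
# default-vhost certificate here means Certbot configured a different vhost
# than the one you expected.
site_cert_report() {  # usage: site_cert_report HOST
  out=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
  printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p'
}

# Confirm plain HTTP redirects to HTTPS instead of serving content.
# Prints "301 https://<host>/" when the redirect from Step 4 is in place.
http_redirect_status() {  # usage: http_redirect_status HOST
  curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "http://$1/"
}

# Typical invocation on the server (nothing runs when the file is only sourced):
#   site_cert_report example.com
#   http_redirect_status example.com
#   systemctl is-active certbot.timer
#   cert_fresh_for /etc/letsencrypt/live/example.com/fullchain.pem 20 \
#     || echo "renewal appears stuck" >&2
```

Run cert_fresh_for from a daily cron entry or a monitoring agent and alert on its non-zero exit; because Certbot renews at about 30 days out, a certificate that ever reaches 20 days left means the timer, the HTTP challenge on port 80, or the DNS records need attention.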

Optional: Redirect All HTTP Traffic to HTTPS Manually

If for some reason you didn’t let Certbot handle redirection, you can manually redirect HTTP traffic to HTTPS. Modify your Apache configuration file (/etc/apache2/sites-available/example.com.conf) to include:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Then reload Apache:

sudo systemctl reload apache2

Troubleshooting Tips

  • Ports 80 and 443 blocked: Make sure your firewall (e.g., ufw, iptables, or cloud provider) allows inbound traffic on ports 80 and 443.
  • Incorrect DNS records: Ensure that your domain’s A/AAAA records point to the correct IP of your server.
  • Multiple Apache configs: Avoid overlapping ServerName directives in different site files.
  • DNS propagation delay: If you just changed your DNS records, it may take time before Let’s Encrypt can validate your domain.

Conclusion

Securing your website with SSL is an essential step in protecting user data and improving trust and SEO rankings. Using Let’s Encrypt and Certbot on Debian 12 Bookworm, the process is not only free but also highly automated and manageable.

With Apache now configured to use SSL/TLS, and automatic renewal in place, your website will serve content securely and comply with modern web standards. Keep an eye on renewal emails and always monitor your server to ensure everything runs smoothly.

If you’re managing multiple domains or more complex setups, Certbot provides advanced options like wildcard certificates (with DNS verification) and non-interactive modes ideal for scripting.


Further Reading: