How to set up a Let's Encrypt SSL Certificate for Apache on Debian 11
Install Certbot
Certbot is a fully-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that automates obtaining certificates and configuring web servers to use them. It runs on Unix-based operating systems.
First update the system repositories.
apt update
Install the Certbot package and its Apache plugin for Let's Encrypt:
apt install -y certbot python3-certbot-apache
Generate SSL Certificate
Let us now generate an SSL certificate for the domain "demo-vm.kxe.io".
Since we are using the Apache web server, we pass the --apache option so that Certbot updates the appropriate vHost configuration.
certbot --apache -d your_domain
This will immediately prompt for your email address.
Example
root@server:~# certbot --apache -d demo-vm.kxe.io
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
You will be prompted to agree with the Terms of Service. Type Y and hit Enter.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Select the appropriate option below:
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Certbot will contact the Let's Encrypt servers, which verify that the domain you are requesting is valid and, via the http-01 challenge, that this server answers for it.
Account registered.
Requesting a certificate for demo-vm.kxe.io
Performing the following challenges:
http-01 challenge for demo-vm.kxe.io
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
You will see the notification below confirming that HTTPS has been enabled on your web server, along with the expiry date of your SSL certificate.
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://demo-vm.kxe.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/demo-vm.kxe.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/demo-vm.kxe.io/privkey.pem
Your certificate will expire on 2021-11-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
If you have multiple sub-domains that require SSL certificates, you can include them all in one command:
certbot --apache -d demo-vm.kxe.io -d www.demo-vm.kxe.io -d site.demo-vm.kxe.io
Allow HTTPS protocol on Firewall
Since we have a firewall running on the system, we allow port 443 so that HTTPS traffic can reach the server.
ufw allow 443/tcp
Output:
root@server:~# ufw allow 443/tcp
Rule added
Rule added (v6)
Verify HTTPS on Website
As you can see in the screenshot below, there is a lock icon beside the URL.
This means that the connection between you and the server is now secure and encrypted.
Check for Auto-renewal
Certbot automatically renews the SSL certificate 30 days prior to its expiration. To verify that the renewal process works, run a dry run:
certbot renew --dry-run
Output:
root@server:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demo-vm.kxe.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for demo-vm.kxe.io
Performing the following challenges:
http-01 challenge for demo-vm.kxe.io
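As an added example that is not part of the original tutorial, the following shell script checks the result of the steps above for one domain: that the certificate exists, that the private key is not readable by others, how many days remain before the 30-day renewal window, and that the systemd timer Debian's certbot package installs is active. It assumes Debian 11 with GNU coreutils (date -d, stat -L), openssl, systemd and the /etc/letsencrypt/live/<domain>/ layout printed by certbot above; the file name check-cert.sh is made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial: post-setup checks for the
# certificate that "certbot --apache" installed. Assumes Debian 11 with GNU
# coreutils (date -d, stat -L), openssl, systemd, and the live directory
# layout /etc/letsencrypt/live/<domain>/ shown in the certbot output above.

# Whole days until the notAfter date, given the exact line that
# "openssl x509 -noout -enddate" prints, e.g. "notAfter=Nov 18 10:22:31 2021 GMT".
# Optional second argument overrides "now" (epoch seconds) so the logic is testable.
days_until_expiry() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Certbot renews 30 days before expiry, so a certificate still inside that
# window means the timer or the http-01 challenge is failing and needs attention.
renewal_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -le 30 ]; then echo renew-soon
    else echo ok
    fi
}

# Check one domain: certificate present, key permissions, expiry, renewal timer.
check_domain() {
    live="/etc/letsencrypt/live/$1"
    [ -r "$live/fullchain.pem" ] || { echo "$1: no certificate in $live"; return 1; }

    # privkey.pem is a symlink into /etc/letsencrypt/archive; -L follows it.
    mode=$(stat -L -c %a "$live/privkey.pem")
    case $mode in
        600|640) echo "$1: privkey.pem mode $mode ok" ;;
        *)       echo "$1: WARNING privkey.pem mode $mode is too permissive" ;;
    esac

    # The first certificate in fullchain.pem is the leaf for this domain.
    days=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$live/fullchain.pem")")
    echo "$1: $days days left, status $(renewal_status "$days")"

    # Debian's certbot package ships certbot.timer, which runs "certbot renew".
    if systemctl is-active --quiet certbot.timer; then
        echo "$1: certbot.timer active"
    else
        echo "$1: WARNING certbot.timer not active; automatic renewal will not run"
    fi
}

# Usage: sh check-cert.sh demo-vm.kxe.io   (the domain used in this tutorial)
if [ $# -eq 1 ]; then check_domain "$1"; fi
```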