November 23, 2020
Install a free Let’s Encrypt SSL certificate on Debian 10

This article teaches you how to generate a free Let’s Encrypt SSL certificate and install it on your Debian-based web server in a way that it automatically renews. With the launch of Let’s Encrypt in 2016, every web server administrator can now easily generate, install and renew an SSL certificate on their web server for free. Having an SSL certificate installed on your web server secures all communication between a visitor of your website and your web server.

Background

Online security and privacy protection are becoming more and more important. With this in mind, an SSL certificate helps you gain the trust of your website visitors, which entices them to make repeat visits. SSL stands for Secure Sockets Layer. Having an SSL certificate installed on your web server secures all communication between a visitor of your website and your web server. Your website visitor notices that your URL starts with https:// instead of http://. Furthermore, your website visitor sees a security icon in their web browser’s address bar:

Web browser screenshot showing just the URL address bar of a website that is secured with an SSL certificate.

In the past you had to purchase a digital SSL certificate from a recognized certificate authority. Once purchased, you had to figure out how to install the SSL certificate manually on your web server. An SSL certificate comes with an expiration date. This means that after a certain amount of time, you have to purchase a renewal. Afterwards, you need to install the renewed SSL certificate on your web server. Because of the extra cost and work involved, only a few website operators went through this effort. Typically just online financial institutions and the larger online shops went through this effort.

This all changed when Let’s Encrypt launched in April of 2016. Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group. They made it their mission to help secure online communication. As such, they offer SSL certificates for free together with tools for easy installation and renewal. Thanks to Let’s Encrypt every web server administrator can quickly and easily install an SSL certificate. It protects their website users and comes at no extra cost. This article teaches you how you can generate a free Let’s Encrypt SSL certificate and install it on your Debian based web server in a way that it automatically renews.

What you need

To install a Let’s Encrypt SSL certificate on your Debian based server, you just need an online Debian server with the Apache HTTP server installed. For this article I prepared a Debian virtual private server (VPS) at Linode, installed a LAMP stack on it and configured it for the theplblog.com domain name, a domain name I obtained purely for testing and experimenting.

If you do not yet have a Debian based web server, you can quickly set one up. Just follow the information in the following two articles:

For testing out the procedure to install a Let’s Encrypt SSL certificate on your Debian web server, you do not necessarily need your own domain name. The Linode generated one (xyz.members.linode.com) suffices. However, if you want to use your own domain name for your Linode VPS, follow the instructions in this article:

After installing a LAMP stack on my Debian server, the Apache default test page is available. This is what it looks like before the Let’s Encrypt SSL certificate installation on this Debian web server, when I visit http://www.theplblog.com:

Web browser screenshot that shows the default Apache welcome page after installing a LAMP stack. It highlights that the website is not yet secured with an SSL certificate.

If I try to access a secure version of the page (with https://) the following happens:

Web browser screenshot that shows what happens if you try to access a website via HTTPS if you do not yet have an SSL certificate installed.

As you can see, the website is not yet secured with an SSL certificate and not yet available via https://. In the sections below, we will install a Let’s Encrypt SSL certificate on this Debian web server to enable secure access to the website using https://. Furthermore, the installation will be such that access to http:// automatically redirects to the secure https:// version of the website.

Install the Certbot tools

The Certbot package contains tools for generating, installing and renewing Let’s Encrypt SSL certificates. Since this article assumes that the Apache HTTP server forms the foundation of your web server, we just need to install the python3-certbot-apache package. The Debian package repository already includes the python3-certbot-apache package. This means that we just need to run the following command on the Debian server to install it:

sudo apt install python3-certbot-apache

Terminal screenshot that shows the output of installing the python3-certbot-apache package. This installs the Certbot tools on the Debian server, which are needed for generating the Let's Encrypt SSL certificate.

Set the server name in the Apache virtual host

The Certbot tools can generate an SSL certificate that links to one or more domains. Afterwards, they can even automatically configure the SSL certificate for the Apache virtual host for the same domain(s). This automatic configuration of the Apache virtual host only works if the ServerName directive (and optionally the ServerAlias directive) is properly configured.

From the perspective of just the Apache HTTP server, you do not need a properly configured ServerName directive if you only have one enabled virtual host site on your server. Therefore you might not yet have the ServerName directive configured, just like me.

In my case I want the website on my Debian web server to be accessible using domain www.theplblog.com and theplblog.com as an alias. I already created the corresponding DNS records for my Linode VPS and configured these domains in /etc/hosts. Refer to this article for details on how to achieve this. Since I did not yet configure the ServerName and ServerAlias directives in the related Apache virtual host configuration file, let’s proceed and take care of this configuration now.

As a first step we need to figure out the name of the Apache virtual host configuration file. Run the following command to list all enabled Apache virtual host configuration files:

ls /etc/apache2/sites-enabled/

Terminal screenshot that shows the contents of the /etc/apache2/sites-enabled directory. This directory lists the Apache virtual host configuration files of all currently enabled websites.

As expected, my server lists just one enabled Apache virtual host. It’s the default site that Debian creates when installing Apache. The one that serves files out of the /var/www/html/ directory.

Now that we know the name and location of the enabled Apache virtual host configuration file, we can edit it with Nano to configure the ServerName (and optionally the ServerAlias) directive:

sudo nano /etc/apache2/sites-enabled/000-default.conf

In my case I want to set ServerName to www.theplblog.com and ServerAlias to theplblog.com. Update these values for your domain name accordingly. Note that you can leave out ServerAlias if you have no need for an alias. After editing the 000-default.conf file, it looks like this for me:

Screenshot of editing the 000-default.conf Apache virtual host configuration file. It highlights how the ServerName and (optional) ServerAlias directives were added. This is needed by the Certbot tools.

We just changed an Apache related configuration file. For this reason, we should restart the Apache HTTP server to make sure the changes take effect:

sudo systemctl restart apache2
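
A pre-flight check for this step, as an added example that is not part of the original article: it lists the active ServerName and ServerAlias values in a virtual host file, which are the names Certbot needs to find. The function names are hypothetical, the embedded configuration is a constructed sample of the edited file, and the parsing is a simplified stand-in rather than Certbot's own parser.

```sh
#!/bin/sh
# Added example: which names does a virtual host file actually declare?

# vhost_names FILE
# Prints every active ServerName/ServerAlias value, one per line.
# Commented-out directives are skipped; directive names are matched
# case-insensitively, as Apache does.
vhost_names() {
    awk '{ d = tolower($1) }
         d == "servername" || d == "serveralias" {
             for (i = 2; i <= NF; i++) print $i
         }' "$1"
}

# has_server_name FILE: succeeds only if an active ServerName is present.
has_server_name() {
    awk 'tolower($1) == "servername" && NF >= 2 { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample of the edited 000-default.conf (comments trimmed).
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    #ServerName www.example.com
    ServerName www.theplblog.com
    ServerAlias theplblog.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

demo() {
    conf=$(mktemp)
    write_sample_vhost "$conf"
    vhost_names "$conf"      # prints the two names from the sample
    rm -f "$conf"
}
demo
```

On a real server, point vhost_names at each file in /etc/apache2/sites-enabled/ instead of the sample.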

Generate and install the SSL certificate

With the Certbot package installed, we can continue with the actual generation and installation of the Let’s Encrypt SSL certificate on the Debian web server. Kick off this procedure by running the command:

sudo certbot --apache

The program asks you a few basic questions. For example your e-mail address, if you accept their terms and services and if you would like to subscribe to their newsletter. Double-check that you entered a valid e-mail address. In case the automatic SSL certificate renewal fails sometime in the future, Let’s Encrypt sends you an e-mail before the SSL certificate actually expires.

Terminal screenshot with part 1 of the Let's Encrypt SSL certificate generation for the Debian server using command sudo certbot --apache

Certbot goes on by extracting the configured ServerName and ServerAlias values from all enabled Apache virtual host sites. It then lists these and asks you for which ones you would like to configure the SSL certificate, such that secure access via https:// works. For my server, I selected both listed names:

Terminal screenshot with part 2 of the Let's Encrypt SSL certificate generation using command sudo certbot --apache

As a final step, Certbot wants to know if it should add a rewrite rule to the original Apache virtual host configuration file to automatically redirect http:// requests to https://. I highly recommend this, so select option 2 here:

Terminal screenshot with part 3 of the Let's Encrypt SSL certificate generation using command sudo certbot --apache

After a successful completion, the remainder of the output looks like:

Terminal screenshot with the final part of the Let's Encrypt SSL certificate generation using command sudo certbot --apache

According to the output, Certbot stored the actual SSL certificate in /etc/letsencrypt/live/theplblog.com/fullchain.pem. It also automatically configured the Apache virtual host such that www.theplblog.com and theplblog.com can now be securely accessed through https://. Also note that the Let’s Encrypt SSL certificate for the Debian server is valid for about 3 months. I ran this command on the 28th of October 2020 and it lists an expiration date of the 26th of January 2021. We’ll cover automatic renewal in a bit. Let’s first verify that secure HTTPS access works.

Verify that secure HTTPS access now works

In the previous section we ran the Certbot program to generate and install the Let’s Encrypt SSL certificate on the Debian web server. Let’s go ahead and verify that it works. Before jumping right in, keep in mind that Certbot changed the Apache virtual host configuration file and even added a new one: 000-default-le-ssl.conf. Because of this, we should first restart the Apache HTTP server for the changes to take effect:

sudo systemctl restart apache2

If I now open up my web browser and enter http://www.theplblog.com (or http://theplblog.com), I see this:

Web browser screenshot of visiting the website after installing the Let's Encrypt SSL certificate on the Debian web server. As expected, it shows the lock icon in the URL address bar and HTTP requests are automatically redirected to HTTPS.

The Apache HTTP server automatically redirected me to https:// and used the SSL certificate, as you can see by the little lock icon on the left side of the URL. In a nutshell: exactly what we wanted! Visitors of the website can now feel safe and secure.

Let’s Encrypt SSL certificate renewal on Debian

Remember that the generated SSL certificate expires in three months? Well here’s the cool thing about installing the Let’s Encrypt SSL certificate on Debian, as outlined in this article: a CRON job was automatically added that takes care of the SSL certificate renewal.

Terminal screenshot that lists the contents of the /etc/cron.d directory. It highlights the presence of the certbot CRON job file.

Feel free to inspect the /etc/cron.d/certbot file with the Nano editor. It basically runs the following command as the root user twice a day:

certbot renew

If the certificate is within thirty days of expiration, the certbot renew command automatically renews the certificate for you. In other words, if you generated and installed your Let’s Encrypt SSL certificate on your Debian server as outlined in this article, your system automatically manages SSL certificate renewal for you. It doesn’t get easier than that.

I’ve used Let’s Encrypt SSL certificates this way on several production Debian servers in the past four years. The SSL certificate renewal always worked. I do make it a habit to periodically check the expiration date of the SSL certificates, just to make sure. You can run the following command to obtain the current expiration date:

sudo certbot certificates

Terminal screenshot that shows how you can check when the Let's Encrypt SSL certificate expires on your Debian server. The command certbot certificates was issued for this.
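
The periodic check described above can be scripted. This added example, which is not part of the original article, reads `certbot certificates` output and reports any certificate that is invalid or closer to expiry than a working renewal job would allow. The function names and the 20-day threshold are assumptions, and the sample output is constructed in the layout the command prints.

```sh
# Added example (not from the article): find certificates overdue for renewal.

# stale_certs MIN_DAYS
# Reads "certbot certificates" output on stdin and prints one line for each
# certificate that is INVALID or has fewer than MIN_DAYS days left (default 20,
# an assumed threshold inside the 30-day renewal window).
stale_certs() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) {
                status = $0
                sub(/^.*\(/, "", status); sub(/\).*$/, "", status)
                print name ": " status
            } else {
                days = 0    # "VALID: N hour(s)" is treated as 0 days
                if (match($0, /VALID: [0-9]+ day/))
                    days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) print name ": " days " days left"
            }
        }'
}

# check_renewal MIN_DAYS: report on stderr and return 1 if anything is stale.
check_renewal() {
    report=$(stale_certs "$1")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        return 1
    fi
}

# Constructed sample in the layout of "certbot certificates" output (made-up values).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.example.org
    Domains: www.example.org example.org
    Expiry Date: 2021-01-26 09:12:44+00:00 (VALID: 89 days)
  Certificate Name: shop.example.org
    Domains: shop.example.org
    Expiry Date: 2020-11-09 17:30:02+00:00 (VALID: 12 days)
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2020-10-01 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

sample_output | stale_certs 20
```

On the server itself, pipe the real command into it: `sudo certbot certificates | check_renewal 20`. A non-zero exit status means the automatic renewal needs attention.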

What to do if the Let’s Encrypt SSL certificate renewal somehow did not work on your Debian server? Not a problem, just run the following command manually:

sudo certbot renew

If you just want to see if the renewal process would potentially run without issues, you can do a so-called dry run. This simulates the SSL certificate renewal process and you can use it for debugging purposes in case something is wrong:

sudo certbot renew --dry-run

Terminal screenshot that shows how you can do a dry run with certbot to simulate the Let's Encrypt SSL certificate renewal on your Debian server.

Wrap up

In this article you learned how to generate and install a free Let’s Encrypt SSL certificate on your Debian web server. Visitors to the website hosted on this server can now feel safe and secure.

Although the article might seem a bit lengthy, the process is actually quite simple:

  • Install the python3-certbot-apache package on your Debian server.
  • Make sure you properly configured the ServerName directive in your Apache virtual host configuration file.
  • Run the command sudo certbot --apache to generate and install the SSL certificate.

That’s all. Your Debian system even takes care of automatically renewing the Let’s Encrypt SSL certificate for you. In the past years I used Let’s Encrypt SSL certificates on several Debian production servers and in my experience, it works flawlessly.

PragmaticLinux

Long term Linux enthusiast, open source software developer and technical writer.
