Debian Tutorials

Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

June 2024


How to set up Let’s Encrypt SSL certificate for a site hosted on Apache web server

Ástþór IPÁstþór IP
Let’s Encrypt is a certificate authority that provides free SSL/TLS certificates that are instantly validated and signed and can be used to secure your web site. Certificates are valid for 90 days but you can easily set up a task to handle the renewal automatically.


This tutorial has been tested on the following Linux distributions:

Debian Linux 9 (Stretch)
Debian Linux 8 (Jessie)

Last updated:
26th of March 2018

We’ll use the certbot to handle the verification and deployment, so the first step is to install certbot.

1. Add the jessie backports apt repository (not needed when running Debian Linux 9, stretch)

echo "deb jessie-backports main" >> /etc/apt/sources.list
apt-get update

2. Install certbot

For Debian Linux 9 (stretch), use the following command:

apt-get install python-certbot-apache

For Debian Linux 8 (jessie), use the following command:

apt-get install -t jessie-backports python-certbot-apache

3. Now that we have certbot installed, let’s request the certificate

certbot --authenticator webroot --installer apache

You will get a list of available hosts that are currently being served by the Apache web server, similar to this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Type a comma seperated list of the hosts that should be included in the certificate, example: 1,2.

4. Select the webroot for each of the selected hosts. The webroot is the base directory for the web site and is required for the verification process. Each domain may or may not have a different webroot.

Once the webroot directories have been verified certboot will automatically request the certificates and create files on the server containing the keys and certificate.

5. In the next step you’ll be asked if HTTPS is required or not. If HTTPS will be required, certbot will configure apache to redirect http requests to the sites to https. Choose whatever suits your needs here.

6. Now you’ll be able to access your hosts on https, ex.

7. The certificate will expire in 90 days from now. You can manually renew the certificates using the same certbot command but it preferred to add a cronjob to handle that automatically.

Open up crontab with your favorite text editor:

crontab -e

And add the following line at the end of the filw:

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

That’s it, now your site is secure and the certificate will be renewed automatically.

Comments 0
There are currently no comments.