How to install Certbot for Apache on Debian to be able to issue Let’s Encrypt certificates.
Let’s Encrypt is a certificate authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that tries to automate most of the required steps. Let’s Encrypt uses the ACME protocol (ACMEv2) to verify the domain name and control and issue the certificate. Currently, the entire process of obtaining and installing a certificate on both Apache and Nginx is fully automated.
In this tutorial, Certbot is used to obtain a free SSL certificate for Apache on Debian 10 and to set up certificates automatically.
Apache web server with certbot certificate on Debian
A Debian 10 server, a non-root user with sudo permissions is created and a firewall (ufw or firewalld) is set up.
A fully registered domain name, for example, unblog.ch.
Both of the following DNS records are set up for the server.
An A record for my_domain points to the server’s public IP address.
An A record for www.my_domain points to the server’s public IP address.
Apache is installed by following the instructions to install LAMP Stack on Debian. Make sure that a virtual hosts file is set up for the domain. This tutorial uses /etc/apache2/sites-available/my_domain.conf as an example.
Note: Currently, Certbot is not available by default in the Debian software repositories. To install Certbot as a snap on Debian, snapd must first be installed on the server. snapd is a daemon that is required to install and manage snaps.
Snap is a software distribution system and package management for Linux that works across distributions. The system developed by Canonical supports transactional updates and rollbacks. It was developed by Canonical for Ubuntu and is now also available for other Linux distributions.
Install Certbot on Debian
Follow the instructions below from the command line on the Debian server to install the latest version of snapd.
$ sudo snap install core; sudo snap refresh core
Run this command from the command line to install Certbot.
$ sudo snap install --classic certbot
Execute the following statement on the command line to ensure that the certbot command can be executed.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Retrieve certificate and let Certbot make Apache ready
This command to retrieve a certificate and to let Certbot automatically edit the Apache configuration by enabling HTTPS access in a single step.
$ sudo certbot --apache
If you want to make the changes to the Apache configuration yourself, you can execute this command.
$ sudo certbot certonly --apache
Testing the automatic renewal of certificates is done with the following command.
$ sudo certbot renew --dry-run
To check the whole thing, visit https://my_domain/ in the browser of your choice look for the lock icon in the URL line.
Setting up the SSL certificate on Debian
Certbot must find the correct virtual host in the Apache configuration so that SSL can be configured automatically.This is done in particular by looking for the ServerName statement that corresponds to the domain for which a certificate is to be requested.
To verify, open the virtual hosts file for the domain using vim or nano text editor.
$ vi /etc/apache2/sites-available/my_domain.conf
Look in the row for ServerName The domain name should my_domain.
If you have not already done so, update the ServerName statement to point to the domain name.
Next, check the syntax of the configuration changes.
$ sudo apache2ctl configtest
Certbot offers a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloads the configuration if necessary. The following command uses this plugin.
It runs certbot with the --apache plugin and uses -dto specify the domain names for which the certificate should be valid.
To test the renewal process, the following test run is available.
$ sudo certbot renew --dry-run
In this tutorial, we installed the Let’s Encrypt client, downloaded SSL certificates for the domain, configured Apache to use these certificates, and set up automatic certificate renewal.
This tutorial shows how to install Apache, MariaDB and PHP, call LAMP stack with configuration on a Debian 11 (buster) as a web server complete with Apache/2.4, MariaDB 10, PHP 7.4 and vsftpd as well as Fail2ban and all necessary packages. The estimated time required for the installation is around 10 minutes, at the end of which a web server is ready to use for content management systems. Newly created users for FTP access are automatically chrooted to their own DocumentRoot.
Install Apache MariaDB PHP on Debian Server
We are logged in as root on a Debian 10, first, as always, we have all updates carried out.
First, required packages are provided as a prerequisite for further installation.
apt install ca-certificates apt-transport-https lsb-release gnupg curl vim unzip -y
The Debian repository does not contain the latest PHP versions, so we use the Sury repository.
Now let’s run the script to complete the configuration of the MariaDB server.
When you first ask for the current password, you do not have to enter anything, but simply press the Enter key. Confirm the next question regarding changing the root password with Enter. Now a password is assigned for the root user of the MariaDB server (not Linux root). No characters appear as you type, which is normal. Confirm all of the following questions (deletion of the anonymous user, banning the external root login for security reasons, removing the test database and updating the rights) also with Enter. After that, the MariaDB server is fully installed and configured.
Install phpMyAdmin on Debian with MariaDB
Now able to manage the MariaDB databases on the Debian Server, we install by the command cd /usr/share to change the directory path where phpMyAdmin we would install.
For security reasons, password authentication to the MariaDB server is no longer recommended to log in directly as a root user (i.e. via phpMyAdmin).
Create an additional user with all rights, to do this, we log on to the MariaDB server using the MySQL-Client.
mysql -u root
if everything went well, you are now in the MySQL (MariaDB) prompt.
MariaDB [(none)] >
And then hit the following SQL commands to create the MariaDB user and grant the rights.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;
Replace “username” and “password“with the desired username and password. Finally type exit to leave the MariaDB console.
MariaDB [(none)] > exit
Now you can log in to the MariaDB server with the newly created user (i.e. also via phpMyAdmin).
Enough – your Apache2 web server incl. PHP 7.4, MariaDB server and phpMyAdmin is now ready to use. The phpMyAdmin WebUI can be reached by add /phpmyadmin to the IP address or FQDN in the browser.
Note. you’ll see the following error message at the bottom of the phpmyadmin page when you first log in to /phpmyadmin.
The configuration file now needs a secret passphrase (blowfish_secret).
You need to add a blowfish password to the phpMyAdmin’s config file. Edit config.inc.php and insert a random blowfish passphrase in the line $cfg['blowfish_secret']here as an example:
$cfg['blowfish_secret'] = 'ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Note. if you use vim for editing, you will notice that after entering the insert mode and paste text by press the right mouse key the blockwise Visual mode is turned on — (insert) VISUAL — that behaves undesirably, but this can be quickly solved by disabling the mouse control for vim, let’s do that right away and run echo "set mouse-=a" > ~/.vimrc
Hint. generating a passphrase is easy as the following command shows.
openssl rand -base64 48
# or another 48 characters long
date +%s | sha256sum | base64 | head -c 48 ; echo
Securing and hardening Debian web server
First, the kernel firewall is configured for the web server, only the required services should be allowed incoming. With Debian, the ufw (Uncomplicated Firewall) is enabled by default after installation. The ports required for the web server are opened as follows.
Note: after each change, reload the firewall for the changes to take effect.
Install FTP server with vsftpd on Debian
vsftpd is an FTP server for the old File Transfer Protocol. As an acronym, its name stands for Very Secure File Transfer Protocol Daemon. Whether OpenSSH with sftp is standard on every Linux and FreeBSD, but unfortunately FTP is still widely used.
The vsftpd daemon is installed as follows.
apt install vsftpd -y
Edit the vsftpd configuration file for changes.
We disable anonymous login and allow local users to write.
chroot stands for change root and is a function for Unixoid systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP utility prevents users from accessing files outside its directory. chroot also provides an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf at line chroot_local_user and change there to YES, so also with chroot_list_enable.
All users are assigned chroot, except for some that are exempt, for this the file /etc/vsftpd.chroot_list is created, which contains users who are excluded from chroot.
Create a vsftpd.userlist file and add users to be denied. The service accounts should be rejected, as they are often used for attacks. Add one user per row, example: vsftpd.userlist
Start the vsftpd daemon.
systemctl start vsftpd
fail2ban hardens your web servers
Now it’s a good opportunity to protect your Debian with MariaDB and Apache web server with install fail2ban.
fail2ban is written in Python aims to protect server services against DoS attacks. It checks log files according to predefined patterns and temporarily blocks the corresponding IP addresses in the event of repeated failed access.
fail2ban is installed and configured on Debian as follows.
apt install fail2ban -y
The configuration of fail2ban for a web server with jail filter for watch access to the SSH and FTP service to bann brute-force attacks.
bantime defines the duration of the blocking, here 12 hours (specified in seconds).
findtime defines the duration in which failed attempts can take place, here 10 minutes.
maxretry indicates the number of attempts.
By default, fail2ban is only activated with the SSH filter, further filters are activated with enabled = true.
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
Fail2ban Jail Filter query status, and verbose output for SSH.
fail2ban-client -vvv status sshd
Note. Since fail2ban 0.10 (IPv6 support) fail2ban executes actionstart IP-family related on demand by first ban per jail, so iptables-multiport would create the chain f2b-sshd only if first IP gets banned in sshd jail.
important tools for the web server as virtual machine