Lets Encrypt Installation for Debian 10

0
(0)

Apache with Let’s Encrypt on Debian 10

Let’s Encrypt is a certificate authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that tries to automate most of the required steps. Let’s Encrypt uses the ACME protocol (ACMEv2) to verify the domain name and control and issue the certificate. Currently, the entire process of obtaining and installing a certificate on both Apache and Nginx is fully automated.

In this tutorial, Certbot is used to obtain a free SSL certificate for Apache on Debian 10 and to set up certificates automatically.

Conditions

  • A Debian 10 server, a non-root user with sudo permissions is created and a firewall (ufw or firewalld) is set up.
  • A fully registered domain name, for example, unblog.ch.
  • Both of the following DNS records are set up for the server.
    • An A record for my_domain points to the server’s public IP address.
    • An A record for www.my_domain points to the server’s public IP address.
  • Apache is installed by following the instructions to install LAMP Stack on Debian. Make sure that a virtual hosts file is set up for the domain. This tutorial uses /etc/apache2/sites-available/my_domain.conf as an example.

Note: Currently, Certbot is not available by default in the Debian software repositories. To install Certbot as a snap on Debian, snapd must first be installed on the server. snapd is a daemon that is required to install and manage snaps.

Snap is a software distribution system and package management for Linux that works across distributions. The system developed by Canonical supports transactional updates and rollbacks. It was developed by Canonical for Ubuntu and is now also available for other Linux distributions.

Certbot installation on Debian 10

Follow the instructions below from the command line on the Debian server to install the latest version of snapd.

$ sudo snap install core; sudo snap refresh core

Run this command from the command line to install Certbot.

$ sudo snap install --classic certbot

Execute the following statement on the command line to ensure that the certbot command can be executed.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

This command to retrieve a certificate and to let Certbot automatically edit the Apache configuration by enabling HTTPS access in a single step.

$ sudo certbot --apache

If you want to make the changes to the Apache configuration yourself, you can execute this command.

$ sudo certbot certonly --apache

Testing the automatic renewal of certificates is done with the following command.

$ sudo certbot renew --dry-run

To check the whole thing, visit https://my_domain/ in the browser of your choice look for the lock icon in the URL line.

Setting up the SSL certificate

Certbot must find the correct virtual host in the Apache configuration so that SSL can be configured automatically.This is done in particular by looking for the ServerName statement that corresponds to the domain for which a certificate is to be requested.

To verify, open the virtual hosts file for the domain using vim or nano text editor.

$ vi /etc/apache2/sites-available/my_domain.conf

Look in the row for ServerName The domain name should my_domain.

ServerName my_domain

If you have not already done so, update the ServerName statement to point to the domain name.

Next, check the syntax of the configuration changes.

$ sudo apache2ctl configtest

Certbot offers a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloads the configuration if necessary. The following command uses this plugin.

$ sudo certbot --apache -d my_domain -d www.my_domain

It runs certbot with the --apache plugin and uses -dto specify the domain names for which the certificate should be valid.

When you start Certbot for the first time, you will be asked to enter an email address and agree to the Terms of Use. In addition, you will be asked if you are willing to share the email address with the Electronic Frontier Foundation, a non-profit organization that advocates for digital rights and also makes Certbot. Confirm here with Y for the email address or N to decline.

To test the renewal process, the following test run is available.

$ sudo certbot renew --dry-run

Conclusion

In this tutorial, we installed the Let’s Encrypt client, downloaded SSL certificates for the domain, configured Apache to use these certificates, and set up automatic certificate renewal.

Source link: certbot instructions

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *