How to Secure Apache with Let’s Encrypt on Debian 12

Introduction

Before we begin talking about how to secure Apache with Let’s Encrypt on Debian 12, let's briefly understand – What is Let's Encrypt?

Let's Encrypt is a free and automated certificate authority (CA) that provides SSL/TLS certificates for secure websites. It ensures that web traffic is encrypted, protecting user data and boosting website security. Let's Encrypt simplifies the certificate issuance process by automating the verification and renewal steps.

This non-profit initiative aims to create a more secure web for everyone. With Let's Encrypt, website owners can easily protect their users' privacy and gain the trust of visitors.

In this tutorial, you will secure Apache with Let’s Encrypt on Debian 12. We will also address a few FAQs on how to secure Apache with Let’s Encrypt on Debian 12.

Advantages of Let's Encrypt

1. Free: Let's Encrypt offers SSL/TLS certificates at no cost, allowing website owners to secure their sites without financial burden.
2. Automation: With automated certificate issuance and renewal, Let's Encrypt eliminates the need for manual processes, saving time and effort.
3. Security: Let's Encrypt ensures encrypted connections, protecting sensitive data and enhancing website security.
4. Simplicity: Let's Encrypt simplifies the certificate setup and configuration process, making it easy for anyone to secure their website.
5. Trustworthiness: Let's Encrypt is a recognized certificate authority, ensuring that your website's certificate is trusted by all major browsers and devices.

Section 1: Install Certbot for Apache on Debian 12

Installing Certbot for Apache on a Linux system running Debian will be the main topic of this section. A strong tool called Certbot makes it easier to get and set up SSL certificates from Let's Encrypt. Because of its seamless integration with Apache, you can easily enable HTTPS on your servers.

Step 1: Update Debian Package Repositories Before Certbot Installation for Apache

It's important to make sure that all the installed packages on your Debian system are up-to-date before installing Certbot. Installing the most recent version of Certbot and dependencies is ensured by keeping the system updated. To upgrade the current packages and update the package repositories, run the following commands:

sudo apt update && sudo apt upgrade

Step 2: Install Certbot and Apache Plugin on Debian

Installing Certbot and its Apache plugin is the next step after updating your Debian system. Because it allows Certbot to communicate with Apache, automating the process of obtaining and renewing certificates as well as setting Apache to use them, the Apache plugin is crucial. To install the Apache plugin and Certbot, run the following command:

sudo apt install certbot python3-certbot-apache

Section 2: Setting Up Apache and Let’s Encrypt Certificate on Debian 12

This section will walk you through setting up Apache and using Certbot to create a Let's Encrypt SSL certificate for your domain. We'll also go over how to use different options to make your server configuration more secure.

Step 1: Certbot Configuration and SSL Certificate Generation on Apache with Debian

The next step is to launch Certbot to create an SSL certificate for your domain after installing Certbot and its Apache plugin. The command offers multiple security-optimization options.

An overview of the options used is provided below:

• --apache: Indicates that Apache is the web server being used.
• --agree-tos: Demonstrates your acceptance of the terms of service of Let's Encrypt.
• --redirect: 301 redirects all HTTP traffic to HTTPS permanently, making sure that all data is encrypted.
• --hsts: Adds a header called Strict-Transport-Security to mandate secure connections.
• --staple-ocsp: Permits OCSP Stapling, which improves SSL negotiation efficiency without compromising user privacy.
• --email: The email address you can use to receive notifications about your SSL certificate, like security alerts and reminders to renew it.

Change your email address to you@example.com and your domain name to yourdomain.com. Run the following command:

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d yourdomain.com

Certbot will create an SSL certificate for your domain, set up Apache to use it, and apply the designated security settings after it has successfully executed. Your website will now be reachable via HTTPS, and your server will be secure.

Step 3: Alternative Certbot Configuration Method with Apache on Debian

Certbot offers an alternative method that asks you for information and configuration choices if you prefer a more guided and interactive approach. Here's how to apply this technique:

Execute the following command:

sudo certbot --apache

An interactive session will be started by Certbot. A guide to the prompts you might see is provided below:

• Enter email address (used for urgent renewal and security notices): Give your email address. This will be used by Let's Encrypt to communicate with you about your certificates.
• Agree to the Let’s Encrypt terms of service: Accepting the terms of service will be required of you. Enter A to indicate agreement.
• Share your email with the Electronic Frontier Foundation for updates on their work: Enter Y for "yes" if you wish to support the EFF. If not, enter N for "no."
• Which names would you like to activate HTTPS for: The domain names that Certbot is able to issue certificates for will be shown. Enter the numbers for each of your domains, or leave them all blank.
• Select the appropriate action: You will be given an option to either:

1: Attempt to reinstall the certificate

2: Renew & replace the certificate (limit ~5 per 7 days)

Select the option that suits your needs.

• Choose whether or not to redirect HTTP traffic to HTTPS: You'll be prompted to switch from HTTP to HTTPS traffic. This is generally recommended for websites:

1: No redirect – Make no further changes to the webserver configuration.

2: Redirect – Make all requests redirect to secure HTTPS access.

Select option 2 for better security.

Certbot will produce a message similar to the one above after you have followed all of the prompts and the process is finished, indicating where your certificate files are located and providing additional details.

Section 3: Automating SSL Certificate Renewal with Cron on Debian and Apache

In this section, we'll configure your SSL certificates to renew automatically via Cron, a job scheduler that comes installed on Linux-based systems. Let's Encrypt SSL certificates have a ninety-day expiration date, so in order to prevent service interruptions, you must renew them before then. The command for renewing certificates is provided by Certbot, and we can use Cron to automate this process.

Step 1: Dry Run of Certificate Renewal

Make sure the renewal command functions as intended before automating the renewal procedure. We can accomplish this by carrying out a "dry run," which mimics the procedure of certificate renewal without actually altering the certificates. To start a dry run, enter the following command:

sudo certbot renew --dry-run

Step 2: Scheduling Automatic Certificate Renewals

If everything goes smoothly during the dry run, we can arrange for automatic certificate renewals. The renewal command will be executed daily at a predetermined time thanks to Cron.

Initially, use the following command to open the crontab file in edit mode:

sudo crontab -e

To schedule a daily renewal check at 2:30 AM, add the following line at the end of the file:

30 2 * * * /usr/bin/certbot renew --quiet

Unless there is an error, the renewal process will run in the background silently and without producing any output thanks to the --quiet option.

Save the file and close it after adding this line. You have now configured your SSL certificates to renew automatically. Every day, Cron will determine which certificates require renewal and will take appropriate action. In order to maintain a secure user connection, this makes sure that your Apache server always uses valid SSL certificates.

Section 4: Enhance Apache SSL Configuration on Debian 12

We'll adjust the SSL configuration on your Apache server in this section to maximize its performance. This include configuring SSL protocols and ciphers, enabling HTTP/2, configuring HTTP Strict Transport Security (HSTS), and setting up SSL certificates. The Apache modules mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_header are needed for this configuration.

Edit the Apache Configuration File

You must first open the Apache configuration file for your domain. Run the following command:

sudo nano /etc/apache2/sites-available/your_domain.conf

This launches the domain configuration file in nano, a text editor. After gaining access, modify the VirtualHost block as follows.

Redirect HTTP to HTTPS

For every HTTP request, we will first create a rule that will reroute it to HTTPS, making sure that connections to your server are safe. Requests to the .well-known/acme-challenge/ directory are not allowed under this rule, since Certbot uses it to validate domains while issuing certificates. Include the subsequent setup in the <VirtualHost *:80> block:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

Enable SSL and Specify Certificates

Next, we'll enable SSL and provide the paths to your SSL certificate and private key inside the <VirtualHost *:443> block:

SSLEngine on
SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
SSLCertificateKeyFile   /path/to/private_key

The paths to your SSL certificate file and private key file should be replaced with /path/to/signed_cert_and_intermediate_certs and /path/to/private_key, respectively.

Enable HTTP/2

If HTTP/2 is available, we'll enable it to boost performance:

Protocols h2 http/1.1

Implement HSTS

A Strict-Transport-Security header will also be added to enforce secure connections:

Header always set Strict-Transport-Security "max-age=63072000"

Configure SSL Protocols and Ciphers

The SSL protocols and ciphers that should be utilized to guarantee maximum security and compatibility are as follows:

SSLProtocol                        all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite                  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder    off
SSLSessionTickets            off

Enable OCSP Stapling

Lastly, we'll activate OCSP stapling, a feature that enhances SSL negotiation efficiency while preserving visitor privacy:

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Validate and Apply the Changes

Save the file and close it when you're finished. Making sure there are no syntax errors in your Apache configuration is essential. Use this command to verify:

sudo apachectl configtest

Reload Apache to apply the changes if there are no problems:

sudo systemctl restart apache2

FAQs to Secure Apache with Let’s Encrypt on Debian 12

Conclusion

We hope this tutorial helped you understand how to Secure Apache with Let’s Encrypt on Debian 12.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.