This comprehensive guide walks you through installing the Apache web server on Ubuntu/Debian and securing it with a free SSL/TLS certificate from Let's Encrypt using Certbot.
Prerequisites
Before starting, ensure you have:
- An Ubuntu/Debian server with sudo privileges
- A registered domain name pointing to your server's IP address
- Ports 80 and 443 open in your firewall
Step 1: Update Your System
Start by refreshing your package index so that apt has access to the latest software versions:
sudo apt update
Step 2: Install Apache Web Server
Install the Apache HTTP server package:
sudo apt install apache2
Step 3: Verify Apache Installation
Check if Apache is running properly:
sudo systemctl status apache2
If the service shows as "active (running)", Apache is working correctly. If not, proceed to the next step.
Step 4: Start Apache Service (If Needed)
If Apache isn't running, start it manually:
sudo systemctl start apache2
Step 5: Enable Apache Auto-Start
Configure Apache to start automatically when your server boots:
sudo systemctl enable apache2
Step 6: Test Apache Installation
Open your web browser and navigate to your server's public IP address or domain name. You should see the Apache2 Ubuntu Default Page, confirming that Apache is serving web pages correctly.
Step 7: Install Certbot for SSL Certificate
Install Certbot and the Apache plugin to obtain and manage SSL certificates:
sudo apt install certbot python3-certbot-apache
Step 8: Obtain SSL Certificate
Request an SSL certificate for your domain. Replace example.com with your actual domain name:
sudo certbot --apache -d example.com -d www.example.com
Important: Make sure your domain's DNS records are properly configured and pointing to your server before running this command.
Step 9: Complete Certbot Configuration
During the certificate installation, Certbot will prompt you for:
- Email address: Required for certificate renewal notifications
- Terms of Service: You must agree to Let's Encrypt's terms
- HTTP to HTTPS redirect: Choose whether to redirect all HTTP traffic to HTTPS (recommended)
Certbot will automatically configure your Apache virtual host files to use the new SSL certificate.
Step 10: Verify SSL Configuration
Test your SSL installation by visiting your website using HTTPS:
https://example.com
Look for the padlock icon in your browser's address bar, which indicates a secure connection.
Step 11: Confirm Automatic Renewal
Let's Encrypt certificates expire after 90 days. Verify that automatic renewal is configured:
sudo systemctl status certbot.timer
The timer should show as "active (waiting)", ensuring your certificates will renew automatically.
Verification and Testing
Test Certificate Renewal
You can test the renewal process without actually renewing:
sudo certbot renew --dry-run
Check SSL Certificate Details
View your certificate information:
sudo certbot certificates
Troubleshooting
Verify DNS Configuration
If certificate installation fails, verify your DNS records are correct:
nslookup www.example.com
Or use dig for more detailed information:
dig example.com A
dig www.example.com A
Common Issues
- DNS not propagated: Wait 24-48 hours after changing DNS records
- Firewall blocking: Ensure ports 80 and 443 are open
- Domain validation failed: Check that your domain points to the correct IP address
Security Best Practices
- Regular Updates: Keep Apache and your system updated
- Strong SSL Configuration: Consider using tools like SSL Labs to test your SSL configuration
- Security Headers: Add security headers to your Apache configuration
- Regular Certificate Monitoring: Monitor certificate expiration dates
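The expiry monitoring recommended above, sketched as a shell function that parses the human-readable output of `certbot certificates` (an added example, not part of the original guide). The sample output is constructed, the helper name `check_expiry` and the 30-day threshold are assumptions, and the output layout may differ between Certbot versions.

```shell
#!/bin/sh
# Added example: flag certificates near expiry from `certbot certificates` output.

# Constructed sample output (assumed layout; not taken from a real server).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2029-12-30 03:00:00+00:00 (VALID: 5 hour(s))
EOF
}

# check_expiry [THRESHOLD_DAYS]  (hypothetical helper name)
# Reads certbot output on stdin and prints "OK|WARN|CRIT <name> <status>" per
# certificate. Returns 1 if any certificate is WARN or CRIT, else 0.
check_expiry() {
  awk -v limit="${1:-30}" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      # Status is the trailing "(VALID: ...)" or "(INVALID: ...)" group.
      i = match($0, /\((IN)?VALID: /)
      if (i == 0) { print "CRIT", name, "unparsed expiry line"; bad = 1; next }
      status = substr($0, i + 1)
      sub(/\)[ \t]*$/, "", status)
      split(status, f, " ")                  # f[2] is the day or hour count
      if (status ~ /^INVALID/)               { level = "CRIT" }  # expired, revoked, test cert
      else if (status ~ /hour/)              { level = "WARN" }  # less than one day left
      else if (f[2] + 0 < limit + 0)         { level = "WARN" }  # inside the threshold
      else                                   { level = "OK" }
      if (level != "OK") bad = 1
      print level, name, status
    }
    END { exit bad + 0 }
  '
}

# On a real server: sudo certbot certificates 2>/dev/null | check_expiry 30
sample_output | check_expiry 30 || echo "certificates need attention"
```

Run it from cron or a systemd timer and alert on a non-zero exit status, so a silently failing renewal is noticed before the certificate lapses.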
Conclusion
Your Apache web server is now successfully configured with SSL/TLS encryption. Your website is accessible securely over HTTPS, and certificate renewal is automated. Visitors to your site will see the secure padlock indicator, building trust and ensuring data protection.
Remember to keep your system updated and monitor your SSL certificate status regularly for optimal security.