# Securing Apache with an SSL certificate from Let's Encrypt

***

In this guide, we'll demonstrate how to set up Let's Encrypt with Apache in Debian 13 and Ubuntu 24.04.

## Prerequisite

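Before issuing an SSL certificate, you need to have set up a basic virtual host for your domain in Apache. Such a virtual host file can look like the one below. Note that `Options Indexes` makes Apache list a directory's contents when it has no index file; remove `Indexes` if you don't want directory listings.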

{% code title="/etc/apache2/sites-available/example.com.conf" %}

```
<VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/example.com

        <Directory /var/www/example.com>
            Options Indexes FollowSymLinks
            AllowOverride AuthConfig
            Require all granted
        </Directory>
</VirtualHost>
```

{% endcode %}

The virtual host also needs to be enabled, if it isn't already:

{% code title="Command" %}

```
sudo a2ensite example.com
```

{% endcode %}

## Setting up an SSL certificate

Generating an SSL certificate for Apache with Certbot is straightforward. The client automatically retrieves and installs new certificates that are valid for the domains specified as parameters.

Certbot also creates a new virtual host that listens on HTTPS (port 443) for the domain. And as a final piece of the puzzle, Certbot also sets up a cron job to renew the certificate before it expires.

Let's start by installing Certbot:

{% code title="Multiple commands" %}

```
sudo apt update
sudo apt install python3-certbot-apache
```

{% endcode %}

Next, you can issue a certificate for the domain in the virtual host using `certbot`. Make sure to include the `--apache` option, as this creates all the necessary configurations for Apache, including redirection from HTTP to HTTPS.

Enter all domains and subdomains that you wish to be included in the certificate using the `-d` option. Enter the main domain first, as the certificate files will be named after it. Once you execute the command, you'll be prompted to enter your email address and to accept Let's Encrypt's terms of service.

It will look similar to this:

<pre data-title="Commands and prompts (commands, inputs and prompts are highlighted)"><code><strong>certbot --apache -d example.com -d www.example.com
</strong>Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
<strong> (Enter 'c' to cancel): my-user@example.com
</strong>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<strong>(Y)es/(N)o: y
</strong>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<strong>(Y)es/(N)o: n
</strong>Account registered.
Requesting a certificate for example.com and www.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2026-01-23.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for example.com to /etc/apache2/sites-available/example.com-le-ssl.conf
Successfully deployed certificate for www.example.com to /etc/apache2/sites-available/example.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://example.com and https://www.example.com

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in 
  the background, but you may need to take steps to enable that functionality. 
  See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
</code></pre>

Everything is now set up for you. Verify that the site is working by visiting both its http\:// and https\:// URLs. Any request to the http\:// URL will be redirected to the https\:// URL, which is secured by the new Let's Encrypt SSL certificate.
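The same verification can be scripted. The following is an added example, not part of the original guide or of Certbot: it checks that HTTP redirects to HTTPS on the same host, that the served certificate matches the hostname and is not close to expiry, and that renewal works. The function names and the 30-day threshold are assumptions of this example, and the sample headers in `selftest` are constructed.

```shell
#!/bin/sh
# Added example: post-issuance checks for this guide's example.com setup.
# Function names are this example's own, not part of Certbot or Apache.

# Read HTTP response headers on stdin. Succeed only if the response is a
# redirect (301/302/307/308) whose Location is on https://<host>.
redirects_to_https() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                  # header lines end in CR LF
        /^HTTP\//                  { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            redirect  = (status ~ /^30[1278]$/)
            same_host = (loc == ("https://" host) || index(loc, "https://" host "/") == 1)
            exit ((redirect && same_host) ? 0 : 1)
        }'
}

# Succeed if the certificate served for <host> on port 443 matches the
# hostname and is still valid <days> days from now (default 30).
cert_ok() {
    host="$1"; days="${2:-30}"
    pem="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
           openssl x509 2>/dev/null)" || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$host" | grep -q 'does match'
}

# Offline check of the header logic against constructed sample responses.
selftest() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n' |
        redirects_to_https example.com || return 1
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' |
        redirects_to_https example.com && return 1
    return 0
}

main() {
    for d in "$@"; do
        curl -sI "http://$d/" | redirects_to_https "$d" || echo "$d: no HTTPS redirect" >&2
        cert_ok "$d" 30 || echo "$d: certificate mismatch or under 30 days left" >&2
    done
    sudo certbot renew --dry-run                  # rehearse renewal; live certificate is not replaced
    systemctl list-timers --no-pager 'certbot*'   # scheduled renewal on systemd hosts
}

if [ "$#" -gt 0 ]; then main "$@"; else selftest && echo "selftest passed"; fi
```

Run it with the certificate's domains as arguments, for example `sh check-https.sh example.com www.example.com`; without arguments it only runs the offline self-test.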

