Securing Apache with an SSL certificate from Let's Encrypt
Let's Encrypt issues free SSL certificates. By using certbot, you can automate the entire process of issuing and renewing certificates.
In this guide, we'll demonstrate how to set up Let's Encrypt with Apache in Debian 13 and Ubuntu 24.04.
Prerequisite
Before issuing an SSL certificate, you need to have set up a basic virtual host for your domain in Apache. Such a virtual host file can look like this:
The virtual host also needs to be enabled if it isn't already:
Command
sudo a2ensite example.com
Setting up an SSL certificate
Generating an SSL certificate for Apache with Certbot is straightforward. The client automatically retrieves and installs new certificates that are valid for the domains specified as parameters.
Certbot also creates a new virtual host that listens on HTTPS (port 443) for the domain. And as a final piece of the puzzle, Certbot also sets up a cron job to renew the certificate before it expires.
Let's start by installing Certbot:
Next, you can issue a certificate for the domain in the virtual host using certbot. Make sure to include the --apache option, as this creates all the necessary configurations for Apache, including redirection from HTTP to HTTPS.
Enter all domains and subdomains that you wish to be included in the certificate using the -d option. Enter the main domain first, as the certificate files will be named after it. Once you execute the command, you'll be prompted to enter your email address and to accept Let's Encrypt's terms of service.
It will look similar to this:
Everything is now set up for you. Verify that the site is working by visiting both its http:// and https:// URLs. Any request to http:// will be redirected to the https:// URL, which is secured by the new Let's Encrypt SSL certificate.
Commands and prompts (commands, inputs and prompts are highlighted)
certbot --apache -d example.com -d www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for example.com and www.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2026-01-23.
These files will be updated when the certificate renews.
Deploying certificate
Successfully deployed certificate for example.com to /etc/apache2/sites-available/example.com-le-ssl.conf
Successfully deployed certificate for www.example.com to /etc/apache2/sites-available/example.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://example.com and https://www.example.com
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in
the background, but you may need to take steps to enable that functionality.
See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
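The manual check described above (every -d name is on the certificate, and http:// is redirected to https://) can also be scripted. The following is an added example, not part of the original guide; the sample command output is constructed, and the function names missing_names and redirects_to_https are hypothetical.

```sh
#!/bin/sh
# Added example (not from the guide): scripted form of the manual check.
# Both functions read captured command output on stdin, so they run offline.

# stdin: openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem \
#            -noout -ext subjectAltName
# args:  every name given to certbot with -d
# Prints each name missing from the certificate and fails if any is missing.
# Exact match only: a wildcard SAN entry is not expanded.
missing_names() (
    sans=$(tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
    rc=0
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || { echo "$name"; rc=1; }
    done
    exit "$rc"
)

# stdin: curl -sI http://example.com/
# arg:   the host that was requested
# Succeeds only for a 301/302/307/308 whose Location stays on https://<host>.
redirects_to_https() (
    host=$1 status='' location='' cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}   # header lines end in CRLF
        case $line in
            HTTP/*) status=${line#* }; status=${status%% *} ;;
            [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
        esac
    done
    case $status in 301|302|307|308) ;; *) exit 1 ;; esac
    case $location in
        "https://$host"|"https://$host/"*) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Constructed sample output for the example.com run shown above.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com'
SAMPLE_HEAD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n')

printf '%s\n' "$SAMPLE_SAN" | missing_names example.com www.example.com \
    && echo "certificate covers every -d name"
printf '%s\n' "$SAMPLE_HEAD" | redirects_to_https example.com \
    && echo "http:// redirects to https://"
```

On the server, pipe the real openssl and curl output named in the comments into the two functions in place of the sample variables.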