Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.

I'm using on
No javascript? See all setup instructions here. Read the full documentation here.

Apache on Debian 8 (jessie)

Automated
Advanced

Install

Note for existing Debian 8 Certbot users

NOTE: We previously suggested using the operating system-provided packaged version of Certbot on Debian 8 (jessie). Because of important updates in the Certbot code, we are now recommending that Debian 8 users switch to the certbot-auto method, described below.

If this is your first time installing Certbot on your Debian 8 system, you do not need to do anything else before installing certbot-auto. But if you've previously installed Certbot via apt-get on your Debian 8 system, we recommend uninstalling the packaged version before continuing with the other steps below, in order to avoid potential conflicts between the two versions. You can do this with

sudo apt-get remove certbot

If you don't remember whether or not you've installed the packaged version of Certbot, there is no harm in running this command; if the packaged version of Certbot isn't installed on your system, the command has no effect. Uninstalling the packaged version of Certbot does not delete your existing certificates, if any.

Installing certbot-auto on your system

Since it doesn't seem like your operating system has an up-to-date packaged version of Certbot, you should remove any previously installed packaged version, if applicable, and then use our certbot-auto script to get an up-to-date copy:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically.

Certbot's DNS plugins which can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server are not available for your OS yet. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

Get Started

Certbot has an Apache plugin, which is supported on many platforms, and automates certificate installation.

$ sudo ./path/to/certbot-auto --apache

Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ sudo ./path/to/certbot-auto --apache certonly
To learn more about how to use Certbot read our documentation.

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo ./path/to/certbot-auto renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
./path/to/certbot-auto renew

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew 

More detailed information and options about renewal can be found in the full documentation.

Install

Note for existing Debian 8 Certbot users

NOTE: We previously suggested using the operating system-provided packaged version of Certbot on Debian 8 (jessie). Because of important updates in the Certbot code, we are now recommending that Debian 8 users switch to the certbot-auto method, described below.

If this is your first time installing Certbot on your Debian 8 system, you do not need to do anything else before installing certbot-auto. But if you've previously installed Certbot via apt-get on your Debian 8 system, we recommend uninstalling the packaged version before continuing with the other steps below, in order to avoid potential conflicts between the two versions. You can do this with

sudo apt-get remove certbot

If you don't remember whether or not you've installed the packaged version of Certbot, there is no harm in running this command; if the packaged version of Certbot isn't installed on your system, the command has no effect. Uninstalling the packaged version of Certbot does not delete your existing certificates, if any.

Installing certbot-auto on your system

Since it doesn't seem like your operating system has an up-to-date packaged version of Certbot, you should remove any previously installed packaged version, if applicable, and then use our certbot-auto script to get an up-to-date copy:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it is a wrapper that installs all of its own dependencies and updates the client code automatically.

Certbot's DNS plugins which can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server are not available for your OS yet. This should change soon but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

Get Started

Certbot has an Apache plugin, which is supported on many platforms, and automates certificate installation.

$ sudo ./path/to/certbot-auto --apache

Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ sudo ./path/to/certbot-auto --apache certonly
To learn more about how to use Certbot read our documentation.

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo ./path/to/certbot-auto renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
./path/to/certbot-auto renew

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew 

More detailed information and options about renewal can be found in the full documentation.