Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.


Apache on Debian 9 (stretch)


Install

Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.

First you'll have to follow the instructions here to enable the Stretch backports repo, if you have not already done so. Then run:

$ sudo apt-get install python-certbot-apache -t stretch-backports

Certbot's DNS plugins, which can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server, are not available for your OS yet. This should change soon, but if you don't want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

Get Started

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates certificate installation.

Due to a security issue, Let's Encrypt has stopped offering the mechanism that the Apache plugin previously used to prove you control a domain. You can read more about this here.

We released a new version of Certbot to work around this, but it hasn't been packaged by your OS yet. If you have to obtain a certificate and cannot wait, you have a couple of options. If you're serving files for that domain out of a directory on that server, you can run the following command:

$ sudo certbot --authenticator webroot --installer apache

This command will get a certificate for you and have Certbot edit your Apache configuration to automatically serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand. To see instructions on how to use this subcommand, select "None of the above" in the first drop-down menu above. If you're not serving files out of a directory on the server, you can temporarily stop your server while you obtain the certificate; however, you'll have to configure Apache to use the certificate yourself. The command to do this would look something like:

$ sudo certbot certonly --authenticator standalone --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

If you usually use a command like systemctl or service to start and stop Apache, you should use those commands instead in the hooks above. By using a command with hooks like this, if you automate renewal as described below, Certbot will automatically stop and start Apache when you need to renew your certificates. If you configure Apache to use the symlinks in the "live" directory as instructed by Certbot, Apache will automatically begin using any renewed certificates.
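
For the certonly case described above, where you configure Apache yourself, the virtual hosts can look like the following. This is an added example, not taken from the Certbot documentation; example.com and the DocumentRoot are placeholders, and the certificate paths assume Certbot's default /etc/letsencrypt directory.

```apache
# Added example. "example.com" and the DocumentRoot are placeholders;
# substitute your own domain and paths.
# Requires mod_ssl (on Debian: a2enmod ssl).

# Plain HTTP: send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Reference the symlinks under "live", not the versioned files under
    # "archive": Certbot repoints these symlinks at each renewal.
    # fullchain.pem holds the server certificate followed by the
    # intermediate chain (Apache 2.4.8+ reads both from this one file).
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

Run apachectl configtest after editing. Apache reads the certificate files when it starts, so the post-hook start in the command above is what makes a renewed certificate take effect.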

To learn more about how to use Certbot, read our documentation.

Automating renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

More detailed information and options about renewal can be found in the full documentation.
