Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time.

In this guide, we will explain how to Secure Apache with Let's Encrypt on Debian 9.

Deploying your cloud server
If you have not already registered with Cloudwafer, you should begin by getting signed up. Take a moment to create an account after which you can quickly deploy your cloud servers.

Once you have signed up, log into your Cloudwafer Client Area with the password provided in your mail and deploy your Cloudwafer cloud server.

Updating System Packages
It is recommended that you update the system to the latest packages before beginning any major installations. Update with the command below:

sudo apt-get update && sudo apt-get upgrade

Note: The user logged in must have sudo privileges to be able to install packages.


  • For the sake of this tutorial, we are going to be using a registered domain with which we are going to use the certificate. If you do not already have a registered domain name, you can register one with Cloudwafer
  • Let's Encrypt validates that you own the domain it is issuing a certificate for. Hence, a DNS A Record that points your domain to the public IP address of your server is required. This guide will be using debian.cloudwaferlabs.com.ng and www.debian.cloudwaferlabs.com.ng as the domain names, hence both DNS records are required.

Step 1: Install Apache
Follow the steps outlined in our guide on installing Apache on Debian 9 to complete this step.

Step 2: Configure a Virtual Host for your domain
Follow the steps outlined in our guide on configuring Virtual Hosts with Apache on Debian 9 to complete this step.

Step 3: Install Certbot
Certbot is a package that allows you to automatically enable HTTPS on your website with EFF's Certbot while deploying Let's Encrypt certificates. Issue the command below to install Certbot:

sudo apt install certbot


Step 4: Generate Strong Dh (Diffie-Hellman) Group
For enhanced security, we are going to generate strong DH group. Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel. Issue the command below to generate a new set of 2048 bit DH parameters run:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 5: Obtain a Let’s Encrypt SSL certificate
The following commands will create the Let's encrypt directory and make it writable for the Apache server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Next, create the following two configurations snippets:

sudo nano /etc/apache2/conf-available/letsencrypt.conf

Enter the following:

Alias /.well-known/acme-challenge/ 
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

sudo nano /etc/apache2/conf-available/ssl-params.conf

Enter the following:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Next, ensure that mod_ssl, mod_headers and HTTP/2 module are enabled by issuing:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod http2

We can now proceed to enable the SSL configuration files by running the following commands:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Next, restart Apache for our changes to take effect using the command below:

sudo systemctl restart apache2

Lastly, use the Certbot tool with the webroot plugin to obtain the SSL certificate files :

sudo certbot certonly --agree-tos --email admin@debian.cloudwaferlabs.com.ng --webroot -w /var/lib/letsencrypt/ -d debian.cloudwaferlabs.com.ng -d www.debian.cloudwaferlabs.com.ng

Next, edit your domain virtual host configuration to enforce HTTPS. Modify as required.

<VirtualHost *:80> 
  ServerName debian.cloudwaferlabs.com.ng
  ServerAlias www.debian.cloudwaferlabs.com.ng

  Redirect permanent / https://debian.cloudwaferlabs.com.ng/

<VirtualHost *:443>
  ServerName debian.cloudwaferlabs.com.ng
  ServerAlias www.debian.cloudwaferlabs.com.ng

  Protocols h2 http:/1.1

  <If "%{HTTP_HOST} == 'www.debian.cloudwaferlabs.com.ng'">
    Redirect permanent / https://debian.cloudwaferlabs.com.ng/

  DocumentRoot /var/www/debian.cloudwaferlabs.com.ng/public_html
  ErrorLog ${APACHE_LOG_DIR}/debian.cloudwaferlabs.com.ng-error.log
  CustomLog ${APACHE_LOG_DIR}/debian.cloudwaferlabs.com.ng-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/debian.cloudwaferlabs.com.ng/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/debian.cloudwaferlabs.com.ng/privkey.pem

  # Other Apache Configuration


Next, visit your domain with https://

Step 6 - Setup Auto-renewal
Add the following to your cronjob which will run twice a day and will automatically renew any certificate 30 days before its expiration.

sudo nano /etc/cron.d/certbot

**0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"**