18.07.2025
The target system in this guide is Debian 12. It should also work similarly on Debian 11 and 10.
Let's assume you have a clean apache2 install on Debian 12:
apt install apache2
openssl is usually already installed but you can try to install it explicitly:
apt install openssl
To enable SSL (basically HTTPS) on apache2:
a2enmod ssl
Now copy the default-ssl website config from /etc/apache2/sites-available, rename it however you wish (in this example we'll rename it to sitename.conf) and enable it:
a2ensite sitename
This command may fail for now, as we don't yet have an SSL certificate, but keep it in mind for later.
You'll also want to know how to check your apache2 configuration...
apachectl configtest
...gracefully reload the web server...
apachectl graceful
...or just fully restart it using systemd.
systemctl restart apache2
Beware that most browsers will still consider your website insecure if you use a self-signed SSL certificate.
It may still be helpful if you need to configure cross-application interactions that work only with HTTPS websites, and you want a simple solution.
To obtain a certificate, just install the ssl-cert package.
apt install ssl-cert
Upon installation, it will automatically generate a certificate and store it at /etc/ssl/certs/ssl-cert-snakeoil.pem
The certificate is valid for 10 years.
apache2 uses this path by default in its config, so you don't need to configure anything else. Excerpt from default apache2 config:
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Now check your apache2 config and reload the web server.
The simplest solution is to use certbot as an ACME client.
certbot installation:
apt install certbot
!! That actually proved to be insufficient on my first test of certbot, so in the end I needed to additionally install the python3-certbot-apache package as well.
apt install -y certbot python3-certbot-apache
Now you can obtain your certificate. The base command looks like certbot --apache, but let's take a look at a few important details before we proceed:
1. You need to open port 80 on your web server, as certbot uses an HTTP request to verify your domain. If your server is hidden behind NAT, you'll also need to configure port forwarding. You can undo the changes after obtaining the certificate.
2. certbot --apache automatically updates your apache2 config files. You can use the certonly subcommand to just obtain a certificate without modifying your configs.
3. Upon running, certbot will ask for your email address. It is useful for monitoring your SSL certificate expiration date. But if you, like me, prefer not to specify it, you need to use the --register-unsafely-without-email option.
In the end, the command I used for my configuration looked like this:
certbot certonly --apache --register-unsafely-without-email
After completion, certbot tells you where the certificate files are located. By default, it's:
/etc/letsencrypt/live/your.website/fullchain.pem
/etc/letsencrypt/live/your.website/privkey.pem
So now you can specify them in your website's .conf file:
SSLCertificateFile /etc/letsencrypt/live/your.website/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your.website/privkey.pem
Restart your apache2 server and you're good to go.
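Because certonly leaves the .conf file untouched, it is easy to keep serving the snakeoil pair after obtaining the Let's Encrypt files. The following is an added example, not part of the original guide: the function names are made up here, and the two openssl helpers assume the openssl CLI installed at the start of the guide.

```shell
# Added example (not from the original guide): audit the certificate paths an
# apache2 vhost config references, then sanity-check the files with openssl.

# Print "Directive path" for each active certificate directive.
# Commented-out lines are skipped because their first field starts with "#".
cert_directives() {
    awk 'tolower($1) == "sslcertificatefile" || tolower($1) == "sslcertificatekeyfile" {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# Classify a path as the ssl-cert snakeoil pair, a certbot path, or other.
classify_path() {
    case "$1" in
        /etc/ssl/certs/ssl-cert-snakeoil.pem|/etc/ssl/private/ssl-cert-snakeoil.key)
            echo snakeoil ;;
        /etc/letsencrypt/live/*) echo letsencrypt ;;
        *) echo other ;;
    esac
}

# Print one line per directive; return 1 if any still points at snakeoil files.
audit_vhost() {
    audit_rc=0
    audit_lines=$(cert_directives "$1")
    while read -r directive path; do
        [ -n "$directive" ] || continue
        kind=$(classify_path "$path")
        echo "$directive $path $kind"
        if [ "$kind" = snakeoil ]; then audit_rc=1; fi
    done <<EOF
$audit_lines
EOF
    return "$audit_rc"
}

# True if the certificate and private key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate expires within the given number of days.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage on the guide's example site (sitename.conf is the guide's example name):
#   audit_vhost /etc/apache2/sites-available/sitename.conf
```

Run the two openssl helpers as root, since the private key files are not world-readable.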