How To Install Let’s Encrypt On Debian 11

lets encrypt logo header

In this tutorial you will learn how to Install LAMP and Let’s Encrypt SSL on Debian 11.

LAMP is short for Linux, Apache, MySQL, PHP. Its a term used when we are building a standard web server which is includes the operating system, the web server software, the database software and the server side scripting language to pull it all together.

Let’s Encrypt is a free service that allows us to secure our websites with an SSL, this encrypts the traffic from the server, to your web browser. Traditionally we would need to buy an SSL certificate from a 3rd party such as Comodo, this requires creating a certificate request, sending it to Comodo to be signed, then installing the certificate they provide. This can be time consuming. Let’s Encrypt allows us to do this on the server automatically, more importantly its free.

It always seems impossible until its done.The future belongs to those who believe in the beauty of their dreams.

Eleanor Roosevelt


  • You will need a Server from a reliable provider like Sebae
  • Your Server should be the latest Debian release, currently 11
  • You will need root access to the server

Like most Operating Systems, they should be kept up to date. We have created an article that shows how to keep your Debian release up to date, leaving you do to other things.

You can follow our tutorial on how to keep Debian automatically updated.

Before You Begin

Login to your VPS as root, and get the OS up to date.

apt update && apt upgrade

let the process run, once finished Debian should be ready.

Step 1: Install LAMP On Debian 11

First of all, we need to download and install our LAMP stack on Debian. To do this run the following command:

apt-get install apache2 mariadb-server php php-cli php-common libapache2-mod-php wget -y

Next run the following commands to enable the services so they start at reboot, note this should be already done automatically as part of the install.

systemctl start apache2
systemctl enable apache2
systemctl start mariadb
systemctl enable mariadb

Once complete, we can verify Apache is running with the following command;

systemctl status apache2

The output should be similar as below

root@debtraining:~# systemctl status apache2
* apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-10-26 20:47:21 UTC; 42s ago
 Main PID: 12485 (apache2)
    Tasks: 55 (limit: 38054)
   Memory: 4.9M
      CPU: 48ms
   CGroup: /system.slice/apache2.service
           |-12485 /usr/sbin/apache2 -k start
           |-12486 /usr/sbin/apache2 -k start
           `-12487 /usr/sbin/apache2 -k start

Oct 26 20:47:21 debtraining systemd[1]: Starting The Apache HTTP Server...
Oct 26 20:47:21 debtraining systemd[1]: Started The Apache HTTP Server.

You can also verfiy Apache is accessible by entering the URL of your server like this:


If everything is looking like the above then we now have Apache & MariaDB installed and running.

Step 2: Create A New Apache Virtual Host

Now we need to create a virtual host which is essentially another website running on the same server.

To create it run the following command:

nano /etc/apache2/sites-available/ 

Add the following lines to the file:

 <VirtualHost *:80>
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Now save and close the files.

Next, lets enable the new Apache virtual host by running the following command:


Now the new Apache virtual host is active.

Step 3: Installing Let’s Encrypt On Debian 11

Now we have LAMP installed, the next step is to install Let’s Encrypt. To do this we first need to install the Certbot tool.

Run the following command to install the package:

apt -y install certbot python3-certbot-apache

Now we can run the tool to get Let’s Encrypt certifificates. Please note, you must have a valid domain for this to work.

The server must also be contactable from the internet on ports 80 and 443, if not the process will fail.

Lets get our certificate by running the following command:

certbot --apache -d

When you first run the command, the wizard will ask you to agree to the licence agreement and ask you to provide an email address.

Next the wizard will run the http challange request and obtain the Let’s Encrypt certificate.

The wizard will also ask if you wish to configure https redirection, simply accept this by entering number 2 and the wizard will redirect all traffic on port 80 to 443 (SSL). This is the correct way to setup SSL.

Now your website is secured with an SSL certificate.

Step 3: Check Let’s Encrypt Automatic Renewal

The Let’s Encrpt certifcates have a defaut life time of 3 months and the certbot’s automated renewal process is configured to renew when there is less than 30 days remaining.

To check the timer is running, run the following command:

systemctl status certbot.timer

The output should look like this


Finally we can test a dry run of the renewal process by running the following command:

certbot renew --dry-run

The installation is now complete and your site is now secured by an SSL.

If your running a highly secure website, such as passing sensitive customer data then we still recommend you purchase a 3rd party SSL certificate. Although Let’s Encrypt is free to use, the short life time can potentially leave your site insecure if the automatic renewal process fails to renew.

Now we have learned how to install LAMP and Let’s Encrypt SSL on Debian 11.

If you would like further help you can get in touch with us.

Leave a Reply
Previous Post
Microsoft Security Header

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

Next Post
Teams Logo Header

Microsoft Teams performance improves with framework upgrade

Related Posts