
How To Install Certbot on Debian 13


Running your website without HTTPS in 2025 is a serious mistake. Browsers display alarming “Not Secure” warnings, Google pushes HTTP sites lower in search rankings, and visitors have every reason to leave the moment they see that flag. The fix is straightforward — and free. Install a trusted SSL/TLS certificate using Certbot and Let’s Encrypt, and your site becomes encrypted, trusted, and fully compliant with modern web security standards.

This guide walks you through exactly how to install Certbot on Debian 13 (codenamed “Trixie”), the latest stable release of the Debian operating system. You will cover the complete process — from system preparation to obtaining a live certificate and configuring automatic renewal — for both Apache and Nginx web servers. By the end, your server will be serving HTTPS traffic at zero certificate cost.

What Is Certbot and How Does It Work?

Certbot is a free, open-source command-line tool developed and maintained by the Electronic Frontier Foundation (EFF). Its core job is to automate the process of obtaining, installing, and renewing SSL/TLS certificates from Let’s Encrypt — the world’s largest nonprofit certificate authority, operated by the Internet Security Research Group (ISRG).

Under the hood, Certbot uses the ACME (Automated Certificate Management Environment) protocol to communicate with Let’s Encrypt’s servers. The process works like this: Certbot requests a certificate, Let’s Encrypt issues a domain validation challenge (typically the HTTP-01 challenge, which involves placing a temporary file on your web server), and once the challenge passes, the certificate is issued and installed automatically.

Let’s Encrypt certificates are valid for 90 days — deliberately shorter than traditional CA certificates — to minimize risk from compromised credentials and to encourage automation. Certbot handles auto-renewal so you never have to manually reissue a certificate. With over 400 million active certificates issued globally, Let’s Encrypt has become the undisputed industry standard for free, trusted HTTPS.

Why Use Let’s Encrypt SSL on Debian 13?

There are compelling reasons to choose Let’s Encrypt over commercial SSL providers, especially when running a Debian 13 server:

  • Free forever: No subscription fees, no credit card, and no limits on how many certificates you issue.
  • Fully automated: Certbot handles issuance, web server configuration changes, and renewal without any manual steps.
  • Universally trusted: Chrome, Firefox, Safari, Edge, and all major mobile operating systems recognize Let’s Encrypt certificates out of the box.
  • Certbot 4.x compatibility: Debian 13 “Trixie” ships with Certbot 4.x — the latest major release — available via both APT and Snap.
  • Open and transparent: Run by the nonprofit ISRG with full public audit logs; zero vendor lock-in.

Whether you are hosting a personal blog, a production REST API, an e-commerce site, or a self-hosted application, Let’s Encrypt SSL delivers the same trust level as expensive paid certificates.

Prerequisites

Before diving in, confirm that the following conditions are in place:

  • A server running Debian 13 “Trixie” — fresh or existing installation.
  • A user account with sudo privileges or direct root access.
  • A registered domain name with its DNS A record already pointing to your server’s public IP — Certbot validates domain ownership, so DNS must be propagated first.
  • Ports 80 (HTTP) and 443 (HTTPS) open and accessible on your server and any upstream firewall.
  • Either Apache or Nginx web server installed (steps for both are covered below).
  • A working SSH or direct terminal connection.

If DNS has not propagated yet, run dig yourdomain.com to verify it resolves to the correct IP address before continuing. Proceeding without DNS in place is the single most common reason Certbot fails on first run.

Step 1: Update and Upgrade Your Debian 13 System

Start by refreshing the package index and applying any pending system upgrades. This prevents dependency conflicts and ensures you are working with the latest security patches.

sudo apt update -y && sudo apt upgrade -y

The -y flag auto-confirms all prompts to keep the process non-interactive. If a kernel upgrade was applied during this step, reboot before continuing:

sudo reboot

Once the server is back online, reconnect via SSH and proceed to the next step.

Step 2: Install Snapd on Debian 13

The EFF officially recommends installing Certbot via Snap — it guarantees you always receive the most current version regardless of Debian’s own package release cycle. First, install the Snapd daemon:

sudo apt install snapd -y

Enable the Snap socket service so it starts automatically:

sudo systemctl enable --now snapd.socket

Then create the symlink required for classic Snap confinement:

sudo ln -s /var/lib/snapd/snap /snap

Important: After installing Snapd on Debian 13, log out and back in — or reboot the system — to ensure Snap’s binary paths initialize correctly. Skipping this step causes the snap command to behave unexpectedly.

sudo reboot

Step 3: Install Certbot on Debian 13 Using Snap

With Snapd running, first remove any old OS-level Certbot package to prevent version conflicts:

sudo apt remove certbot -y

Now install Certbot via Snap in classic confinement mode. The --classic flag is mandatory because Certbot needs unrestricted access to your web server files and SSL configuration directories:

sudo snap install --classic certbot

A successful install outputs the following confirmation:

certbot 4.2.0 from Certbot Project (certbot-eff✓) installed

Unlike APT packages, Snap packages refresh themselves silently in the background. Your Certbot binary will always stay current without you having to run a manual apt upgrade.

Step 4: Create the Certbot Symbolic Link

For the certbot command to work from any directory in the terminal, link the Snap binary to /usr/bin/certbot:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Confirm the installation succeeded by checking the installed version:

certbot --version

You should see output similar to:

certbot 4.x.x

If you see “command not found,” verify that the Snap service is active with sudo systemctl status snapd and confirm the symlink was created in the correct path.

Step 5: Configure UFW Firewall to Allow HTTPS Traffic

Certbot’s HTTP-01 domain validation requires inbound access on port 80, because Let’s Encrypt’s validation servers connect to your web server to fetch the challenge file. Your live site also needs port 443 open for all HTTPS traffic. First, check UFW status:

sudo ufw status

If UFW is active, open both required ports:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Apache users can use a built-in UFW application profile as a shortcut:

sudo ufw allow "Apache Full"

Reload UFW and confirm the rules are applied:

sudo ufw reload && sudo ufw status

Entries for ports 80 and 443 should now appear as ALLOW. Without these ports open, Certbot fails the domain challenge and returns a “Connection refused” error — one of the most common installation pitfalls.

Step 6: Install Apache Web Server on Debian 13

Note: If you are using Nginx as your web server, skip directly to Step 9.

Install Apache2 using APT:

sudo apt install apache2 -y

Start Apache and enable it to launch automatically at boot:

sudo systemctl start apache2 && sudo systemctl enable apache2

Verify that Apache is actively running:

sudo systemctl status apache2

Look for Active: active (running) in the output. Navigating to http://your-server-ip in a browser should display the Apache2 default welcome page, confirming a successful installation.

Step 7: Create and Enable an Apache Virtual Host

Certbot requires a configured virtual host with a matching ServerName directive to issue a certificate correctly. Create the configuration file for your domain:

sudo nano /etc/apache2/sites-available/yourdomain.com.conf

Paste this minimal virtual host block and replace yourdomain.com with your actual domain:

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save the file with Ctrl+X, then Y, then Enter. Enable the new site, disable the default placeholder, and restart Apache to apply the changes:

sudo a2ensite yourdomain.com.conf
sudo a2dissite 000-default.conf
sudo systemctl restart apache2

Confirm your domain loads over HTTP before proceeding to issue the SSL certificate.

Step 8: Obtain and Install a Free SSL Certificate for Apache

Install the Certbot Apache plugin, which allows Certbot to automatically detect and update your Apache configuration:

sudo apt install python3-certbot-apache -y

Run Certbot with the --apache flag and specify your domain name:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Certbot walks you through a brief interactive setup:

  1. Email address — used for renewal notices and emergency certificate recovery.
  2. Terms of Service — press A to agree.
  3. EFF newsletter — enter Y or N based on your preference.

Certbot then automatically modifies your Apache virtual host to enable HTTPS and redirects all HTTP traffic to HTTPS. A successful run produces this output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Congratulations! You have successfully enabled HTTPS on https://yourdomain.com

Step 9: Install Nginx Web Server on Debian 13

Note: If you completed the Apache steps above, skip ahead to Step 12.

Install Nginx using APT:

sudo apt install nginx -y

Start Nginx and enable it to launch at boot:

sudo systemctl start nginx && sudo systemctl enable nginx

Verify that the Nginx service is running:

sudo systemctl status nginx

Look for Active: active (running) in the output. Visiting http://your-server-ip should display the Nginx default welcome page.

Step 10: Create an Nginx Server Block for Your Domain

Nginx requires a server block configuration that references your domain name before Certbot can validate and issue a certificate. Create the configuration file:

sudo nano /etc/nginx/conf.d/yourdomain.com.conf

Paste this minimal server block and replace yourdomain.com with your actual domain:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/html;
    index index.html index.htm;
}

Test the Nginx configuration for syntax errors before reloading:

sudo nginx -t

The expected output for a valid configuration is:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload Nginx to apply the new server block:

sudo systemctl reload nginx

Step 11: Obtain and Install a Free SSL Certificate for Nginx

Install the Certbot Nginx plugin to allow automated certificate deployment:

sudo apt install certbot python3-certbot-nginx -y

Run Certbot with the --nginx flag:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Complete the same interactive prompts — email address, Terms of Service agreement, and newsletter preference. Certbot automatically updates your Nginx server block, adds SSL certificate directives, and configures the HTTP-to-HTTPS redirect. Certificate files are stored at the following paths:

/etc/letsencrypt/live/yourdomain.com/fullchain.pem
/etc/letsencrypt/live/yourdomain.com/privkey.pem

Visit https://yourdomain.com in your browser. A padlock icon in the address bar confirms the Let’s Encrypt certificate is live and trusted.

Step 12: Verify Your SSL Certificate Is Working

List all active SSL certificates that Certbot manages on your server:

sudo certbot certificates

This command displays domain names, certificate file paths, and expiry dates for every certificate on the system. For a quick command-line check of the live TLS handshake, use OpenSSL:

openssl s_client -connect yourdomain.com:443 -brief

For a comprehensive security audit, paste your domain into SSL Labs at https://www.ssllabs.com/ssltest/. A properly configured Let’s Encrypt setup with an HTTPS redirect and HSTS header enabled should score an A or A+ rating — the industry benchmark for production-ready SSL/TLS.
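
The redirect and HSTS header that the SSL Labs grade depends on can also be checked from the shell. The following is an added example, not part of the original tutorial: it inspects response headers as printed by curl -sI, using constructed sample responses. The function names and the 180-day HSTS floor are assumptions to adjust to your own policy.

```shell
#!/usr/bin/env bash
# Added example: check the HTTPS redirect and HSTS header from response headers.
# Each function reads the output of `curl -sI <url>` on stdin.

redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1 { code = $2 }                      # status line: HTTP/1.1 301 ...
        tolower($1) == "location:" { loc = $2 }    # header names are case-insensitive
        END { exit !(code ~ /^30[1278]$/ && loc ~ /^https:\/\//) }
    '
}

hsts_max_age() {    # prints max-age in seconds, nothing if the header is absent
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age="?[0-9]+/)) {
                v = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", v)
                print v
                exit
            }
        }
    '
}

has_strong_hsts() {
    local min="${1:-15552000}" age    # assumed floor: 180 days
    age="$(hsts_max_age)"
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Constructed responses, not captured from a real server.
sample_http()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\n\r\n'; }
sample_https() { printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'; }
sample_bare()  { printf 'HTTP/2 200\r\nserver: nginx\r\n\r\n'; }

sample_http  | redirects_to_https && echo "redirect: ok"
sample_https | has_strong_hsts    && echo "hsts: ok"
sample_bare  | has_strong_hsts    || echo "hsts: missing"
```
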

Step 13: Set Up Automatic SSL Certificate Renewal

Missing a renewal deadline turns your site back to “Not Secure” overnight. Certbot prevents this by installing a systemd timer on Debian 13 automatically during setup. The timer fires twice daily but only renews certificates that are within 30 days of expiry — so there is no risk of disruption from over-renewing.

Check that the renewal timer is active:

sudo systemctl status certbot.timer

Look for Active: active (waiting) in the output. If the timer is not running, enable it manually:

sudo systemctl enable --now certbot.timer

Check whether a cron entry was also created alongside the timer:

sudo crontab -l

Either the systemd timer or the cron job alone is sufficient to keep your certificates renewed automatically without any manual involvement.

Step 14: Test the Certbot Certificate Renewal Process

Before trusting auto-renewal to run unattended in production, simulate the full renewal process using a dry run:

sudo certbot renew --dry-run

A clean, successful result produces the following output:

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem (success)

If the dry run fails, check the full Certbot log at /var/log/letsencrypt/letsencrypt.log. Common culprits include a stopped web server, a closed port 80, or a DNS misconfiguration. Fix the root cause, rerun the dry run, and confirm it passes cleanly before walking away.
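
A renewal that fails silently only becomes visible when the certificate lapses, so it is worth checking the remaining lifetime independently of the timer. The following is an added example, not part of the original tutorial: it reads the output of sudo certbot certificates and lists every certificate with fewer days left than the 30-day renewal window. The sample input is constructed, and the function name and the "Expiry Date: ... (VALID: N days)" line format are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list certificates that auto-renewal should already have replaced.
# Reads `certbot certificates` output on stdin, prints "<name><TAB><reason>".
# Assumption: the status appears as "Expiry Date: <timestamp> (VALID: N days)".

certs_needing_attention() {
    local min_days="${1:-30}"   # renewal is attempted once fewer than 30 days remain
    awk -v min="$min_days" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            status = $0
            sub(/^.*\(/, "", status)    # drop everything up to "("
            sub(/\).*$/, "", status)    # drop ")" and anything after it
            if (status ~ /^VALID: [0-9]+ day/) {
                split(status, f, " ")
                if (f[2] + 0 < min) printf "%s\t%s days left\n", name, f[2]
            } else {
                # "VALID: N hour(s)", "INVALID: EXPIRED", or an unknown form
                printf "%s\t%s\n", name, status
            }
        }
    '
}

# Constructed sample, not captured from a real server.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2026-01-10 08:15:42+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  Certificate Name: shop.yourdomain.com
    Domains: shop.yourdomain.com
    Expiry Date: 2025-11-21 09:30:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/shop.yourdomain.com/fullchain.pem
  Certificate Name: old.yourdomain.com
    Domains: old.yourdomain.com
    Expiry Date: 2025-10-01 11:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.yourdomain.com/fullchain.pem
EOF
}

sample_output | certs_needing_attention 30
```

On a live server, pipe the real listing in instead: sudo certbot certificates | certs_needing_attention 30. Any line of output means renewal has not happened when it should have.
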

Common Certbot Errors on Debian 13 and How to Fix Them

Even a clean Debian 13 setup can hit snags. Here are the most frequent issues and their actionable fixes:

  • “Connection refused” or port 80 blocked: Run sudo ufw status and confirm ports 80 and 443 are listed as ALLOW. Some cloud providers also block port 80 at the network edge — check your provider’s security group or VPC firewall rules separately.
  • “DNS resolution failed”: Your domain’s A record has not yet propagated to Let’s Encrypt’s resolvers. Use dig yourdomain.com to confirm the record resolves to the correct IP. Full propagation can take up to 48 hours.
  • “Too many certificates already issued”: Let’s Encrypt enforces a rate limit of five duplicate certificates per week per domain. Use the --staging flag to test without burning production quota: sudo certbot --apache --staging -d yourdomain.com
  • “certbot: command not found”: The symlink step was skipped or failed. Re-run the command: sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • Certificate not auto-renewing: Run sudo systemctl status certbot.timer — if it shows as inactive or failed, re-enable it with sudo systemctl enable --now certbot.timer
  • Web server config broken after cert issuance: Test with sudo apachectl configtest for Apache or sudo nginx -t for Nginx, and correct any reported syntax errors before restarting the web server.

Congratulations! You have successfully installed Certbot. Thanks for using this tutorial to install the latest version of Certbot and a free SSL certificate on a Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official Certbot website.


r00t
