Setting Up TLS/SSL on a Debian VPS

I am making this page because this process was fucking insane and took me like 2 weeks to figure out.
I wanted to run a VPS to host a website and thought it would be easy. It's not lol.

SO... assuming you have just set up a new Debian VPS with apache2
and have figured out your DNS to point a domain to your server....

Turn apache2 off while you do this stuff: the --standalone issue commands below need to listen on port 80 themselves.

install the following:
sudo apt install -y zip unzip curl wget git socat

Now install YOU MUST MODIFY THIS to include your account email!!!
sudo mkdir /etc/letsencrypt
git clone
sudo ./ --install --home /etc/letsencrypt --accountemail
cd ~
source ~/.bashrc

Now you can get certificates, RSA and ECDSA (REPLACE EXAMPLE.COM WITH YOUR DOMAIN):
sudo /etc/letsencrypt/ --issue --standalone -d --ocsp-must-staple --keylength 2048
sudo /etc/letsencrypt/ --issue --standalone -d --ocsp-must-staple --keylength ec-256

after you have your keys, make directories to put them in:
sudo mkdir -p /etc/letsencrypt/
sudo mkdir -p /etc/letsencrypt/example.com_ecc

and then install and copy them
again in these commands replace EXAMPLE.COM with your domain!! :
sudo /etc/letsencrypt/ --install-cert -d --cert-file /etc/letsencrypt/ --key-file /etc/letsencrypt/ --fullchain-file /etc/letsencrypt/ 
sudo /etc/letsencrypt/ --install-cert -d --ecc --cert-file /etc/letsencrypt/example.com_ecc/cert.pem --key-file /etc/letsencrypt/example.com_ecc/private.key --fullchain-file /etc/letsencrypt/example.com_ecc/fullchain.pem

Now, enable ssl in apache and restart it
sudo a2enmod ssl
sudo systemctl restart apache2

use nano to make a config file:
sudo nano /etc/apache2/sites-available/

with nano open, copy and paste this (do not use Ctrl+V or you will have a bad time :)
<IfModule mod_ssl.c>
  <VirtualHost *:443>

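    SSLEngine on
    # "all" minus SSLv2/SSLv3 still permits TLS 1.0 and 1.1;
    # narrow this to TLS 1.2 and 1.3 if you have no legacy clients
    SSLProtocol all -SSLv2 -SSLv3
    # Staple OCSP responses (needed because the certificates above
    # were issued with --ocsp-must-staple)
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off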

    # RSA
    SSLCertificateFile "/etc/letsencrypt/"
    SSLCertificateKeyFile "/etc/letsencrypt/"
    # ECC
    SSLCertificateFile "/etc/letsencrypt/example.com_ecc/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/example.com_ecc/private.key"

  </VirtualHost>

  # The stapling cache is server-wide, so it sits outside the VirtualHost
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

save this and exit (in nano Ctrl+X, Y, Enter ;)

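NOTE: The certificates above were issued with --ocsp-must-staple, so the server has to staple an OCSP response. The SSL stapling settings solve the problem in Firefox where you get the error: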
this caused me so much fucking headache.
now you can activate your new config and then check it:
sudo a2ensite
sudo apachectl configtest

Configtest should return Syntax OK!

Now just reload apache:
sudo systemctl reload apache2
And you should be good to go!
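
To confirm the server really is stapling (the certificates were issued with --ocsp-must-staple, so a missing staple is what breaks Firefox), here is an added example that is not part of the original page: a shell function that classifies the output of openssl s_client -status. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling result in `openssl s_client -status` output.
# Live use (replace example.com with your domain):
#   openssl s_client -connect example.com:443 -servername example.com -status \
#     </dev/null 2>/dev/null | stapling_status

# Reads s_client output on stdin and prints one of:
#   stapled-<cert status>  (e.g. stapled-good, stapled-revoked)
#   responder-<status>     (a staple was sent but the OCSP response is not "successful")
#   no-staple              (server sent no OCSP response at all)
#   unknown                (no stapling information found in the input)
stapling_status() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { resp = $4 }
        /Cert Status:/                    { cert = $3 }
        END {
            if (none)                                    print "no-staple"
            else if (resp == "successful" && cert != "") print "stapled-" cert
            else if (resp != "")                         print "responder-" resp
            else                                         print "unknown"
        }'
}

# Exit 0 only when a client that enforces must-staple would accept the handshake:
# a staple is present and it reports the certificate as good.
staple_ok() { [ "$(stapling_status)" = "stapled-good" ]; }

# Constructed sample outputs (trimmed), not captured from a real server.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT'
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
---'

printf '%s\n' "$SAMPLE_STAPLED" | stapling_status
printf '%s\n' "$SAMPLE_MISSING" | stapling_status
```

A no-staple result right after a restart can be a cold cache, so re-run the check after a few requests before changing the config.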

Thanks for coming to my ted talk!