Home | Miscellaneous | Raspberry Pi | Add HTTPS
Sonora Computer Repair Logo
Sonora Computer Repair
A subsidiary of Charles Varvayanis
Since 1990
(209) 586-3782
charles@varvayanis.com
Sonora Computer Repair Logo

Add HTTPS to Raspberry Pi Apache Web Server

Step-by-step instructions for adding HTTPS to a Raspberry Pi Apache Web Server using Certbot and Let's Encrypt Certificates.

These procedures apply to Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit) running an Apache Web Server with a configured and enabled Web Site(s).


General Notes


1. General:  The procedures below are optimized for adding HTTPS to an Apache Web Server hosting one or more configured and enabled websites on a Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit).  The website html or other code does not need to be present during HTTPS setup.  Certbot, configures existing, configured and enabled websites for HTTPS access, downloads and installs certificates from Let's Encrypt and sets up automatic certificate renewal, fully automating the installation and ongoing certificate renewal processes.

2. Prerequisites:  The Web Server needs to be publically accessible from the Internet and the Internet connection the Raspberry Pi is connected to must have a Public IP address.  Note:  Certain ISPs such as Starlink do not and cannot supply Public IP Addresses on their standard Internet circuits, but can on their business Internet circuits.  If a router is between the Internet and Raspberry Pi, it must be configured to pass HTTP and HTTPS traffic from the public IP Address to the Raspberry Pi's local IP Address.  A Domain Name must be owned by the end user and a Public DNS Server must be configured to have an "A" record or "CNAME" record pointing to the Public IP Address of the Raspberry Pi Web Server.  Domain Names and Public DNS services can be purchased from services such as GoDaddy and alike.  If the Public IP address is not Static, but is Dynamic, a DDNS service such as noip.com or alike can be employed and a CNAME record set up in the Public DNS Server using the hostname setup in the DDNS service.  Alternatively, the hostname name setup in a DDNS server can be used directly as the URL for the website, forgoing the need for a Domain Name and Public DNS Server.

3. Internet access during setup:  Many of the steps below assume and require the target Raspberry Pi is connected to a network with access to the Internet.



Notice about updates, upgrades and installations failing due to repository or network congestion or outages


Occasionally updates, upgrades and installations fail due to repository or network congestion or outages.  Sometimes there is an appropriate message saying as such, sometimes a missing file is reported, and sometimes there is just a failure message without an explanation.  When this occurs, simply run the command again.  If that does not solve the issues immediately, try again later.



Raspberry Pi OS Documentation

https://www.raspberrypi.com/documentation/computers/os.html



Connect to the target Raspberry Pi


Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect

  - or -

Via a Display, Keyboard and Mouse, then open a Terminal window.


  - or -

Via SSH


Determine the target Raspberry Pi IP Address:


Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect
sudo hostname -I
  - or -

Connect directly to the target Raspberry Pi via a Display, Keyboard and Mouse, then open a Terminal window.

sudo hostname -I
  - or -

Use an IP Scanner tool such as Advanced IP Scanner on a PC or alike to locate the DHCP IP Address assigned to the Raspberry Pi.

https://www.advanced-ip-scanner.com
  - or -

Login to your router and examine the DHCP assignments, sometimes labeled "Connected Devices" or similar.



Use SSH via a tool such as PuTTY to connect to the Raspberry Pi.

https://putty.software/
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
https://www.putty.org
Connect using the IP address determined above or URL of the target Raspberry Pi.
Note:  The first time a connection is made, a security warning may be displayed | Yes



Setup HTTPS using Let's Encrypt Certificates and Certbot


Notes:


Let's Encrypt home page:  https://letsencrypt.org

certbot instructions:  https://certbot.eff.org/instructions?ws=apache&os=snap

Installing snap on Raspberry Pi OS:  https://snapcraft.io/docs/installing-snap-on-raspbian

snap manual page:  https://manpages.debian.org/trixie/snapd/snap.8.en.html

Port used by HTTPS:  433, Type TCP


Update Raspberry Pi OS and Components


Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y


Install the snap Package Manager


Download and install snapd

sudo apt install snapd -y

Reboot the Pi to get snap working

sudo reboot

Download and install the core snap in order to get the latest snapd

sudo snap install core
Note:  Some snaps require new snapd features and will show an error such as "snap 'lxd' assumes unsupported features" during install.  You can solve this issue by making sure the core snap is installed (sudo snap install core) and it’s the latest version (sudo snap refresh core).


Install Certbot - Certificate Fetcher for Let’s Encrypt


Remove certbot-auto and any Certbot OS packages from the apt package manager

sudo apt-get remove certbot

Install Certbot

sudo snap install --classic certbot

Prepare the Certbot command

sudo ln -s /snap/bin/certbot /usr/bin/certbot
Note:  Some snaps require new snapd features and will show an error such as "snap 'lxd' assumes unsupported features" during install.  You can solve this issue by making sure the core snap is installed (sudo snap install core) and it’s the latest version (sudo snap refresh core).


Configure Certbot, get certificats from Let’s Encrypt and automatically configure apache for HTTPS

Note:  For this command to succeed, the Domain Name must already be setup in a public DNS server with either A or CNAME record pointing to the public IP Address of the target Raspberry Pi Web Server.  Alternatively, a host name setup in a DDNS server will work as well  (See "General Notes" 2. near the top of this document).

Get and install certificates, edit apache configuration files automatically, and turn on HTTPS access

sudo certbot --apache

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): | <YourEMailAddress> - Example:  example@gmail.com

Terms of Service... Do you agree? | y

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot | y

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: exampledomain1.com
2: www.exampledomain1.com
3: exampledomain2.com
4: www.exampledomain2.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): | [Enter]


Test Certbot


Test automatic renewal

sudo certbot renew --dry-run



Remove packages that were automatically installed and are no longer required

Occasionally excess update, upgrade and installation packages install automatically, but are no longer required.  These can be removed automatically.

Automatically detect and remove packages no longer required

sudo apt autoremove -y



Sonora Computer Repair
 Sonora, CA  95370
e-mail:  charles@varvayanis.com
Phone:  (209) 586-3782
Fax:  (209) 586-3761
Business Card (PDF 153 KB) PDF
www.sonoracomputer.com
www.sonoracomputer.com
© 2026 Charles Varvayanis.  All rights reserved.