How to Install Drupal 8 with LetsEncrypt SSL on Debian 9

Drupal8 Debian9

Drupal is an open source content management software written in PHP and distributed under GPL.  It has great standard features, like easy content authoring, reliable performance, and excellent security. The flexibility and modularity are one of its core principles which set it apart from rest. It has several tools which help you to build a versatile and structured content that dynamic web experiences need.

Drupal 8 is meant to be the biggest update in Drupal's history. Creating content is much easier in that. Every built-in theme is responsively designed. It's available in 100 languages, and its integration tools make it a great hub for complex ecosystems.

In this article, I'll demonstrate how to install this Drupal 8 with Letsencrypt SSL  on our latest Debian 9 servers. Let's walk through the installation steps one by one.


  • A fully functional Debian server
  • LAMP  (Apache, MariaDB, and PHP) Setup

1) Get Started

It's always recommended to update your server packages to the stable ones prior to any installation. We can do this by just running the update command as below:

#apt-get update -y

Furthermore, we can add some commonly used tools which we will assist  through our installation.

#apt-get install wget git unzip nano -y

2) Install Apache, MariaDB, and PHP

Before we start with the Drupal installation, you will require a running webserver and a database server. In this article we will work with Apache2, PHP7 and MariaDB, you can install them easily with the help of our package manager tool called apt.

First, start with installing Apache web server with the following command:

# apt-get install apache2 -y

After the installation, you need to start Apache service and enable it to start automatically on the next system boot. To do so, run the following command:

# systemctl start apache2
# systemctl enable apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apache2
root@debian:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2017-07-19 13:12:00 UTC; 36s ago
Main PID: 12639 (apache2)
CGroup: /system.slice/apache2.service
├─12639 /usr/sbin/apache2 -k start
├─12641 /usr/sbin/apache2 -k start
└─12642 /usr/sbin/apache2 -k start

Secondly, we need to install  PHP with required modules by running the following command:

# apt-get install php7.0 libapache2-mod-php7.0 php7.0-cli php7.0-mcrypt php7.0-intl php7.0-mysql php7.0-curl php7.0-gd php7.0-soap php7.0-xml php7.0-zip -y

Next, we  need to make modify some PHP variables in our configuration file /etc/php/7.0/cli/php.ini  depending on our Server resources as below:

memory_limit = 512M
date.timezone = UTC
upload_max_filesize = 10M
post_max_size = 10M

After making these changes don't forget to restart the Apache server.

Now we need to install our Database server. You can install it by running the following command:

# apt-get install mariadb-server -y

After the installation, you need to start MariaDB service and enable it to start automatically on the next system boot. To do so, run the following command:

# systemctl start mysql
# systemctl enable mysql
Synchronizing state of mysql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable mysql
root@debian:~# systemctl status mysql
● mariadb.service - MariaDB database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2017-07-19 13:26:43 UTC; 43s ago
Main PID: 26526 (mysqld)
Status: "Taking your SQL requests now..."
CGroup: /system.slice/mariadb.service
└─26526 /usr/sbin/mysqld

Next, you will need to secure your database server. You can run the following command to secure MariaDB database and set root password:

# mysql_secure_installation


In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:docker123
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

3) Create Drupal Database

We’ll need to create a database and user for our Drupal installation, to do so, run the following command:

.# mysql -u root -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.23-MariaDB-9+deb9u1 Debian 9.0

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE drupal_db;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES on drupal_db.* to 'drupaluser'@'localhost' identified by 'drupal123';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit

We've connected to the MySQL shell and created a database named "drupal_db" with a user "drupaluser" for the Drupal installation.

4)  Download and Install Drupal 8.3.5

You can download and install Drupal from its official Website. I've downloaded the latest available Drupal Software from their Website.

# wget
 Afterward, extract the downloaded zip file and move the extracted Drupal directory to the Drupal root directory (/var/www/html/drupal/) which we have meant for the Drupal installation.

# unzip
# mv drupal-8.3.5 /var/www/html/drupal
# chmod -R 777 /var/www/html/drupal

5) Create SSL for your Drupal domain using Letsencrypt

I'm planning to setup my Drupal on the domain Hence, I need to setup SSL for this domain to secure my Drupal installation. Two of these packages needs to be installed prior to the Let's Encrypt installation. Bc is an “arbitrary precision language calculator. It is used for the auto-renewal script in the Let's Encrypt software. You can install these packages with this commands below:

#apt-get install git bc -y

Once it is done, we can easily download let's encrypt by cloning the repository from GitHub.

# git clone

Now, we can move to our letsencrypt installation folder and run this command to issue our SSL certificate.

# ./letsencrypt-auto certonly --standalone --email --agree-tos -d
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: yes
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification...
Cleaning up challenges

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ Your cert will
expire on 2017-10-18. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:
Donating to EFF:

6) Creating the Virtual host for your Drupal domain

First of all, you will need to create an Apache virtual host file for drupal. To do so, create a new drupal.conf file inside /etc/apache2/sites-available/ directory copying the default Vhost format from there:

# cp -rp 000-default.conf drupal.conf

And after that, we can modify the Virtual host as per our domain name and document root.

:/etc/apache2/sites-available# cat drupal.conf 
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/drupal/

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Once it's done, we can enable the virtual host and enable the re-write module with the following command:

# a2ensite drupal
Enabling site drupal.
To activate the new configuration, you need to run:
systemctl reload apache2

# a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
systemctl restart apache2
# systemctl restart apache2

We just need to make sure to restart the Apache service after these changes.

7) Securing the Drupal installation with Letsencrypt SSL

Inorder to secure our Drupal installation, we need to enable the SSL virtual host for our domain. You can do this by copying the default SSL virtual host in the /etc/apache2/sites-available/ folder to drupal-ssl.conf and modifying it with our Letsencrypt SSL details.

# cp -rp default-ssl.conf drupal-ssl.conf

And modify these sections to enable SSL for our Drupal domain.

# cat drupal-ssl.conf 
<IfModule mod_ssl.c>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/html/drupal/

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars


After modifying the Virtual host, we need to enable SSL and restart Apache.

# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2

#systemctl restart apache2

8) Access Drupal Web Interface

We've installed and configured Drupal domain now. Next, we need to complete the Drupal installation accessing via the web browser. You can access your Drupal interface on the URL >> You should see the first page to choose the preferred language.

I choose the English language and click on the Save and Continue button, This will take you to the next page:

Select your preferred Installation Profile and click on the Save and Continue button, then verify all the requirements and click on the Save and Continue button. You should see the following image:

Now you can add the database details configured for your Drupal domain and Click Save and Continue to proceed with the installation.

Next, you can configure your Drupal domain page, provide your site name, admin username and password then Click on the Save and Continue button to start installing Drupal. Once Drupal is installed, you should see the Drupal dashboard in the following image:

That's all! you have installed Drupal Successfully on your Debian 9 server. Now you can go ahead and configure Drupal as per your requirements.

For further documentation, you may visit the official docs that are provided by the Drupal project at. I hope this article is useful for you. Please post your valuable suggestions and comments on this.

Leave a Comment