How to Upgrade Apache on Debian 13, 12 and 11

Debian’s default APT sources already provide Apache 2.4.67 for Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye), so most servers do not need a third-party repository for a current Apache point release. For most systems, upgrading Apache on Debian means refreshing package metadata and upgrading the existing apache2 package from the source you already trust.

The Sury Apache repository is still useful when you intentionally standardize on Ondrej Sury’s package stream, but it should be checked before installation. At the moment, Debian 13’s default Apache revision is newer than the Sury build, while Debian 12 and Debian 11 can select the Sury package after the repository is added.

Upgrade Apache on Debian

Start by checking which package source APT currently prefers. That one check prevents an unnecessary repository change and answers the common Debian version question before any package is modified.

Check Current Apache Versions on Debian

As of May 2026, default Debian sources expose these Apache candidates for currently supported Debian releases:

Debian Release	Default Apache Candidate	Source Note
Debian 13 (Trixie)	2.4.67-1~deb13u2	Available from the default Trixie and Trixie security sources
Debian 12 (Bookworm)	2.4.67-1~deb12u2	Available from the default Bookworm and Bookworm security sources
Debian 11 (Bullseye)	2.4.67-1~deb11u1	Delivered through bullseye-security; bullseye/main can still list the older 2.4.62 package

Check the package policy on your server:

apt-cache policy apache2

On Debian 11, seeing the newer package from bullseye-security and the older package from bullseye/main is normal:

apache2:
  Installed: (none)
  Candidate: 2.4.67-1~deb11u1
  Version table:
     2.4.67-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     2.4.62-1~deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages

Refresh APT Before You Upgrade Apache on Debian

Refresh package metadata before you upgrade Apache or compare repository candidates.

sudo apt update

These commands use sudo for package and service changes that need root privileges. If your account is not ready for sudo yet, add the account with add a user to sudoers on Debian before continuing.

If apt-cache policy apache2 shows Installed: (none), Apache is not installed yet. Use install Apache on Debian first, then return here if you still need to change the package source.

Upgrade Apache from Debian’s Default Repositories

This is the right path for most Debian servers because it keeps Apache on Debian’s package stream and receives future updates through the normal system upgrade workflow.

sudo apt install --only-upgrade apache2

The --only-upgrade flag updates Apache only when the package is already installed, so the command does not turn a missing Apache package into a fresh install.

Verify the active package source after the upgrade:

apt-cache policy apache2

apache2:
  Installed: 2.4.67-1~deb13u2
  Candidate: 2.4.67-1~deb13u2
  Version table:
 *** 2.4.67-1~deb13u2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
        100 /var/lib/dpkg/status

The example output is from Debian 13. Debian 12 uses the matching deb12u2 suffix, and Debian 11 currently uses deb11u1 from bullseye-security.

Decide Whether Sury Should Own Apache Updates

Use the Sury Apache repository only when you want that package stream to own Apache updates. Adding the repository does not always mean APT will choose it, because APT still compares package versions.

Source	Update Behavior	Best For	Trade-off
Debian repositories	Updates through Debian’s default APT sources	Most production servers that want Debian-maintained package revisions	Follows Debian’s packaging cadence rather than a third-party package stream
Sury Apache repository	APT-managed updates after adding the Sury source	Servers that intentionally standardize on Sury Apache packages	Adds third-party source, keyring, candidate checks, and cleanup ownership

If an older server already uses extrepo for sury_apache2, do not add the manual DEB822 source beside it. Keep one Sury source path, or manage the existing source with manage third-party APT repos on Debian with extrepo.

Add the Sury Apache Repository with DEB822

Install the small set of tools needed to download the Sury keyring package and use HTTPS sources:

sudo apt install ca-certificates curl

Download and install the Sury keyring package. This uses the same repository and signing material as Sury’s published setup script, but stores the Apache source as a DEB822 file so it is easier to audit and remove later.

curl -fsSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
sudo apt install /tmp/debsuryorg-archive-keyring.deb

Create the Apache source file with your Debian codename and architecture from the local system. Debian minimal systems expose the codename through /etc/os-release, so this block does not require lsb_release. For Debian 13, 12, and 11, the Sury Apache repository currently publishes amd64, arm64, and armhf package indexes.

. /etc/os-release
codename="${VERSION_CODENAME:-}"
arch="$(dpkg --print-architecture)"

case "${codename}:${arch}" in
    trixie:amd64|trixie:arm64|trixie:armhf|bookworm:amd64|bookworm:arm64|bookworm:armhf|bullseye:amd64|bullseye:arm64|bullseye:armhf)
        printf '%s\n' \
        'Types: deb' \
        'URIs: https://packages.sury.org/apache2/' \
        "Suites: ${codename}" \
        'Components: main' \
        "Architectures: ${arch}" \
        'Signed-By: /usr/share/keyrings/debsuryorg-archive-keyring.gpg' | sudo tee /etc/apt/sources.list.d/apache2-sury.sources > /dev/null
        ;;
    *)
        printf 'This Sury Apache source is validated here for Debian 13, 12, or 11 on amd64, arm64, or armhf. Stay on Debian packages instead.\n' >&2
        ;;
esac

If the block prints an unsupported-architecture message, stop the Sury path and stay on Debian’s packages. Otherwise, refresh APT after adding the source:

sudo apt update

Check the Sury Apache Candidate Before Installing

Check the candidate before you install anything from the added repository:

apt-cache policy apache2

On Debian 13, Debian currently remains the candidate because its revision is newer than the Sury build:

apache2:
  Installed: (none)
  Candidate: 2.4.67-1~deb13u2
  Version table:
     2.4.67-1~deb13u2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
     2.4.67-1~deb13u1+0~20260505.21+debian13~1.gbp627327 500
        500 https://packages.sury.org/apache2 trixie/main amd64 Packages

On Debian 12 and Debian 11, the current Sury package revision sorts higher than the default Debian package revision. If apt-cache policy shows packages.sury.org/apache2 as the candidate and you want that source to own Apache, install Apache normally:

sudo apt install apache2

If Debian remains the candidate, stay on Debian’s package stream. Forcing a lower third-party revision is not an upgrade.

Verify Apache on Debian

After the package update, verify the Apache version, service state, and configuration parser before you edit virtual hosts or modules.

Check the Apache Version on Debian

Check the installed Apache version first:

sudo apache2 -v

Server version: Apache/2.4.67 (Debian)

The build timestamp changes by package source and rebuild date, so the version line is the stable part to compare.

Check Apache Service Status on Debian

Confirm that the Apache service is running:

systemctl is-active apache2
systemctl is-enabled apache2

active
enabled

If Apache is inactive, check the status and logs before restarting so the error message points to the failed layer:

systemctl status apache2 --no-pager
sudo journalctl -xeu apache2

Test the Apache Configuration on Debian

Run Apache’s configuration test before you reload the service or change virtual host files:

sudo apachectl configtest

Syntax OK

A fresh install can also print the AH00558 fully qualified domain name warning before Syntax OK. That warning is common on new Debian systems and does not mean the configuration failed.

Configure Firewall Access for Apache on Debian

Only change UFW rules if UFW already manages this server’s firewall or you are prepared to configure it completely. Firewall activation over SSH needs a tested access rule first, so use the separate install UFW on Debian walkthrough for initial firewall setup.

Check Whether UFW Is Active on Debian

Check the firewall state before adding Apache rules:

sudo ufw status verbose

Continue only when the output begins with Status: active. If the status is inactive, do not enable UFW from this Apache upgrade flow unless SSH and existing service access are already allowed.

Check Apache UFW Profiles on Debian

Debian 13’s Apache package registers UFW application profiles, while current Debian 12 and Debian 11 packages do not. Check for profiles before you decide which command style to use:

sudo ufw app list | grep Apache

  Apache
  Apache Full
  Apache Secure

Allow Apache Traffic Through UFW on Debian

Direct port rules work across Debian releases. Allow HTTP traffic first:

sudo ufw allow 80/tcp

Allow HTTPS traffic when the site already has TLS or will use a certificate workflow that needs port 443 open:

sudo ufw allow 443/tcp

If sudo ufw app list | grep Apache printed the Apache profiles, you can use the combined profile instead of separate port rules:

sudo ufw allow 'Apache Full'

Check the active rules afterward:

sudo ufw status numbered

Confirm that the active rules include the port or Apache profile you allowed, then return to the Apache upgrade checks.

Manage Apache Updates on Debian

Apache updates continue through APT after you choose a package source. Use the normal package refresh and upgrade command for routine Apache updates:

sudo apt update
sudo apt install --only-upgrade apache2

If apt-cache policy apache2 points to http://deb.debian.org/debian or security.debian.org, the update comes from Debian. If it points to https://packages.sury.org/apache2, the update comes from Sury.

Troubleshoot Apache on Debian

Most post-upgrade problems on Debian come from duplicate Sury source files, a port conflict on port 80, or a module that is no longer enabled after a package-source change.

Fix Sury Source or Signed-By Conflicts on Debian

A Signed-By conflict appears when two APT source files point at the same Sury Apache repository with different key paths. The error usually appears during a package metadata refresh:

sudo apt update

Error: Conflicting values set for option Signed-By regarding source https://packages.sury.org/apache2/ trixie: /usr/share/keyrings/debsuryorg-archive-keyring.gpg != /var/lib/extrepo/keys/sury_apache2.asc
Error: The list of sources could not be read.

Find the duplicate Apache source entries first:

grep -R "packages.sury.org/apache2" /etc/apt/sources.list /etc/apt/sources.list.d/ 2>/dev/null

If you want to keep the manual DEB822 source, remove the extrepo-created source and key:

sudo rm -f /etc/apt/sources.list.d/extrepo_sury_apache2.sources
sudo rm -f /var/lib/extrepo/keys/sury_apache2.asc
sudo apt update

If you want to keep the extrepo source instead, remove the manual source file. Purge the Sury keyring package only when no other Sury repository on the server uses it.

sudo rm -f /etc/apt/sources.list.d/apache2-sury.sources
sudo apt purge debsuryorg-archive-keyring
sudo apt update

sudo extrepo disable sury_apache2 only marks the extrepo source disabled. It does not remove the source file or key from disk, so remove the duplicate files when APT reports a conflict.

Fix Apache Startup Failures on Debian

Port conflicts are a common startup failure on small Debian servers that already run Nginx or another web service.

sudo journalctl -xeu apache2

(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80

Install lsof if the command is not already available:

sudo apt install lsof

Check which process already owns port 80:

sudo lsof -i :80

Use the COMMAND and NAME columns to identify the listener, then stop or reconfigure that service. If the conflicting service is Nginx, the repair looks like this:

sudo systemctl stop nginx
sudo systemctl start apache2

Re-run systemctl is-active apache2 or systemctl status apache2 --no-pager until Apache returns to an active state.

Re-enable Missing Apache Modules on Debian

If a virtual host depends on mod_rewrite or another optional module, confirm it is still loaded after the package switch:

sudo apache2ctl -M | grep rewrite_module

If the command prints nothing, enable the module:

sudo a2enmod rewrite

Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2

Restart Apache to load the module:

sudo systemctl restart apache2

Verify that the module is active after the restart:

sudo apache2ctl -M | grep rewrite_module

 rewrite_module (shared)

Remove the Sury Repository and Revert Apache on Debian

If you want to leave the Sury package stream, remove Apache packages first, clean up whichever Sury source method the server used, then reinstall Apache from Debian’s repositories.

Remove Apache Packages on Debian

Purging Apache removes the package and its /etc/apache2 configuration, but it does not delete site content you created under /var/www.

Review APT’s removal list before confirming this step. On Debian desktop systems, Apache removal can also affect dependent packages such as gnome-user-share, libapache2-mod-dnssd, or desktop meta packages that depend on them.

sudo apt-get -s remove --purge apache2 apache2-bin apache2-data apache2-utils

If the simulated removal list matches what you expect, stop Apache and purge the packages:

sudo systemctl stop apache2
sudo apt remove --purge apache2 apache2-bin apache2-data apache2-utils

Preview autoremovable packages before you remove anything else:

apt-get -s autoremove

Remove the Manual Sury Source on Debian

If you used the manual DEB822 source and Apache was the only Sury repository on the server, remove the source file and purge the Sury keyring package:

sudo rm -f /etc/apt/sources.list.d/apache2-sury.sources
sudo apt purge debsuryorg-archive-keyring

If another Sury repository remains on the system, remove only the Apache source file and keep the shared keyring package.

Remove the extrepo Sury Source on Debian

If the server used extrepo, disable the entry and remove the leftover source file and key:

sudo extrepo disable sury_apache2
sudo rm -f /etc/apt/sources.list.d/extrepo_sury_apache2.sources
sudo rm -f /var/lib/extrepo/keys/sury_apache2.asc

Reinstall Apache from Debian’s Repositories

Refresh APT and confirm that only Debian’s package remains before you reinstall Apache:

sudo apt update
apt-cache policy apache2

apache2:
  Installed: (none)
  Candidate: 2.4.67-1~deb13u2
  Version table:
     2.4.67-1~deb13u2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages

Reinstall Apache from Debian’s repositories:

sudo apt install apache2

Verify that Apache is back on Debian’s package stream:

apt-cache policy apache2

apache2:
  Installed: 2.4.67-1~deb13u2
  Candidate: 2.4.67-1~deb13u2
  Version table:
 *** 2.4.67-1~deb13u2 500
        500 http://deb.debian.org/debian trixie/main amd64 Packages
        500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
        100 /var/lib/dpkg/status

Conclusion

Apache is current on Debian with its package source verified, whether the server stays on Debian’s repositories or intentionally moves to Sury. A natural next step is to secure Apache with Let’s Encrypt on Debian, add request filtering with ModSecurity with Apache on Debian, or deploy a site with WordPress with Apache on Debian.