Debian is already shipping Apache 2.4.66 across Debian 13, 12, and 11 through the default APT sources, so most servers do not need a third-party repository just to stay current. The reason to upgrade Apache on Debian with the Sury package stream is to move off Debian’s package channel when you want Ondrej Sury’s Apache builds, or when you already standardize on Sury packages elsewhere on the same host.
The comparison below shows when it makes more sense to stay on Debian’s package stream and when it is worth switching to a Sury-based path. From there, you can verify the active package source and roll back cleanly if you change your mind.
Upgrade Apache on Debian
As of March 2026, Debian 13, 12, and 11 all ship Apache 2.4.66 through the default APT sources. Today the main difference is package origin and update cadence, not the Apache 2.4.x number itself, so the better method depends on whether you want to stay on Debian’s package stream or move to the Sury builds.
| Method | Channel | Version | Updates | Best For |
|---|---|---|---|---|
| Debian repositories | Debian package index | Apache 2.4.66 | Debian package updates | Most servers that want the distro-supported package stream |
| extrepo | sury_apache2 | Apache 2.4.66 Sury build | APT after extrepo setup | Users who want the Sury channel with less manual repo work |
| Manual DEB822 source | Sury Apache repo | Apache 2.4.66 Sury build | APT after manual setup | Users who want direct control over the .sources file |
- Stay on Debian’s packages if Apache 2.4.66 already covers your workload and you only want the distro-managed update path.
- Use
extrepoif you want the Sury build stream with Debian-managed repository definitions. - Use the manual DEB822 method if you want the same Sury packages without installing
extrepo.
Use either the
extrepomethod or the manual DEB822 method, not both. APT treats them as duplicate sources with differentSigned-Bypaths and fails until one source is removed.
Refresh APT Before You Upgrade Apache on Debian
Refresh package metadata before you change Apache’s package source or update the installed package.
sudo apt updateThis guide uses
sudofor commands that need root privileges. If your account is not in the sudoers file yet, follow the guide to add a user to sudoers on Debian first.
If apt-cache policy apache2 shows Installed: (none), Apache is not on the system yet. Use install Apache on Debian first, then come back here if you still want to change the package source.
Upgrade Apache from Debian’s Default Repositories
This keeps Apache on Debian’s package stream and is the right choice when the distro package already meets your needs.
sudo apt install --only-upgrade apache2 -yThe --only-upgrade flag updates Apache without turning this into a fresh install on systems where the package is missing.
Verify that Apache is still coming from Debian’s repositories:
apt-cache policy apache2apache2:
Installed: 2.4.66-1~deb13u1
Candidate: 2.4.66-1~deb13u1
Version table:
*** 2.4.66-1~deb13u1 500
500 http://deb.debian.org/debian trixie/main amd64 Packages
100 /var/lib/dpkg/status
The example above uses Debian 13. Debian 12 and Debian 11 currently show the same Apache 2.4.66 series, but the package suffix changes to the matching release.
Upgrade Apache with extrepo on Debian
extrepo is the cleaner way to use the Sury Apache repository on Debian because it ships a maintained repository definition and keeps the source file under Debian’s normal extrepo layout.
sudo apt install extrepo -y
extrepo search apacheFound sury_apache2: --- source: Suites: trixie URIs: https://packages.sury.org/apache2
Enable the repository definition next:
sudo extrepo enable sury_apache2extrepo writes /etc/apt/sources.list.d/extrepo_sury_apache2.sources and stores the signing key under /var/lib/extrepo/keys/.
sudo apt updateGet:4 https://packages.sury.org/apache2 trixie InRelease [6,057 B] Get:5 https://packages.sury.org/apache2 trixie/main amd64 Packages [9,560 B] Reading package lists... Building dependency tree... Reading state information... All packages are up to date.
If you want to see what APT now exposes from the enabled repository before installing anything, search for the Apache packages next:
apt search apache2Sorting... Full Text Search... apache2/trixie 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7 amd64 Apache HTTP Server apache2-bin/trixie 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7 amd64 Apache HTTP Server (modules and other binary files)
Upgrade Apache to the Sury build:
sudo apt install apache2 -yIf Apache is already installed from Debian, APT upgrades it in place to the Sury package.
Verify that APT now prefers packages.sury.org/apache2:
apt-cache policy apache2apache2:
Installed: 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7
Candidate: 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7
Version table:
*** 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7 500
500 https://packages.sury.org/apache2 trixie/main amd64 Packages
100 /var/lib/dpkg/status
Debian 12 and Debian 11 use the same Sury repository path, but the package suffix changes to the matching release, for example
debian12ordebian11.
Upgrade Apache with a Manual DEB822 Source on Debian
Use the manual path if you want the same Sury packages without installing extrepo. Minimal Debian images also need lsb-release here because lsb_release is not present by default.
sudo apt install ca-certificates curl lsb-release -yca-certificates handles HTTPS trust, curl downloads the keyring package, and lsb-release gives the DEB822 file the right Debian codename automatically.
Download and install the Sury keyring package:
curl -fsSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
sudo dpkg -i /tmp/debsuryorg-archive-keyring.debThe package stores the signing key at /usr/share/keyrings/debsuryorg-archive-keyring.gpg, which keeps repository trust separate from your personal GnuPG keyring.
Create the DEB822 source file. The command uses sudo tee because a plain > redirect does not inherit sudo when you write into /etc/apt/sources.list.d/.
cat <<EOF | sudo tee /etc/apt/sources.list.d/apache2-sury.sources
Types: deb
URIs: https://packages.sury.org/apache2/
Suites: $(lsb_release -cs)
Components: main
Architectures: $(dpkg --print-architecture)
Signed-By: /usr/share/keyrings/debsuryorg-archive-keyring.gpg
EOFWhen you paste the block, lsb_release -cs inserts your Debian codename and dpkg --print-architecture inserts your CPU architecture automatically.
sudo apt updateGet:4 https://packages.sury.org/apache2 trixie InRelease [6,057 B] Get:5 https://packages.sury.org/apache2 trixie/main amd64 Packages [9,560 B] Reading package lists... Building dependency tree... Reading state information... All packages are up to date.
Upgrade Apache on the Sury package stream:
sudo apt install apache2 -yThe package source should match the extrepo method because both paths use the same repository:
apt-cache policy apache2apache2:
Installed: 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7
Candidate: 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7
Version table:
*** 2.4.66-1+0~20251205.20+debian13~1.gbp6076c7 500
500 https://packages.sury.org/apache2 trixie/main amd64 Packages
100 /var/lib/dpkg/status
Verify Apache on Debian
After the package update, verify the Apache version, service state, and configuration before you touch virtual hosts or modules.
Check the Apache Version on Debian
Check the installed Apache version first:
sudo apache2 -vServer version: Apache/2.4.66 (Debian)
The build timestamp changes with the package source, so the version line is the stable part to compare across Debian and Sury packages.
Check Apache Service Status on Debian
Confirm that Apache is running after the upgrade:
systemctl status apache2 --no-pager● apache2.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-03-10 12:49:23 AWST; 1s ago
Docs: https://httpd.apache.org/docs/2.4/
Main PID: 5185 (apache2)
If the service is not active, restart it with sudo systemctl restart apache2 and then re-run the status command.
Test the Apache Configuration on Debian
Run Apache’s configuration test before you start editing virtual hosts or modules:
sudo apachectl configtestSyntax OK
A fresh install can also print the AH00558 fully qualified domain name warning before Syntax OK. That warning is common on new Debian systems and does not mean the configuration failed.
Configure UFW for Apache on Debian
If UFW is enabled on the server, add the Apache profile after the package update so HTTP or HTTPS traffic is not blocked.
Install and Enable UFW for Apache on Debian
If you are connected over SSH, allow SSH before you enable UFW so you do not lock yourself out.
Install UFW if it is not already present, then allow SSH and enable the firewall:
sudo apt install ufw -y
sudo ufw allow ssh
sudo ufw --force enableFirewall is active and enabled on system startup
Check Apache UFW Profiles on Debian
Apache registers UFW application profiles during installation. Verify the profile names before you open the ports:
sudo ufw app list | grep ApacheApache Apache Full Apache Secure
Allow Apache Traffic Through UFW on Debian
Allow the profile that matches the server. Use Apache for HTTP-only sites:
sudo ufw allow ApacheIf HTTPS is already configured, allow the combined profile instead:
sudo ufw allow 'Apache Full'Check the active rules afterward:
sudo ufw status numberedStatus: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Apache ALLOW IN Anywhere
[ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 4] Apache (v6) ALLOW IN Anywhere (v6)
For a broader firewall walkthrough, see install UFW on Debian.
Manage Apache Updates on Debian
Apache updates continue through APT after you pick a package source. The same command works on Debian’s repositories and on the Sury package stream.
sudo apt update
sudo apt install --only-upgrade apache2 -yIf apt-cache policy apache2 points to http://deb.debian.org/debian, the update comes from Debian. If it points to https://packages.sury.org/apache2, the update comes from Sury.
Troubleshoot Apache on Debian
Most post-upgrade problems on Debian come from duplicate Sury source files, a port conflict on port 80, or a module that is no longer enabled on the new package set.
Fix the Sury Apache Signed-By Conflict on Debian
This error appears when the extrepo and manual DEB822 methods are both configured at the same time:
Error: Conflicting values set for option Signed-By regarding source https://packages.sury.org/apache2/ trixie: /usr/share/keyrings/debsuryorg-archive-keyring.gpg != /var/lib/extrepo/keys/sury_apache2.asc Error: The list of sources could not be read.
If you want to keep extrepo, remove the manual source file and keyring package:
sudo rm -f /etc/apt/sources.list.d/apache2-sury.sources
sudo apt remove -y debsuryorg-archive-keyring
sudo apt updateIf you want to keep the manual DEB822 source instead, remove the extrepo file and key directly:
sudo rm -f /etc/apt/sources.list.d/extrepo_sury_apache2.sources
sudo rm -f /var/lib/extrepo/keys/sury_apache2.asc
sudo apt updatesudo extrepo disable sury_apache2 only marks the source file disabled. It does not remove the source file or the key from disk, so use the cleanup commands above when you switch methods.
Fix Apache Startup Failures on Debian
Port conflicts are the most common startup failure on small Debian servers that already run Nginx or another web service.
sudo journalctl -xeu apache2(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Check which process already owns port 80:
sudo apt install lsof -y
sudo lsof -i :80COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 1234 root 6u IPv4 12345 0t0 TCP *:http (LISTEN)
Stop the conflicting service, then start Apache again:
sudo systemctl stop nginx
sudo systemctl start apache2Re-run systemctl status apache2 --no-pager until Apache returns to active (running).
Re-enable Missing Apache Modules on Debian
If a vhost depends on mod_rewrite or another optional module, confirm it is still loaded after the package switch:
sudo apache2ctl -M | grep rewrite_moduleIf the command prints nothing, enable the module and restart Apache:
sudo a2enmod rewrite
sudo systemctl restart apache2Enabling module rewrite. To activate the new configuration, you need to run: systemctl restart apache2
Verify that the module is active after the restart:
sudo apache2ctl -M | grep rewrite_modulerewrite_module (shared)
Remove the Sury Repository and Revert Apache on Debian
If you want to leave the Sury package stream, remove the Apache packages first, clean up whichever Sury source method you used, then reinstall Debian’s Apache package.
Remove Apache Packages on Debian
Purging Apache removes the package and its /etc/apache2 configuration, but it does not delete content you created under /var/www.
Review APT’s removal list before you confirm this step. On Debian desktop systems, Apache removal can also pull out dependent packages such as
gnome-user-share,libapache2-mod-dnssd, or desktop meta packages that depend on them.
sudo systemctl stop apache2sudo apt remove --purge -y apache2 apache2-bin apache2-data apache2-utils
sudo apt autoremove -yRemove the Manual Sury Source on Debian
If you used the manual DEB822 source, remove that file and the Sury keyring package:
sudo rm -f /etc/apt/sources.list.d/apache2-sury.sources
sudo apt remove -y debsuryorg-archive-keyringRemove the extrepo Sury Source on Debian
If you used extrepo, disable the repo and then remove the leftover source file and key.
sudo extrepo disable sury_apache2
sudo rm -f /etc/apt/sources.list.d/extrepo_sury_apache2.sources
sudo rm -f /var/lib/extrepo/keys/sury_apache2.ascReinstall Apache from Debian’s Repositories
Refresh APT and confirm that only Debian’s package remains before you reinstall Apache:
sudo apt update
apt-cache policy apache2apache2:
Installed: (none)
Candidate: 2.4.66-1~deb13u1
Version table:
2.4.66-1~deb13u1 500
500 http://deb.debian.org/debian trixie/main amd64 Packages
Reinstall Apache from Debian’s repositories:
sudo apt install -y apache2Verify that Apache is back on Debian’s package stream:
apt-cache policy apache2apache2:
Installed: 2.4.66-1~deb13u1
Candidate: 2.4.66-1~deb13u1
Version table:
*** 2.4.66-1~deb13u1 500
500 http://deb.debian.org/debian trixie/main amd64 Packages
100 /var/lib/dpkg/status
Upgrade Apache on Debian FAQ
Debian 11 keeps the older base package in bullseye/main and delivers the newer patched Apache build through the default bullseye-security source. That is why apt-cache policy apache2 can show 2.4.62 from bullseye/main and 2.4.66 from bullseye-security at the same time.
Yes. If Apache already comes from Debian’s repositories, run sudo apt update followed by sudo apt install --only-upgrade apache2 -y. That keeps Apache on Debian’s package stream and is the right path for most servers.
Use extrepo for most Debian systems because it manages the repository definition for you. Use the manual DEB822 method when you want direct control over the .sources file. Do not configure both methods at the same time.
APT reports that error when the extrepo source file and the manual DEB822 source file both point to https://packages.sury.org/apache2/ with different key paths. Remove the method you are not using, then run sudo apt update again.
Conclusion
Apache is updated on Debian, whether you stayed on Debian’s package stream or moved to the Sury build. Next, secure Apache with Let’s Encrypt on Debian, add request filtering with install ModSecurity with Apache on Debian, or build out the stack with install WordPress with Apache on Debian.
This doesn’t work. The 2nd command:
curl -sSL https://packages.sury.org/apache2/README.txt | bash -x
results in:
dpkg: warning: ‘ldconfig’ not found in PATH or not executable
dpkg: warning: ‘start-stop-daemon’ not found in PATH or not executable
dpkg: error: 2 expected programs not found in PATH or not executable
Thanks for reporting this, brian. You encountered a known issue with the old installation method. The previous guide piped the Sury README.txt script through bash, which ran into PATH limitations in certain environments where
/sbinwas not included, preventingldconfigandstart-stop-daemonfrom being found.The article has been completely rewritten since your July comment. Instead of piping scripts, the guide now uses explicit commands to add the Sury repository using the modern DEB822 format:
This approach avoids the PATH issues you encountered and provides better control over what gets installed. Thanks for catching this. The feedback helped drive the rewrite to safer, more explicit installation steps.