How to Upgrade Apache on Ubuntu 26.04, 24.04 and 22.04

Ubuntu’s Apache packages are stable, but production sites sometimes need a newer upstream point release before it reaches the Ubuntu archive. To upgrade Apache on Ubuntu without building from source, use Ondrej Sury’s third-party APT repository, then verify the package source, service state, and rollback path before putting the server back into traffic.

Use packages.sury.org for this Apache upgrade, not the old Launchpad ppa:ondrej/apache2 entry that still shows up in search results. Sury has Apache 2.4.67 builds for Ubuntu 26.04, 24.04, and 22.04, so keep one Apache source instead of mixing old and new repository entries.

Upgrade Apache on Ubuntu

Start by refreshing package metadata from the currently enabled sources. If Apache is not installed yet and you do not specifically need Sury’s newer branch, use Install Apache on Ubuntu for the standard Ubuntu archive path instead.

sudo apt update

These package-management commands need sudo privileges. If your account is not allowed to use sudo yet, add the account with Add a New User to Sudoers on Ubuntu before continuing.

Check the Current Apache Version and Source

Check the installed Apache version first. The command prints the runtime version, not the newest package available from APT.

apache2 -v

Server version: Apache/2.4.58 (Ubuntu)
Server built:   2026-05-05T13:22:45

Then check which repository owns the selected apache2 candidate.

apt-cache policy apache2

apache2:
  Installed: 2.4.58-1ubuntu8.12
  Candidate: 2.4.58-1ubuntu8.12
  Version table:
 *** 2.4.58-1ubuntu8.12 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.58-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

On a fresh host where Apache is not installed, apache2 -v returns command not found and apt-cache policy apache2 shows Installed: (none). That state is normal before installing or upgrading the package.

Confirm the Ubuntu Codename and Architecture

The Sury source file uses Ubuntu’s codename in the Suites: field. Confirm the codename and CPU architecture before writing the repository file.

grep '^VERSION_CODENAME=' /etc/os-release
dpkg --print-architecture

VERSION_CODENAME=resolute
amd64

The Sury Apache package indexes currently provide the core apache2 package for Ubuntu 26.04 on amd64 and arm64, plus Ubuntu 24.04 and 22.04 on amd64, arm64, and armhf. The guarded source block stops before writing an APT source on unsupported release and architecture combinations.

Remove an Older Ondrej Launchpad PPA Entry

Older instructions used ppa:ondrej/apache2. If that Launchpad PPA is still configured, remove it before adding the packages.sury.org source so APT does not carry two definitions for the same Apache package family.

if grep -Rqs 'ondrej/apache2' /etc/apt/sources.list /etc/apt/sources.list.d; then
  sudo apt install software-properties-common
  sudo add-apt-repository --remove -y ppa:ondrej/apache2
  sudo apt update
fi

For broader PPA cleanup patterns, use Remove a PPA from Ubuntu. Continue with the packages.sury.org source after the old Launchpad entry is gone.

Add the Sury Apache Repository on Ubuntu

Install the small prerequisite set, then download the Sury Apache signing key to a local file before installing it into APT’s keyring directory. The curl command in Linux guide explains the -fsSLo flags if you need to adapt this download pattern for another repository.

sudo apt install ca-certificates curl
curl -fsSLo deb.sury.org-apache2.gpg https://packages.sury.org/apache2/apt.gpg
sudo install -m 0644 deb.sury.org-apache2.gpg /usr/share/keyrings/deb.sury.org-apache2.gpg
rm -f deb.sury.org-apache2.gpg

Load the release metadata in the current shell and print the values APT will use.

. /etc/os-release
ARCH="$(dpkg --print-architecture)"
printf 'Using suite: %s\nUsing architecture: %s\n' "$VERSION_CODENAME" "$ARCH"

Using suite: resolute
Using architecture: amd64

Create the DEB822 source file. The block allows only the release and architecture combinations where the current Sury Apache package index contains the apache2 package.

. /etc/os-release
ARCH="$(dpkg --print-architecture)"

case "$VERSION_CODENAME:$ARCH" in
  resolute:amd64|resolute:arm64|noble:amd64|noble:arm64|noble:armhf|jammy:amd64|jammy:arm64|jammy:armhf)
    printf '%s\n' \
      'Types: deb' \
      'URIs: https://packages.sury.org/apache2/' \
      "Suites: $VERSION_CODENAME" \
      'Components: main' \
      "Architectures: $ARCH" \
      'Signed-By: /usr/share/keyrings/deb.sury.org-apache2.gpg' | sudo tee /etc/apt/sources.list.d/apache2.sources > /dev/null
    ;;
  *)
    printf 'This Apache repository workflow does not cover %s on %s.\n' "$VERSION_CODENAME" "$ARCH" >&2
    false
    ;;
esac

Refresh APT after the source file is written.

sudo apt update

Confirm that the Sury repository now supplies the selected Apache candidate.

apt-cache policy apache2

apache2:
  Installed: (none)
  Candidate: 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327
  Version table:
     2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327 500
        500 https://packages.sury.org/apache2 resolute/main amd64 Packages
     2.4.66-2ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu resolute-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu resolute-security/main amd64 Packages
     2.4.66-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu resolute/main amd64 Packages

Back Up Apache Configuration Before Upgrading

Back up /etc/apache2 before replacing the package family, especially on servers with custom modules, MPM changes, virtual hosts, or local snippets.

if [ -d /etc/apache2 ]; then
  sudo cp -a /etc/apache2 "/etc/apache2.backup.$(date +%Y%m%d-%H%M%S)"
fi

The package transaction can restart Apache, so schedule the upgrade for a maintenance window on production hosts. Review APT’s transaction summary before confirming; unexpected removals usually indicate mixed repositories, held packages, or a stale package source.

Install or Upgrade Apache from Sury

Install the apache2 package after the Sury source is active. On a host that already has Apache installed, APT upgrades apache2, apache2-bin, apache2-data, and apache2-utils to the Sury build.

sudo apt install apache2

Relevant transaction lines from a clean Ubuntu 26.04 install show the Sury Apache packages while keeping the APR dependency packages from the Ubuntu archive.

The following additional packages will be installed:
  apache2-bin apache2-data apache2-utils libapr1t64 libaprutil1-dbd-sqlite3
  libaprutil1-ldap libaprutil1t64
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapr1t64
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libaprutil1t64

Verify the Apache Upgrade

Check the runtime version after the package transaction finishes.

apache2 -v

Server version: Apache/2.4.67 (Ubuntu)
Server built:   2026-05-05T19:55:35

Confirm the installed package came from the Sury repository.

apt-cache policy apache2

apache2:
  Installed: 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327
  Candidate: 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327
  Version table:
 *** 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327 500
        500 https://packages.sury.org/apache2 resolute/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.66-2ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu resolute-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu resolute-security/main amd64 Packages

Run Apache’s configuration parser before restarting the service.

sudo apachectl configtest

Default installs can also print an AH00558 ServerName warning. Treat the parser check as successful when the stable success line is Syntax OK.

Syntax OK

Restart Apache only after the syntax check passes, then confirm that systemd sees the service as active.

sudo systemctl restart apache2
systemctl is-active apache2

active

Check the listener if the server should answer HTTP or HTTPS traffic locally.

sudo ss -tuln | grep -E ':(80|443)\b'

tcp   LISTEN 0      511                *:80              *:*

Compare Apache Versions and Package Sources on Ubuntu

Apache’s official download index currently lists Apache HTTP Server 2.4.67 as the current source release. The Sury repository packages that branch for Ubuntu, while Ubuntu archive packages remain on the distro-maintained branch for each LTS release.

Ubuntu Release	Codename	Ubuntu Archive Apache	Sury Apache
Ubuntu 26.04 LTS	resolute	Apache 2.4.66	Apache 2.4.67
Ubuntu 24.04 LTS	noble	Apache 2.4.58	Apache 2.4.67
Ubuntu 22.04 LTS	jammy	Apache 2.4.52	Apache 2.4.67

The Sury repository is useful when the Apache point release matters more than staying on Ubuntu’s packaged branch. Ubuntu archive packages remain the lower-risk default for servers that do not need the newer branch because they receive Ubuntu security maintenance through the standard update channel.

Manage Apache Updates from the Sury Repository

Once the Sury source remains enabled, normal APT maintenance includes future Sury Apache packages. Run the usual update and upgrade commands when you are ready to apply package updates.

sudo apt update
sudo apt upgrade

Check the candidate before upgrading a production server if you want to see whether Apache is part of the pending transaction.

apt-cache policy apache2

Automatic patching needs separate unattended-upgrades policy for third-party origins. Use Configure unattended upgrades on Ubuntu if you want APT-managed updates to run without a manual login.

Restore Ubuntu Archive Apache Packages

Removing the Sury source is not enough to downgrade Apache because the installed Sury package can still appear as APT’s local candidate. Use a temporary Ubuntu-origin pin, downgrade the Apache package family, then remove the pin after the archive packages are restored.

Run a configuration backup before downgrading if the server has changed since the upgrade. Downgrades can replace package-owned configuration files and module snippets, and the transaction can restart Apache.

sudo rm -f /etc/apt/sources.list.d/apache2.sources
sudo rm -f /usr/share/keyrings/deb.sury.org-apache2.gpg

Create the temporary pin that makes Ubuntu archive packages outrank the locally installed Sury packages.

printf '%s\n' \
'Package: apache2 apache2-*' \
'Pin: release o=Ubuntu' \
'Pin-Priority: 1001' | sudo tee /etc/apt/preferences.d/apache2-ubuntu-downgrade.pref > /dev/null

Refresh APT and confirm the Ubuntu archive version is now the selected candidate.

sudo apt update
apt-cache policy apache2

apache2:
  Installed: 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327
  Candidate: 2.4.66-2ubuntu2.1
  Version table:
 *** 2.4.67-1~deb13u1+0~20260505.21+ubuntu26.04~1.gbp627327 100
        100 /var/lib/dpkg/status
     2.4.66-2ubuntu2.1 1001
        500 http://archive.ubuntu.com/ubuntu resolute-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu resolute-security/main amd64 Packages

Downgrade the Apache package family. APT should show DOWNGRADED for these packages before you confirm the transaction.

sudo apt install --allow-downgrades apache2 apache2-bin apache2-data apache2-utils

Remove the temporary pin after the downgrade, then test and restart Apache.

sudo rm -f /etc/apt/preferences.d/apache2-ubuntu-downgrade.pref
sudo apachectl configtest
sudo systemctl restart apache2
apache2 -v

Relevant lines include the parser result and restored Apache runtime version.

Syntax OK
Server version: Apache/2.4.66 (Ubuntu)
Server built:   2026-05-05T13:04:33

On Ubuntu 24.04, the restored version should return to Apache 2.4.58. On Ubuntu 22.04, it should return to Apache 2.4.52.

Troubleshoot Apache Upgrade Issues on Ubuntu

Troubleshooting should identify the failing layer before changing packages again. Start with the repository state, then check Apache configuration, service logs, and listener conflicts.

Fix Missing Release File or Wrong Repository Errors

If apt update reports a missing Release file for ppa.launchpadcontent.net/ondrej/apache2, the system is still using the older Launchpad PPA. Remove that PPA and keep only the packages.sury.org source for this workflow.

grep -R "ondrej/apache2\\|packages.sury.org/apache2" /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null

The expected active source should reference packages.sury.org/apache2.

/etc/apt/sources.list.d/apache2.sources:URIs: https://packages.sury.org/apache2/

If the error references an unsupported codename or architecture, rerun the codename and architecture check before writing the source file again.

grep '^VERSION_CODENAME=' /etc/os-release
dpkg --print-architecture

Fix Sury Key or Signature Errors

A NO_PUBKEY or signature error usually means the keyring path in the source file does not match the installed key file. Reinstall the key and refresh APT.

curl -fsSLo deb.sury.org-apache2.gpg https://packages.sury.org/apache2/apt.gpg
sudo install -m 0644 deb.sury.org-apache2.gpg /usr/share/keyrings/deb.sury.org-apache2.gpg
rm -f deb.sury.org-apache2.gpg
sudo apt update

If APT still reports a signature error, inspect the source file and confirm the Signed-By: value is exactly /usr/share/keyrings/deb.sury.org-apache2.gpg.

cat /etc/apt/sources.list.d/apache2.sources

Resolve Apache Module or Configuration Failures

Run the parser before restarting Apache. A failed syntax check normally names the file, line, directive, or module that needs attention.

sudo apachectl configtest

AH00526: Syntax error on line 12 of /etc/apache2/sites-enabled/example.conf:
Invalid command '<VirutalHost', perhaps misspelled or defined by a module not included in the server configuration

Open the referenced file, fix the typo or stale directive, then rerun the parser and restart Apache only after the parser returns Syntax OK.

sudo nano /etc/apache2/sites-enabled/example.conf
sudo apachectl configtest
sudo systemctl restart apache2

If the error names a module file, list enabled modules and reinstall or disable the package that owns the failing module.

sudo apachectl -M | sort
dpkg -S /usr/lib/apache2/modules/mod_rewrite.so

Debug Apache Service Start Errors

Use systemd and the Apache error log to separate package failures from site configuration errors. The tail command examples are useful when you need to follow the error log while retrying a restart.

sudo systemctl status apache2 --no-pager
sudo journalctl -u apache2 -n 50 --no-pager
sudo tail -n 50 /var/log/apache2/error.log

After fixing the reported issue, retest the same service path.

sudo apachectl configtest
sudo systemctl restart apache2
systemctl is-active apache2

Relevant lines include the parser result and service state.

Syntax OK
active

Detect Port Conflicts After the Upgrade

Apache cannot bind to ports 80 or 443 when another service already owns those sockets. Check listeners before changing firewall rules or editing virtual hosts.

sudo ss -tulpn | grep -E ':(80|443)\b' | sed -E 's/,pid=[0-9]+//g'

tcp   LISTEN 0 511 0.0.0.0:80    0.0.0.0:*    users:(("nginx",fd=6))
tcp   LISTEN 0 511 0.0.0.0:443   0.0.0.0:*    users:(("nginx",fd=7))

Stop or reconfigure the conflicting service only when it is not supposed to handle web traffic on that host.

sudo systemctl stop nginx
sudo systemctl start apache2
systemctl is-active apache2

Recover from Interrupted Apache Package Transactions

A cancelled package transaction can leave Apache unpacked but not configured. Repair package state first, then rerun the Apache install or upgrade command.

sudo dpkg --configure -a
sudo apt --fix-broken install
sudo apt install apache2

If APT reports held Apache packages, inspect the holds before clearing them. Remove only the Apache holds you intentionally set and want to release for this upgrade.

apt-mark showhold
sudo apt-mark unhold apache2 apache2-bin apache2-data apache2-utils

Conclusion

Apache is running from the Sury APT repository with package-source checks, configuration parsing, service verification, and a tested downgrade path back to Ubuntu’s archive packages. Next, secure public sites with Let’s Encrypt on Ubuntu, restrict access with UFW firewall rules, or add ModSecurity with Apache on Ubuntu when an application-layer firewall fits the site.