Let's Encrypt means free, easy SSL/TLS certificates for (almost) the masses. With a few simple commands you'll have free domain-validated certificates.

Let's Encrypt also offers free wildcard SSL certificates, but only through the DNS-01 challenge, so you need a DNS provider with a supported certbot plugin (or an API you can script). Sadly I don't, yet. (GratisDNS)

This approach assumes you already have a web server with root or admin access. If you don't have a web server already, feel free to take a look at the server and web server setup guides.

Getting started

Go to https://certbot.eff.org, select your web server software and operating system, and follow the customized installation guide.

You're now ready to start creating certificates.

Create certificate:

Run this command to create your first certificate:

sudo certbot --apache certonly

This asks which of the domains found in your Apache configuration to include in the certificate (you can also pass them on the command line with -d). Certbot then proves control of each domain by temporarily serving a validation challenge through Apache and saves the new certificate under /etc/letsencrypt/live/; with certonly it does not change your Apache configuration. When the process ends, certbot tells you the exact location of the new certificate files. You'll need this to enable the certificate in Apache.

Note: Let's Encrypt certificates expire after 90 days, so remember to set up automatic renewal. It's easy.

Enable certificates in Apache

If you created your new certificate successfully, you now have all the certificate files on your server, but you need to tell Apache to use these certificates when your sites are visited.

This is done in the VirtualHost configuration for each site. If you already had an SSL certificate on your server, you just need to update two lines in your configuration (#your-cert-path# is the certificate name certbot printed, normally the first domain on the certificate):

SSLCertificateFile /etc/letsencrypt/live/#your-cert-path#/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/#your-cert-path#/privkey.pem

If you did not have an SSL certificate before, you also need to enable SSL in each VirtualHost (the one listening on port 443). Add these lines, one directive per line; Apache rejects two directives on the same line:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/#your-cert-path#/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/#your-cert-path#/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
Header always add Strict-Transport-Security "max-age=15768000"

A few caveats on these settings. The SSLProtocol line only disables SSLv2 and SSLv3; TLS 1.0 and 1.1 are deprecated as well, so add -TLSv1 -TLSv1.1 to that line unless you must support very old clients. The cipher list is the Mozilla "intermediate" profile of the time and still allows 3DES (DES-CBC3-SHA; the !DES keyword excludes single DES only) and CBC suites, so regenerate a current list from Mozilla's SSL Configuration Generator if you want something stricter. The Strict-Transport-Security header (max-age 15768000 seconds, about six months) needs mod_headers enabled (a2enmod headers on Debian/Ubuntu), and a browser only sees it after it has already reached the site over HTTPS, so redirect the port 80 VirtualHost to HTTPS as well.

Check the configuration first (apachectl configtest, or apache2ctl configtest on Debian/Ubuntu), then restart or reload Apache and you're ready to go https.
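A common reason for Apache refusing to start after this step is a VirtualHost whose SSLCertificateFile and SSLCertificateKeyFile point at different certificate directories. The script below is an added example, not code from the original post: it checks that a certificate and a key belong together by comparing their public keys, which is what Apache verifies on load. It needs openssl; every path and certificate in it is constructed for the demo, nothing under /etc/letsencrypt is read.

```shell
#!/bin/sh
# Added example (not code from the original post). Checks that a certificate
# and a private key belong together by comparing their public keys, which is
# the same thing Apache verifies when it loads SSLCertificateFile and
# SSLCertificateKeyFile. Requires openssl; every path below is constructed
# for the demo, nothing touches /etc/letsencrypt.
set -eu

# cert_matches_key CERT KEY -> exit status 0 if CERT was issued for KEY.
# Comparing the whole SubjectPublicKeyInfo works for RSA and EC keys alike,
# unlike the old "compare the RSA modulus" trick.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# check_apache_pair CERT KEY -> prints "ok" or "mismatch" and never aborts the
# caller, so it can sit in front of the reload in a deploy script
check_apache_pair() {
    if cert_matches_key "$1" "$2"; then echo ok; else echo mismatch; fi
}

# make_test_cert DIR NAME DAYS -> writes DIR/NAME.key and DIR/NAME.crt
# (throwaway self-signed certificate so the demo runs offline)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo: a correct pair, and a certificate paired with another site's key
# (the mistake you make when two VirtualHosts point at the wrong directories)
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_test_cert "$demo_dir" site 90
    make_test_cert "$demo_dir" other 90
    echo "site.crt + site.key:  $(check_apache_pair "$demo_dir/site.crt" "$demo_dir/site.key")"
    echo "site.crt + other.key: $(check_apache_pair "$demo_dir/site.crt" "$demo_dir/other.key")"
    rm -rf "$demo_dir"
fi
```

On a real server you would call cert_matches_key with the fullchain.pem and privkey.pem paths from your VirtualHost; openssl x509 reads only the first certificate in fullchain.pem, which is the server certificate, so the chain does not get in the way.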

To add domains to an existing certificate

sudo certbot --apache certonly

This lists all the domains certbot finds in your Apache configuration.

Select the existing and the new domains together, as prompted. Certbot will then ask whether to expand the existing certificate to cover the new domains.

Certbot names the certificate (and its directory under /etc/letsencrypt/live/) after the first domain you selected, so when expanding, include every domain that is already on the current certificate, in particular the one the directory is named after; otherwise certbot issues a second, separate certificate instead of expanding the first. The non-interactive equivalent is the --expand flag together with -d for every domain, old and new.

To delete a certificate:

sudo certbot delete

This lets you choose which certificate to delete. Remove or update the VirtualHost lines that point at it first; once the files under /etc/letsencrypt/live/ are gone, Apache refuses to start with that configuration.

To renew certificates

First test your setup by running this test command:

sudo certbot renew --dry-run

If it succeeds, add the renewal command to the root crontab:

certbot -q renew

Two things to check first. Many certbot packages (the Debian/Ubuntu package and the snap among them) already install a renewal cron job or systemd timer, so look for one before adding your own. And because the certificate was obtained with certonly, a renewal writes new files under /etc/letsencrypt/live/ but does not reload Apache afterwards, so Apache keeps serving the old certificate until it is restarted; add a --deploy-hook that reloads Apache (for example "systemctl reload apache2" on Debian/Ubuntu) so that renewal completes on its own.

Certificates are only renewed when they are less than 30 days from expiry, so the job is safe to run often; certbot's own documentation suggests twice a day so a transient failure gets retried, but once a week also works. For example, to run the cron job every Monday at 3 AM:

0 3 * * 1 certbot -q renew
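Since a renewal job that silently stopped working only shows up when browsers start complaining, it pays to monitor the expiry date independently of certbot. The script below is an added example, not code from the original post: it reads notAfter from a PEM certificate with openssl and reports whether it is inside certbot's default 30-day renewal window. The certificates in the demo are constructed self-signed ones; no real /etc/letsencrypt path is read.

```shell
#!/bin/sh
# Added example (not code from the original post). Reads notAfter from a PEM
# certificate and reports whether it is inside certbot's default renewal
# window (fewer than 30 days left). Requires openssl; the certificates in
# the demo are constructed self-signed ones, no real /etc/letsencrypt path
# is read.
set -eu

# days_left CERT -> prints the number of whole days until CERT expires
days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # openssl prints e.g. "Mar  5 03:00:00 2026 GMT". GNU date parses that
    # directly; BSD/macOS date needs an explicit format, hence the fallback.
    end_epoch=$(date -d "$not_after" +%s 2>/dev/null \
        || date -j -f '%b %e %H:%M:%S %Y %Z' "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# renewal_due CERT [WINDOW] -> exit 0 if fewer than WINDOW days remain
# (default 30, certbot's threshold); pass a larger WINDOW to alert before
# certbot would normally act, e.g. renewal_due cert.pem 45
renewal_due() {
    [ "$(days_left "$1")" -lt "${2:-30}" ]
}

# renewal_status CERT -> one line suitable for a monitoring check
renewal_status() {
    if renewal_due "$1"; then
        echo "RENEW: $1 expires in $(days_left "$1") days"
    else
        echo "ok: $1 expires in $(days_left "$1") days"
    fi
}

# make_test_cert FILE DAYS -> throwaway self-signed certificate for the demo
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj '/CN=demo.example.test' -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: a fresh 90-day certificate (like one certbot just issued) and one
# with 10 days left (certbot would renew this one on its next run)
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_test_cert "$demo_dir/fresh.pem" 90
    make_test_cert "$demo_dir/expiring.pem" 10
    renewal_status "$demo_dir/fresh.pem"
    renewal_status "$demo_dir/expiring.pem"
    rm -rf "$demo_dir"
fi
```

Pointing renewal_status at /etc/letsencrypt/live/#your-cert-path#/cert.pem from a daily cron job, with a window of 40 or 45 days, gives you a warning a week or two before certbot itself would have had to act, which is usually enough time to notice that the cron job or the --deploy-hook reload is broken.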

That's it.