Let’s Encrypt

Install

Get Certbot, the Linux client:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

I recommend installing it in:

mv certbot-auto /opt/certbot-auto

Create an alias for it:

alias certbot-auto='/opt/certbot-auto'

Refresh bash:

. ~/.bash_profile

Setup

Allow HTTPS to your server:

Port 443

Enable SSL module:

sudo a2enmod ssl

Add your naked example.conf and www-example.conf.

Try letting certbot-auto set up everything. This will create both example-le-ssl.conf and www-example-le-ssl.conf.

certbot-auto --cert-name example.com -d example.com,www.example.com --apache --redirect

Edit example.conf and example-le-ssl.conf to redirect to https://www.example.com:

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Make sure your .htaccess (in your app’s root) doesn’t have any weird redirect. Otherwise you’ll get:

The client lacks sufficient authorization

Auto renew

The cert expires in 90 days. Create a crontab entry to check every day:

0 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade
12 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade

Renewal will fail if there are any redirects from HTTP to HTTPS.
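
To confirm the cron job is actually renewing the certificate, its expiry can be checked with openssl. The script below is an added example, not part of the original notes; the function names and the 21-day threshold are assumptions, and the sample certificate is a constructed self-signed one.

```shell
#!/bin/sh
# Added example: alert when a certificate is close to expiry, which
# usually means the "certbot-auto renew" cron job has been failing.

# cert_expires_within FILE DAYS
# Returns 0 if the certificate in FILE expires within DAYS days or
# cannot be read, 1 if it stays valid for longer than that.
cert_expires_within() {
    cert=$1
    days=$2
    # A missing or unreadable cert is treated as something to alert on.
    [ -r "$cert" ] || return 0
    # "openssl x509 -checkend N" exits 0 when the cert is still valid
    # N seconds from now.
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample_cert FILE DAYS
# Constructed self-signed certificate for trying the check offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=example.com" >/dev/null 2>&1 \
        && rm -f "$1.key"
}

# Usage (path follows from --cert-name example.com):
#   sh check-cert.sh /etc/letsencrypt/live/example.com/cert.pem
# Threshold of 21 days is an assumed value; certbot normally renews
# once fewer than 30 days remain, so less than 21 suggests a failure.
if [ -n "${1:-}" ]; then
    if cert_expires_within "$1" 21; then
        echo "WARNING: $1 expires within 21 days; check the renew cron job" >&2
        exit 1
    fi
    echo "OK: $1 is valid for more than 21 days"
fi
```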
