Let’s Encrypt

Install

Get Certbot, the Linux client.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

I recommend installing it in:

mv certbot-auto /opt/certbot-auto

Create an alias for it in ~/.bash_profile:

alias certbot-auto='/opt/certbot-auto'

Refresh bash:

. ~/.bash_profile

Setup

Allow HTTPS to your server:

Port 443

Enable SSL module:

sudo a2enmod ssl

Add your nakeddomain.conf and wwwdomain.conf.

Try letting certbot-auto set up everything. You only need to create a cert for www.

certbot-auto --apache --redirect

Try the certonly command next:

certbot-auto certonly --webroot -w /app/directory/ -d www.example.com -d example.com

Make sure your .htaccess (in your app’s root) doesn’t have any weird redirects. Otherwise you’ll get:

The client lacks sufficient authorization

Auto renew

The cert expires in 90 days. Create a crontab to check every day:

0 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade
12 5 * * * /opt/certbot-auto renew --quiet --no-self-upgrade

Renewal will fail if there are any redirects from HTTP to HTTPS.
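
Both redirect warnings on this page (the .htaccess note under Setup and the renewal note above) can be checked before certbot-auto runs. The script below is an added example, not part of the original post or of Certbot: a heuristic scan of one .htaccess file for redirect directives that would also catch /.well-known/acme-challenge/, the path the --webroot method serves its challenge files from. The function names, the sample file and the rule that a directive naming the challenge path counts as an exemption are assumptions.

```shell
#!/bin/sh
# Added example: heuristic scan of an Apache .htaccess for redirects that
# would also catch /.well-known/acme-challenge/ (the --webroot challenge path).
# Prints FILE:LINE: directive. Returns 0 if clean, 1 on findings, 2 if unreadable.
check_htaccess() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk '
    function has_r_flag(f,   n, i, p) {       # [R], [R=301,L], [L,redirect=302]
        if (f !~ /^\[.*\]$/) return 0
        n = split(tolower(substr(f, 2, length(f) - 2)), p, ",")
        for (i = 1; i <= n; i++) if (p[i] ~ /^(r|redirect)(=.*)?$/) return 1
        return 0
    }
    function report() { print FILENAME ":" FNR ": " $0; bad = 1 }
    /^[ \t]*#/ { next }                        # skip comment lines
    {
        d = tolower($1)
        acme = ($0 ~ /well-known\/acme-challenge/)
        if (d == "rewritecond") {              # negated condition guards the next rule
            if (acme && $3 ~ /^!/) guarded = 1
        } else if (d == "rewriterule") {
            if (acme && $3 == "-") passthru = 1    # challenge path served as-is
            else if ((has_r_flag($NF) || $3 ~ /^https?:\/\//) && !guarded && !passthru) report()
            guarded = 0
        } else if (d == "redirectmatch") {
            report()                           # regex redirect: review by hand
        } else if (d ~ /^redirect(permanent|temp)?$/) {
            path = ($2 ~ /^\//) ? $2 : $3      # optional status argument comes first
            if (path != "" && index("/.well-known/acme-challenge/", path) == 1) report()
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: a blanket HTTP-to-HTTPS redirect with no challenge exemption.
sample_htaccess() {
    cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
EOF
}

# Usage: sh check_htaccess.sh /app/directory/.htaccess
[ $# -eq 0 ] || check_htaccess "$1"
```

A finding is a prompt to review the rule or add an exemption for the challenge path; the scan reads only the one file, not the virtual host configuration.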
