Let’s Encrypt is a Certificate Authority (CA) that issues free SSL certificates. I have used these certificates on web servers, cloud functions, load balancers, and many more.

In this article I will show how to obtain an SSL certificate from Let’s Encrypt for Apache on Debian 9, running on a Google Compute Engine VM instance.

This article assumes that you have already set up HTTPS on your Apache web server and that you have enabled both HTTP and HTTPS firewall rules.

Step 1 – Update the Debian Software Repository

Append this line to the bottom of the file:

Update your packages list:

Step 2 – Install Let’s Encrypt Certbot Agent

Step 3 – Verify Apache SSL Configuration

Verify that your SSL configuration file has the correct ServerName for your web site domain:

Verify your Apache server configuration files:

Reload the Apache configuration:

Example ssl.conf file:

Note: The above example has a self-signed certificate for testing SSL before requesting a real certificate.
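One way to script the ServerName check from this step, as an added example that is not part of the original article: it reads an Apache configuration file and reports any domain you plan to request that no HTTPS virtual host declares. The function names, the sample configuration, and the use of ServerAlias for the www name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: report requested domains that no <VirtualHost ...:443> declares.

# Print the names declared in port-443 virtual hosts of config file $1.
vhost_names() {
    awk '
        /^[ \t]*#/ { next }                       # Apache comments are whole lines
        tolower($1) ~ /^<virtualhost/   { in443 = ($0 ~ /:443[ >]/); next }
        tolower($1) ~ /^<\/virtualhost/ { in443 = 0; next }
        in443 && (tolower($1) == "servername" || tolower($1) == "serveralias") {
            for (i = 2; i <= NF; i++) print tolower($i)
        }
    ' "$1"
}

# Usage: missing_domains CONF domain [domain...]
# Prints each requested domain that CONF does not declare; returns 1 if any.
missing_domains() {
    md_names=$(vhost_names "$1"); shift
    md_rc=0
    for md_d in "$@"; do
        md_want=$(printf '%s' "$md_d" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$md_names" | grep -qxF -- "$md_want"; then
            printf '%s\n' "$md_d"
            md_rc=1
        fi
    done
    return "$md_rc"
}

# Constructed sample config (not the article's ssl.conf): the HTTPS vhost
# lacks the www name that the HTTP vhost has.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>
<VirtualHost *:443>
    # ServerAlias www.example.com was forgotten in this block
    ServerName example.com
</VirtualHost>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
missing_domains "$conf" example.com www.example.com || echo "^ not declared in the HTTPS virtual host"
rm -f "$conf"
```

Point `missing_domains` at your own SSL configuration file and pass the same domain names you intend to put in the certificate.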

Step 4 – Obtain an SSL Certificate

Run the following command, changing it to use your real domain names. Usually you will want both the naked domain (example.com) and the subdomain (www.example.com) in your SSL certificate.

Provided that your DNS records for both example.com and www.example.com point to this server, Certbot will issue, download, and install an SSL certificate.

Step 5 – Set Up Auto Renewal of Certificate

Let’s Encrypt SSL certificates are valid for 90 days. The Certbot package supports automatically renewing certificates for us. The Certbot command above automatically set up a cron job for us.

Run this command to verify auto renewal:

This is an example of the cron script that is set up automatically for SSL certificate renewal.

Conclusion

Let’s Encrypt and its easy-to-use tool Certbot make issuing and installing SSL certificates very easy. Certbot sets the system up to automatically renew the certificate. The best feature of all is that these certificates are free and supported by all major browsers and third-party software.