Let’s Encrypt is a Certificate Authority (CA) that issues free SSL certificates. I have used these certificates on web servers, cloud functions, load balancers, and many more.

In this article I will show how to obtain an SSL certificate from Let’s Encrypt for Apache running on Debian 9 running on a Google Compute Engine VM instance.

This article assumes that you have already set up HTTPS on your Apache web server and that you have enabled both HTTP and HTTPS firewall rules.

Step 1 – Update the Debian Software Repository

Edit the APT sources list:

sudo vi /etc/apt/sources.list

Append this line to the bottom of the file:

deb http://ftp.debian.org/debian stretch-backports main

Update your packages list:

sudo apt update

Step 2 – Install Let’s Encrypt Certbot Agent

sudo apt install python-certbot-apache -t stretch-backports

Step 3 – Verify Apache SSL Configuration

Verify that your SSL configuration file has the correct ServerName for your web site domain:

ServerName  example.com
ServerAlias www.example.com

Verify your Apache server configuration files:

sudo apache2ctl configtest

Reload the Apache configuration:

sudo systemctl reload apache2

Example ssl.conf file:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
	ServerName            example.com
	ServerAlias           www.example.com
	SSLEngine             on
	SSLCertificateFile    "/certs/server.crt"
	SSLCertificateKeyFile "/certs/server.key"
	# Excludes only SSLv2 and SSLv3; TLS 1.0 and TLS 1.1 are not excluded by this line
	SSLProtocol           All -SSLv2 -SSLv3
	SSLHonorCipherOrder   On
	SSLSessionTickets     Off
</VirtualHost>

Note: The above example has a self-signed certificate for testing SSL before requesting a real certificate.
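
The ServerName check in Step 3 can be scripted before requesting a certificate. The following is an added example, not part of the original article: the function names vhost_names and missing_names and the sample configuration are constructed for illustration. It reads a single configuration file and does not follow Include directives.

```shell
#!/bin/sh
# Added example: confirm that every name you plan to pass to certbot -d
# is named by a port-443 VirtualHost. Function names are hypothetical.

# vhost_names FILE: print the lower-cased ServerName/ServerAlias values
# found inside <VirtualHost ...:443> blocks, one per line.
vhost_names() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<virtualhost[ \t]/ { ssl = (line ~ /:443[ \t>]/); next }
        line ~ /^<\/virtualhost/ { ssl = 0; next }
        ssl && line ~ /^server(name|alias)[ \t]/ {
            n = split(line, f, /[ \t]+/)
            for (i = 2; i <= n; i++) if (f[i] != "") print f[i]
        }' "$1"
}

# missing_names FILE DOMAIN...: print each DOMAIN that no :443 vhost
# names. Returns 0 only when every domain is covered.
missing_names() {
    conf=$1; shift
    names=$(vhost_names "$conf")
    rc=0
    for d in "$@"; do
        want=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        hit=0
        while IFS= read -r n; do
            # ServerAlias accepts * and ? wildcards, so match as a pattern
            case $want in $n) hit=1; break ;; esac
        done <<EOF
$names
EOF
        [ "$hit" -eq 1 ] || { printf '%s\n' "$d"; rc=1; }
    done
    return "$rc"
}

# Constructed sample input: a cut-down version of the ssl.conf above.
sample=$(mktemp)
printf '%s\n' 'Listen 443' '<VirtualHost *:443>' \
    '    ServerName   example.com' '    ServerAlias  www.example.com' \
    '    SSLEngine    on' '</VirtualHost>' > "$sample"
if missing=$(missing_names "$sample" example.com www.example.com mail.example.com)
then echo "all requested names are served on :443"
else echo "not named by any :443 VirtualHost: $missing"
fi
rm -f "$sample"
```

Any name the script prints should be added to ServerName or ServerAlias, or dropped from the -d list, before moving on to Step 4.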

Step 4 – Obtain an SSL Certificate

Run the following command, substituting your real domain names. Usually you will want both the naked domain (example.com) and the subdomain (www.example.com) in your SSL certificate.

sudo certbot --apache -d example.com -d www.example.com

Provided that your DNS is set up correctly, with both example.com and www.example.com pointing to this server, Certbot will issue, download and install an SSL certificate.

Step 5 – Set Up Auto Renewal of Certificate

Let’s Encrypt SSL certificates are valid for 90 days. The Certbot package supports automatically renewing certificates for us. The Certbot command above automatically set up cron for us.

Run this command to verify auto renewal:

sudo certbot renew --dry-run

This is an example of the cron script that is automatically set up for SSL certificate renewal.

# /etc/cron.d/certbot: crontab entries for the certbot package
# Upstream recommends attempting renewal twice a day
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Let’s Encrypt and their easy-to-use tool Certbot make issuing and installing SSL certificates very easy. Certbot sets the system up to automatically renew the certificate. The best feature of all is that these certificates are free and supported by all major browsers and third-party software.