IT-LINUXMAKER, OpenSource, Tutorials

Create SSL certificates with Let's Encrypt very easily

Let's Encrypt is a certificate authority that went live in 2015 and issues free X.509 certificates for use with Transport Layer Security (TLS). This closed a large gap in the deployment of encrypted web content: certificates from commercial trust centers were often affordable only for large companies and organizations, while free certification bodies such as CAcert lacked the support of the browser vendors. Because the CAcert root was not in the browsers' trust stores, a site with a perfectly valid CAcert certificate was still shown as untrusted by many browsers.
In addition, Let's Encrypt has developed client software that automates the certification process almost entirely. All steps described here are therefore script-based, so that even less experienced administrators of a website can set up HTTPS. Even registering an account with the certificate authority is handled by the client.

To automate certification, Let's Encrypt uses the challenge-response mechanism of the Automatic Certificate Management Environment (ACME, RFC 8555). The client proves control of the domain to be certified in one of two ways. With the HTTP-01 challenge, a token issued by Let's Encrypt is published on the web server under http://<domain>/.well-known/acme-challenge/<token>; with the DNS-01 challenge, a value derived from the token is published as a TXT resource record at _acme-challenge.<domain>. Let's Encrypt's validation servers then fetch the file or query the DNS record. A correct answer shows that the applicant controls the web server, or the DNS zone of the domain (domain validation). HTTP-01 requires the web server to be reachable from the Internet on port 80; DNS-01 works without that and is also the only challenge that can be used for wildcard certificates.
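What exactly gets published for the two challenges is useful to know when a validation fails and you want to compare the value certbot placed with what the CA expects. The script below is an added example (not code from the tutorial or from Certbot) that derives both values from a challenge token and the account key's JWK thumbprint as RFC 8555 specifies: the HTTP-01 file body is "<token>.<thumbprint>" and the DNS-01 TXT value is base64url(SHA-256(that string)). The token, thumbprint and domain name are constructed placeholders, not values issued by Let's Encrypt.

```shell
#!/bin/sh
# Added example: derive the HTTP-01 and DNS-01 challenge values an ACME
# client publishes (RFC 8555, section 8). Requires only openssl.
set -eu

# Base64url without padding, the encoding ACME uses everywhere.
b64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# HTTP-01: the body served at
# http://<domain>/.well-known/acme-challenge/<token> is "<token>.<thumbprint>".
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# DNS-01: the TXT record at _acme-challenge.<domain> holds
# base64url(SHA-256(key authorization)), never the raw token.
dns01_txt_value() {
    key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Print both forms for a domain so an operator can compare them with what
# certbot (or a DNS hook) actually placed.
show_challenge_values() {
    domain=$1; token=$2; thumbprint=$3
    printf 'HTTP-01 URL : http://%s/.well-known/acme-challenge/%s\n' "$domain" "$token"
    printf 'HTTP-01 body: %s\n' "$(key_authorization "$token" "$thumbprint")"
    printf 'DNS-01 name : _acme-challenge.%s\n' "$domain"
    printf 'DNS-01 TXT  : %s\n' "$(dns01_txt_value "$token" "$thumbprint")"
}

# Constructed sample values (not real challenge data): a token and the
# thumbprint of an account key, both already base64url-encoded.
SAMPLE_TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'
SAMPLE_THUMBPRINT='9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI'

show_challenge_values www.example.com "$SAMPLE_TOKEN" "$SAMPLE_THUMBPRINT"
```

When debugging a live HTTP-01 failure, fetch the URL the script prints with curl from outside your network; the response must be exactly the printed body, served over plain HTTP on port 80 (a redirect to HTTPS is allowed). For DNS-01, query the printed name with dig against a public resolver and remember that a freshly changed TXT record can take a while to propagate.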


Certbot, an easy-to-use automated client that obtains and installs SSL/TLS certificates for web servers, takes this automation one step further: certificates are requested for the domains configured on the web server, and the web server configuration is adjusted accordingly.

Installation and configuration

Certbot is available within the official Debian Apt repositories.

~# apt-get update
~# apt install -y certbot

Then install Apache2 and the Certbot Apache plugin, if they are not already present:

~# apt-get install apache2 python-certbot-apache

On current Debian releases the plugin package is called python3-certbot-apache; python-certbot-apache is the Python 2 package of older releases.

For other systems and web servers, certbot.eff.org offers further installation routines.

Compared to the first versions, the configuration is now interactive and very easy:

~# certbot run --apache

If virtual hosts have already been created and configured for the domains on the web server, Certbot detects them and asks for which domain names HTTPS should be enabled. If no virtual host exists yet, you enter the domain names by hand.

If you want to give the certificate a specific name (the lineage name used under /etc/letsencrypt/live/), pass it with --cert-name:

~# certbot run --apache --cert-name certificate1.example.com

Certbot then creates a new Apache configuration file for the HTTPS virtual host. In the interactive dialogue it asks whether all HTTP requests should be redirected to HTTPS. If you agree, it writes the corresponding configuration to /etc/apache2/sites-available/ with the suffix -le-ssl.conf, enables it, and reloads Apache itself. A manual restart is only needed if you changed the configuration yourself afterwards:

~# systemctl restart apache2

If not all domains are to be included in one certificate, the unwanted domains can be deselected in the dialogue. Certificates for the deselected domains are then created in a second certbot run.

If a domain already has a TLS virtual host whose certificate you want to replace with the Let's Encrypt one, remove the existing SSL virtual host directives first (in particular SSLCertificateFile and SSLCertificateKeyFile), so that Certbot does not leave two conflicting configurations behind.
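The interactive dialogue above is fine for a one-off setup, but on a server managed by configuration management the same run is usually done non-interactively. The following script is an added example (not the tutorial's own commands) that builds such a run: it refuses names the Apache plugin cannot validate (a wildcard needs DNS-01, and the Apache plugin uses HTTP-01), then assembles the certbot argument list so it can be inspected before anything talks to the CA. The certificate name, contact address and domain names are assumed values; domains are expected in ASCII (punycode) form.

```shell
#!/bin/sh
# Added example: the interactive "certbot run --apache" dialogue as a
# non-interactive invocation with a pre-flight check of the domain list.
set -eu

CERT_NAME=${CERT_NAME:-www.example.com}            # assumed lineage name
EMAIL=${EMAIL:-hostmaster@example.com}             # assumed contact address
DOMAINS=${DOMAINS:-"www.example.com example.com"}  # assumed domain names

# Reject names the Apache plugin cannot validate: HTTP-01 cannot issue
# wildcard certificates (those need DNS-01), and names must be plain
# hostnames made of letters, digits, dots and hyphens.
validate_domains() {
    for d in $1; do
        case "$d" in
            '*'*)
                printf 'wildcard %s needs the DNS-01 challenge\n' "$d" >&2; return 1 ;;
            *[!A-Za-z0-9.-]*)
                printf 'invalid domain name: %s\n' "$d" >&2; return 1 ;;
        esac
    done
}

# Emit the certbot argument list, one argument per line. --agree-tos and
# --no-eff-email answer the questions the dialogue would otherwise ask;
# --redirect corresponds to "redirect all HTTP requests to HTTPS".
certbot_args() {
    printf '%s\n' run --apache --non-interactive --agree-tos --no-eff-email \
        --redirect --cert-name "$1" -m "$2"
    for d in $3; do printf -- '-d\n%s\n' "$d"; done
}

# issue [print]: with "print", only show the command that would be run.
issue() {
    validate_domains "$DOMAINS"
    if [ "${1:-}" = print ]; then
        printf 'certbot'
        certbot_args "$CERT_NAME" "$EMAIL" "$DOMAINS" | while IFS= read -r a; do
            printf ' %s' "$a"
        done
        echo
    else
        # Word splitting of the newline-separated list is intended here.
        certbot $(certbot_args "$CERT_NAME" "$EMAIL" "$DOMAINS")
    fi
}

issue print
```

Call issue without the print argument to actually obtain the certificate; run it once with --dry-run added to the argument list (against the staging environment) before the first real issuance, because the production CA rate-limits repeated failures.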

Renewal of the certificates

Let's Encrypt certificates are valid for only 90 days; after that they expire. Renewal, however, is very easy and can be automated.

~# certbot renew --dry-run

performs a dry run: it reads all renewal configurations under /etc/letsencrypt/renewal/ and goes through the complete renewal against the Let's Encrypt staging environment, but does not replace any certificate or configuration file. On success the message "Congratulations, all renewals succeeded." appears.

~# certbot renew

actually obtains new certificates. The renewal can be automated with an entry in root's crontab:

0       0       *       *       *       /usr/bin/certbot renew -q --post-hook "/usr/sbin/service apache2 restart"

This checks daily whether any certificate is due for renewal and renews it if so. Certbot only renews a certificate that is within 30 days of expiry (the default renew_before_expiry); otherwise it reports that the certificate is not yet due and does nothing. The -q option (--quiet) suppresses all output except errors, so cron only sends mail when a renewal fails. Two refinements are worth making: --deploy-hook runs its command only when a certificate was actually renewed, whereas --post-hook runs after every attempt, and "service apache2 reload" picks up the new certificate without dropping open connections. Note also that the Debian certbot package already installs /etc/cron.d/certbot and a certbot.timer systemd unit that run certbot renew twice a day, so on Debian an additional crontab entry is usually redundant.
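A renewal job that fails quietly for weeks is the classic way a Let's Encrypt site ends up with an expired certificate, so it pays to check the certificates themselves rather than trusting the cron job. The script below is an added example (not part of the tutorial or of Certbot) that inspects every fullchain.pem under /etc/letsencrypt/live/ and warns when a certificate has less than a chosen number of days left; since certbot renews at 30 days, anything below about 20 days means renewal has been failing. The directory and threshold are taken from the environment so the functions can be tested against a throwaway certificate.

```shell
#!/bin/sh
# Added example: report certificates that are close to expiry, using the
# files certbot writes under /etc/letsencrypt/live. Requires only openssl.
set -eu

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-20}   # below certbot's 30-day renewal window: renewal is failing

# Return 0 if the certificate in $1 is still valid for at least $2 days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -ext subjectAltName -in "$1" \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Print the notAfter timestamp as openssl formats it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Scan a live directory: one line per lineage, exit status 1 if any
# certificate is within WARN_DAYS of expiry (so cron or monitoring can alert).
check_live_dir() {
    dir=$1; status=0
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        if cert_valid_for_days "$pem" "$WARN_DAYS"; then
            printf 'OK       %s expires %s\n' "$name" "$(cert_not_after "$pem")"
        else
            printf 'WARNING  %s expires %s (less than %s days left)\n' \
                "$name" "$(cert_not_after "$pem")" "$WARN_DAYS"
            status=1
        fi
    done
    return $status
}

# Only scan when invoked with --scan, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    check_live_dir "$LIVE_DIR"
fi
```

Run it as "sh check-certs.sh --scan" from a daily cron entry or a monitoring agent; a non-zero exit status is the alert. cert_dns_names is handy after an issuance to confirm that every deselected or added domain ended up in the certificate you expected.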

Revoke and delete certificates

A certificate can be revoked by giving its name (the lineage name under /etc/letsencrypt/live/):

~# certbot revoke --cert-name www.example.com

or by giving the path to the certificate file itself (the file, not the lineage directory):

~# certbot revoke --cert-path /etc/letsencrypt/live/www.example.com/cert.pem

After certbot revoke, you are asked whether the certificate files should be deleted as well. If you do not confirm, the renewal configuration stays in place and the revoked certificate is simply replaced by a new one during the next renewal. If the certificate was obtained with a different ACME account, the matching private key must be supplied with --key-path to prove that you are entitled to revoke it. Several self-explanatory options can be passed to the command:

  • --delete-after-revoke / --no-delete-after-revoke (by default the user is prompted)
  • --reason [unspecified, keycompromise, affiliationchanged, superseded, cessationofoperation] (default: unspecified)

Use --reason keycompromise whenever the private key may have leaked, and then obtain a new certificate: certbot generates a fresh private key for it unless --reuse-key is set, so the compromised key does not live on.


© IT-LINUXMAKER 2025