Adding Let’s Encrypt to Debian Web Servers
Let’s Encrypt is an automated certificate authority providing free of charge, domain-validated TLS certificates that are obtained using the ACME protocol.
Debian 8 (Jessie) Howto
- Enable backports: https://backports.debian.org/Instructions/
- Install certbot: https://certbot.eff.org/#debianjessie-apache
- apt-get install python-certbot-apache -t jessie-backports
- certbot --apache
- Optionally: follow certbot instructions and enable quiet cron job or follow up
- Optionally enable Perfect Forward Secrecy: https://www.sslplus.de/wiki/Wie_konfiguriert_man_Apache_2.x_f%C3%BCr_Perfect_Forward_Secrecy
- Edit "/etc/apache2/mods-available/ssl.conf" and uncomment "SSLHonorCipherOrder on"
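An added illustration of that last step (not from the original page or the linked guide): "SSLHonorCipherOrder on" only makes the server's preference order win, so forward secrecy also depends on the SSLCipherSuite list offering ephemeral (EC)DHE key exchange first. The "before" lines and the cipher list are constructed for this example.

```apache
# /etc/apache2/mods-available/ssl.conf (excerpt, constructed for illustration)

# Before: the client's preference decides, and the broad HIGH alias also
# admits suites that use static RSA key exchange (no forward secrecy).
#SSLCipherSuite HIGH:!aNULL
#SSLHonorCipherOrder on

# After: only ephemeral (EC)DHE key exchange is offered, and the server's
# order is enforced so the ECDHE suites are tried first.
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
```

This list contains only TLS 1.2 AEAD suites, so clients limited to older protocol versions cannot connect. Run "apache2ctl configtest" before reloading Apache.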
Debian 9 (Stretch) Howto
You can install certbot from the main repository. You can also install plugins that make it easier to obtain certificates for nginx or Apache.
- python-certbot-apache – Apache plugin for Certbot
- python-certbot-nginx – Nginx plugin for Certbot
user@computer$ sudo apt install certbot
user@computer$ sudo apt install python-certbot-apache
or
user@computer$ sudo apt install python-certbot-nginx
The default version of certbot that is available in the repository will result in the following error message if you try to run certbot --apache:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
As discussed in the Let's Encrypt forums, this is due to a security issue that existed in the old client.
In order to make a certificate for apache you can use the following command:
sudo certbot --authenticator standalone --installer apache \
-d <domain> --pre-hook "service apache2 stop" --post-hook "service apache2 start"
In order to make a certificate for nginx you can use the following command:
sudo certbot --authenticator standalone --installer nginx \
-d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"