After having changed all my certificates because of SHA-1 becoming deprecated, I thought I’d go one step further: I heard Google is thinking of lowering the rank of sites that are not available over HTTPS, and let’s face it I can’t expect my root CA to be accepted by browsers. Time to install Let’s Encrypt!

On Debian a simple apt-get install certbot is enough, maybe along with python-certbot-apache if you have a simple setup. In my case Apache is hidden behind sslh (which sorts between HTTPS, ssh, xmpp and a few other things) and Certbot’s Apache module uses randomly generated SNI probes so that LetEncrypt’s server can check you actually own domains. So I couldn’t use the Apache module (which is a shame because it really is trivial to use).

[EDIT 12JUN2017: sslh now supports regular expressions on SNI probes, which allows to set up a redirection for Let’s Encrypt’s checks to Apache. So you should now be able to use the Apache module with sslh. I keep using the Webroot method because I have a vague feeling that it’s less intrusive to the Web, but mostly because it works as it is.]

Instead I used the Webroot module which creates files in the Web space of each domain to let LetEncrypt’s server find its challengs. That’s actually still pretty easy:

certbot certonly --webroot -w /var/www/yr -d -d

And just repeat for each domain.

Certbot in Debian comes with a cron in /etc/cron.d/certbot which should renew the certificates every few months, so I’ll have to check this actually works. For one, I’m not sure Apache will be restarted to pick up the changes (I think it won’t).