How to set up HTTPS (SSL) for self-hosted domain names

Recently (I'm writing this in September, 2016) I learned about a free, recognized certificate authority. Being an absolute miser myself, I never got around to paying for a certificate. Making your own certificate--which would be very doable--looks like absolute hell as all browsers stigmatize your un-trusted certificate like it's leprosy. Suddenly, there's a free certificate authority we can all use and get on with our lives.

I use Let's Encrypt. It's free and recognized. I tested my https-encrypted domains at ssllabs.com and got an 'A' (after some guided correction of my Apache server that ssllabs.com provides).

Here, I provide links to Let's Encrypt's instructions (and instructions for a tool of theirs called 'certbot'), and have annotated their instructions when they were unclear or when I messed something up. I made some awesome noob mistakes which I corrected. I've tried to be clear and detailed about what happened, things to be aware of; stuff like that.

Here is where to begin:
https://letsencrypt.org/getting-started/

They tell you to use the certbot program here (I'm on Ubuntu):
https://certbot.eff.org/#ubuntutrusty-apache

Here are all the instructions on that page pasted here, with some notes from me added:

(I installed my certbot-auto right in my ~/Downloads directory.)

Their instructions when I showed up on their page:

Since it doesn't seem like your operating system has a packaged version of Certbot, you should use our certbot-auto script to get a copy:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

certbot-auto accepts the same flags as certbot; it installs all of its own dependencies and updates the client code automatically. So you can just run:
$ ./certbot-auto

Get Started
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

-------------------------------------------------------------------------------
NOTE ADDED BY ME:
-------------------------------------------------------------------------------
I wanted https for two new domain names I registered: example1.com and example2.com. This led to me misunderstanding some of the instructions given, and I had to correct my setup. Rather than explaining how I corrected my problems, I mainly just say how to do two domain names.

Also, I wanted to have https "do" the TLD (top level domain, like example1.com) and also the subdomain (like www.example1.com).

Probably don't use the following command (the one immediately after this note section) as-is; an alternative is given below. I had a complication because I had two virtual hosts in each of two different virtual host files. That is, in /etc/apache2/sites-available I had one file called example1.com.conf which defined:

    ServerName example1.com
    DocumentRoot /var/www/html/www.example1.com

and in the same file...

    ServerName www.example1.com
    DocumentRoot /var/www/html/www.example1.com

(I did likewise for example2.com.conf)

Being a noob, I assumed both ServerNames would be understood by Apache...

What certbot seemed to do was capture only the first ServerName and ignore the second. So I then had to figure out how to add www.example1.com manually with certbot. The manually added www subdomain worked well, but the top-level ones (example1.com and example2.com) did not. I'm not going to describe the troubleshooting I did; I had to clean up that confusion, which was somewhat involved because certificates now existed for some names but not the others (not going into an explanation of that mess here).

Instead, here's how to do each one separately, manually:

Rather than relying on:

$ ./path/to/certbot-auto --apache   # (as described immediately after this note section)

...instead, make a separate .conf file for each domain and each subdomain (so in this example, there will be 4 .conf files).

Then you can do this for each domain and domain-with-subdomain:

$ ./certbot-auto --apache -d www.example1.com
$ ./certbot-auto --apache -d example1.com
$ ./certbot-auto --apache -d www.example2.com
$ ./certbot-auto --apache -d example2.com
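
Here is an added example (my own script, not code from the original post or from the certbot project) that turns the "one .conf per name" procedure above into something repeatable: it writes a minimal port-80 vhost file per hostname, checks that no file declares more than one ServerName (the layout that made certbot pick up only the first name), and prints the certbot-auto command to run for each name. The sites directory, the certbot-auto path, and the docroot layout are assumptions based on the post:

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot. It writes one
# Apache vhost file per hostname (the layout that worked for the author) and
# prints the matching certbot-auto command for each name. SITES_DIR, CERTBOT
# and the docroot layout are assumptions based on the post.

SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"   # Ubuntu/Debian Apache layout
CERTBOT="${CERTBOT:-$HOME/Downloads/certbot-auto}"        # where the post put certbot-auto

# Emit a minimal port-80 vhost for one hostname. certbot --apache reads the
# ServerName from here and generates the port-443 vhost itself.
vhost_conf() {
    printf '<VirtualHost *:80>\n    ServerName %s\n    DocumentRoot %s\n</VirtualHost>\n' "$1" "$2"
}

# Write NAME.conf for every hostname given, one ServerName per file, so that
# each name gets its own certbot run instead of being skipped.
write_vhosts() {
    dir="$1"; shift
    for name in "$@"; do
        # example1.com and www.example1.com share one docroot, as in the post
        base=$(printf '%s' "$name" | sed 's/^www\.//')
        vhost_conf "$name" "/var/www/html/www.$base" > "$dir/$name.conf"
    done
}

# Flag any vhost file that does not declare exactly one ServerName: a file
# with two of them is the layout where certbot picked up only the first.
check_one_servername_per_file() {
    dir="$1"; rc=0
    for f in "$dir"/*.conf; do
        n=$(grep -c '^[[:space:]]*ServerName[[:space:]]' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "$f: $n ServerName lines, expected exactly 1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Print the certbot-auto command for each name (one certificate per name).
certbot_commands() {
    for name in "$@"; do
        printf '%s --apache -d %s\n' "$CERTBOT" "$name"
    done
}

# Usage, once SITES_DIR points at the real directory (run as root), then run
# each line that certbot_commands prints:
#   write_vhosts "$SITES_DIR" example1.com www.example1.com example2.com www.example2.com
#   check_one_servername_per_file "$SITES_DIR" && certbot_commands example1.com www.example1.com example2.com www.example2.com
```

The ServerName check is the part worth keeping even if you write the vhost files by hand: it catches the two-names-in-one-file layout before certbot silently handles only half of them.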

-------------------------------------------------------------------------------
now back to the instructions they give....
-------------------------------------------------------------------------------

$ ./path/to/certbot-auto --apache

If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ ./path/to/certbot-auto --apache certonly

To learn more about how to use Certbot read our documentation.
Automating renewal
Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

./path/to/certbot-auto renew --dry-run

To really renew, do this:

~/Downloads $ sudo ./certbot-auto renew

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

./path/to/certbot-auto renew --quiet --no-self-upgrade

More detailed information and options about renewal can be found in the full documentation.

Note:
if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
======================================================================
===================done with text from that web site==========================
======================================================================
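
The renewal note above asks for a cron job that runs twice a day at a random minute. Here is an added example (my own, not from the original post or from certbot) that builds such a crontab line and installs it without clobbering other entries; the certbot-auto path is an assumption taken from where the post installed it:

```shell
#!/bin/sh
# Added example, not from the original post or from certbot: build a crontab
# line that runs renewal twice a day, 12 hours apart, at a random minute, which
# is what the certbot note asks for. The CERTBOT path is an assumption.

CERTBOT="${CERTBOT:-$HOME/Downloads/certbot-auto}"

# Random integer in [0, n), read from /dev/urandom (falls back to the PID so
# the script still works where /dev/urandom is unavailable).
rand_below() {
    r=$(od -An -N2 -tu2 /dev/urandom 2>/dev/null | tr -d ' ')
    [ -n "$r" ] || r=$$
    echo $((r % $1))
}

# Print one crontab line: minute M at hour H and at H+12. Both values are
# random unless given as arguments (useful for checking a fixed schedule).
renew_cron_line() {
    minute="${1:-$(rand_below 60)}"
    hour="${2:-$(rand_below 12)}"
    printf '%s %s,%s * * * %s renew --quiet --no-self-upgrade\n' \
        "$minute" "$hour" "$((hour + 12))" "$CERTBOT"
}

# Add the line to the current user's crontab, replacing any earlier
# certbot-auto entry and keeping everything else. certbot-auto must run as
# root to update /etc/letsencrypt and reload Apache, so run this with sudo,
# and run "$CERTBOT renew --dry-run" first, as the instructions say.
install_renew_cron() {
    { crontab -l 2>/dev/null | grep -v 'certbot-auto renew' || true; renew_cron_line; } | crontab -
}
```

Spreading the two runs 12 hours apart and picking the minute randomly keeps your renewals from piling onto the same second as everyone else's, which is the reason the certbot note gives for asking for a random minute.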

After certbot was finished, it told me to check my site at:

https://www.ssllabs.com/ssltest/analyze.html?d=example1.com

...which rated my site as B, so I followed their instructions and googled stuff, and got it up to an A-, then an A. :^D

====================If your web server is behind a router======================
You need to port-forward port 443 to the computer where the web server is running. Since this was my first time, I didn't realize https wasn't going to come in on port 80, but rather on port 443. That makes sense because it's a different protocol from http.