Secure your site for free with Let's Encrypt SSL
security,linux,apache,tutorial,www
This is a historical record of the setup I used in 2016 — acme.sh and Apache on Debian Jessie. It worked reliably at the time. For a modern approach using Docker and Traefik, see the followup post.
Let's Encrypt had just left beta and was issuing free, trusted SSL certificates for websites. The official Certbot client wasn't yet packaged for Debian Jessie, so I used one of the alternative clients — a simple bash script: https://github.com/Neilpang/acme.sh
With this script you can get everything done in about 5 minutes.
For this guide, assume everything runs as root and that:
/root/.acme.sh/acme.sh # where the client scripts live
mysite.com # the domain you want a certificate for
/mnt/www/mysite.com # the webroot for your site
/etc/apache2 # Apache installation with config files
Step 1 — Download the client
Go to (or create) /root/.acme.sh/acme.sh and run:
git clone https://github.com/Neilpang/acme.sh
If you don't have git, download the files manually from the project page and unpack them.
Step 2 — Create a symlink for convenience
ln -s /root/.acme.sh/ /etc/apache2/letsencrypt
Step 3 — Issue the certificate
Make sure your site is reachable from the internet, then:
./acme.sh issue /mnt/www/mysite.com/ mysite.com
Or, if you have aliases (e.g. www.mysite.com):
./acme.sh issue /mnt/www/mysite.com/ mysite.com www.mysite.com
If your site was accessible, you'll receive a certificate. The files will be saved to:
/root/.acme.sh/mysite.com/
Step 4 — Configure Apache
Point Apache to the new certificates in your virtual host config:
SSLCACertificateFile /etc/apache2/letsencrypt/mysite.com/ca.cer
SSLCertificateFile /etc/apache2/letsencrypt/mysite.com/mysite.com.cer
SSLCertificateKeyFile /etc/apache2/letsencrypt/mysite.com/mysite.com.key
Then reload Apache:
service apache2 reload
Your site should now be served with a Let's Encrypt certificate.
Step 5 — Auto-renewal
Certificates are valid for 90 days. To renew automatically, create an executable script, e.g. acme_cron:
#!/bin/sh
/root/.acme.sh/acme.sh/acme.sh cron >> /var/log/le-renew.log
service apache2 reload
Drop it in /etc/cron.daily and you're done.
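The script above reloads Apache every day, whether or not the renewal job succeeded or wrote a new certificate, and it logs only standard output. A stricter variant is sketched below as an added example; it is not the author's script and not part of acme.sh. It reports a failed renewal through its exit status, reloads only when the certificate file changed, and flags a private key that group or others can access. The function names and the ACME_CMD, RELOAD_CMD and LOG variables are this example's own; the paths and the cron subcommand are the ones used in this post.

```shell
#!/bin/sh
# Added example, not the author's script. Paths follow the post's layout;
# the *_CMD variables and the function names are this example's own.
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
DOMAIN="${DOMAIN:-mysite.com}"
ACME_CMD="${ACME_CMD:-$ACME_HOME/acme.sh/acme.sh}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"
LOG="${LOG:-/var/log/le-renew.log}"

# Checksum of a file, or "missing" if it does not exist.
fingerprint() {
    if [ -f "$1" ]; then cksum < "$1"; else echo missing; fi
}

# Succeeds only if the key is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -lLd "$1" | cut -c5-10)" = "------" ]
}

# Run the renewal job and reload Apache only when the certificate file changed.
# Returns 0 = fine, 1 = renewal or reload failed, 2 = key missing or too open.
renew_and_reload() {
    cert="$ACME_HOME/$DOMAIN/$DOMAIN.cer"
    key="$ACME_HOME/$DOMAIN/$DOMAIN.key"
    before=$(fingerprint "$cert")

    if ! "$ACME_CMD" cron >> "$LOG" 2>&1; then
        echo "$(date) renewal job failed, Apache not reloaded" >> "$LOG"
        return 1
    fi

    if [ "$before" != "$(fingerprint "$cert")" ]; then
        # Unquoted on purpose: RELOAD_CMD holds a command plus its arguments.
        $RELOAD_CMD >> "$LOG" 2>&1 || return 1
    fi

    key_is_private "$key" && return 0
    echo "$(date) $key is missing or accessible to group/others" >> "$LOG"
    return 2
}

# Runs only when the file is installed under the name used in Step 5.
if [ "${0##*/}" = "acme_cron" ]; then renew_and_reload; fi
```

A non-zero exit status from a script in /etc/cron.daily is reported by run-parts, so a failed renewal shows up in cron's mail instead of only in the log file.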

The process isn't complicated — once set up, renewal is fully automatic.
This setup served well until I moved everything to Docker. The modern approach using Traefik handles Let's Encrypt automatically — no scripts, no cron, no manual config. More on that: Let's Encrypt with Docker and Traefik.