Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on an Ubuntu 16.04 server running Apache as a web server.

We need to add a repository, for this first of all install the software-properties-common package. For our Ubuntu version, I also had to install the python-software-properties package:

apt-get install software-properties-common python-software-properties

Then then add the PPA, update your sources, and upgrade your the package:

add-apt-repository ppa:certbot/certbot
apt-get update

And finally, install Certbot from the new repository with apt-get:

apt-get install python-certbot-apache

The certbot Let's Encrypt client is now ready to use.

Set Up the SSL Certificate

Generating the SSL certificate for Apache using Certbot is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the command:

certbot --apache -d yourdomain.ltd

If you have multiple virtual hosts, you should run this command once for each to generate a new certificate for each.

Verifying Certbot Auto-Renewal

By default, SSL certificates issued by Let’s Encrypt are valid for 90 days. So it is recommended to renew the certificate before the expiration date. However, the certbot package we installed takes care of this for us by running certbot renew twice a day via a systemd timer.

To test the renewal process, you can do a dry run with certbot:

certbot renew --dry-run

If you see no errors, you're all set. When necessary, certbot will renew your certificates and reload Apache to pick up the changes.