====== CertBot Certificate ======

===== Install =====

Since Certbot is packaged for your system, all you'll need to do is apt-get the following packages.

First you'll have to follow the instructions here to enable the Jessie backports repo, if you have not already done so. For jessie, add this line

  deb http://ftp.debian.org/debian jessie-backports main

to your **sources.list** (or add a new file with the ".list" extension to /etc/apt/sources.list.d/).

Then do:

  $ sudo apt-get install python-certbot-apache -t jessie-backports

===== Get Started =====

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

  $ certbot --apache

Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it. If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

  $ certbot --apache certonly

**__Note__**: the Apache plugin with **certonly** does the following:

  * makes temporary config changes (adding a new vhost to pass an ACME Challenge, and enabling mod_ssl if necessary)
  * performs a graceful reload
  * reverts all changes
  * performs another graceful reload

This appears to be a reliable process, but if you don't want Certbot to touch your Apache process or files in any way, you can use the webroot plugin.

To learn more about how to use Certbot read our documentation.

We can now run Certbot to get our certificate. We'll use the --standalone option to tell Certbot to handle the challenge using its own built-in web server. The --preferred-challenges option instructs Certbot to use port 80 or port 443. If you're using port 80, you want --preferred-challenges http. For port 443 it would be --preferred-challenges tls-sni. Finally, the -d flag is used to specify the domain you're requesting a certificate for. You can add multiple -d options to cover multiple domains in one certificate.

  sudo certbot certonly --standalone --preferred-challenges http -d example.com

In our case:

  sudo certbot certonly --standalone -d example.com

===== Automating renewal =====

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

  certbot renew --dry-run
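
A renewal cron job that fails silently is only noticed when the certificate expires, so it helps to check the remaining lifetime independently of the dry run. The script below is an added example, not part of the original page or of Certbot: it classifies a certificate from the notAfter line that openssl prints. The function names and the 21-day threshold are assumptions, and it relies on GNU date, on Certbot's default of renewing once fewer than 30 days remain, and on its default /etc/letsencrypt/live layout.

```shell
#!/bin/sh
# Added example: detect a renewal job that has stopped working by looking at
# how much lifetime is left on the certificate. Names here are hypothetical.

# Seconds until expiry, given the "notAfter=..." line printed by
# `openssl x509 -enddate -noout`. Optional $2 is "now" in epoch seconds.
secs_left() {
    local not_after now expiry
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    # GNU date parses openssl's "Mon DD HH:MM:SS YYYY GMT" format.
    expiry=$(date -u -d "$not_after" +%s) || return 2
    echo $(( expiry - now ))
}

# Classify the remaining lifetime. Certbot renews by default once fewer than
# 30 days remain, so a certificate well below that (assumed threshold: 21
# days) means renewal attempts have been failing for a while.
renewal_status() {
    local secs threshold_days
    secs=$1
    threshold_days=${2:-21}
    if [ "$secs" -le 0 ]; then
        echo expired
    elif [ "$secs" -lt $(( threshold_days * 86400 )) ]; then
        echo renewal-overdue
    else
        echo ok
    fi
}

# Check one certificate file on disk; non-zero exit unless status is "ok",
# so the function can drive a monitoring check or a mail-on-failure cron job.
check_cert() {
    local pem line secs status
    pem=$1
    line=$(openssl x509 -enddate -noout -in "$pem") || return 2
    secs=$(secs_left "$line") || return 2
    status=$(renewal_status "$secs")
    printf '%s: %s days left (%s)\n' "$pem" $(( secs / 86400 )) "$status"
    [ "$status" = ok ]
}

# Usage on a real host (example.com is the domain used on this page):
#   check_cert /etc/letsencrypt/live/example.com/cert.pem
```
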