Step 1: Set up the Apache2 virtual host file

For Let's Encrypt to automatically install its free SSL/TLS certificate on an Ubuntu server running Apache2, configure the site configuration file with the domain names we want to use for SSL/TLS.

Open the site configuration file and make sure it contains the domain names for which we want to obtain the free SSL/TLS certificate.

sudo nano /etc/apache2/sites-available/example.com

Fill in the domain names that will use SSL:

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com
. . . .
. . . .
</VirtualHost>

Save and close the file.

Install the Apache2 HTTP server and a free Let's Encrypt SSL/TLS certificate on Ubuntu 18.04 LTS

Let's Encrypt is a certificate authority (CA) that provides free SSL/TLS certificates to anyone who owns a valid domain or website.

Step 3: Obtain the free SSL/TLS certificate

Complete the Let's Encrypt installation and configuration.
Let's Encrypt now provides an Apache2 client that automates this process.

Again, make sure the Apache2 configuration is set up correctly.
In the site configuration file, make sure ServerName and ServerAlias are defined.

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com
. . . .
. . . .
</VirtualHost>

After confirming these settings, continue below to obtain the certificate for the domain.

To obtain the Let's Encrypt SSL/TLS client, run the following command:

sudo apt-get install python-certbot-apache

Obtain the free Let's Encrypt SSL/TLS certificate:

sudo certbot --apache -m admin@example.com -d example.com -d www.example.com

After running the command above, we should be prompted to accept the license terms.
If everything checks out, the client should automatically install the free SSL/TLS certificate and configure the Apache2 site to use it.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2015.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Choose Yes (Y) to share our email address:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
------------------------------------------------------------------------------
(Y)es/(N)o: Y
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Choosing option 2 redirects all traffic to HTTPS.

After that, the SSL client should install the certificate and configure the site to redirect all traffic to HTTPS:

Congratulations! You have successfully enabled https://example.com and
https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
------------------------------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2015-02-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The code below was added automatically by the Let's Encrypt Certbot to the Apache2 WordPress configuration file.

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/wordpress/
     ServerName example.com
     ServerAlias www.example.com
     <Directory /var/www/html/wordpress/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     RewriteEngine on
     RewriteCond %{SERVER_NAME} =example.com [OR]
     RewriteCond %{SERVER_NAME} =www.example.com
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

It also creates a new configuration file for the domain, named /etc/apache2/sites-available/example.com-le-ssl.conf.
This is the Apache2 SSL module configuration file, and it should contain the certificate definitions shown below.

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/wordpress/
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/wordpress/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
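The two things the steps above depend on are that the port-80 vhost declares every domain passed to certbot with ServerName/ServerAlias, and that after choosing option 2 it carries the RewriteCond/RewriteRule redirect to https://. The script below checks both against a vhost file's text; it is an added example, not code from the original page or from Certbot, and SAMPLE_VHOST is a constructed config in the shape of the page's example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check that the domains given to
# "certbot --apache -d ..." are declared by ServerName/ServerAlias, and that the
# port-80 vhost carries the HTTPS redirect that certbot's "Redirect" option writes.

# Constructed sample vhost in the shape of the page's example (not a real server).
SAMPLE_VHOST='<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/example.com/
     ServerName example.com
     ServerAlias www.example.com blog.example.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>'

# Print every hostname declared by ServerName/ServerAlias, one per line.
vhost_names() {   # $1 = vhost text
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# Exit 0 when every requested domain is declared; otherwise print the missing
# ones and exit 1 (the apache plugin matches vhosts by exactly these names).
check_domains() {   # $1 = vhost text, $2.. = domains to request
    cd_names=$(vhost_names "$1"); shift
    cd_missing=""
    for cd_d in "$@"; do
        printf '%s\n' "$cd_names" | grep -qxF "$cd_d" || cd_missing="$cd_missing $cd_d"
    done
    [ -z "$cd_missing" ] && return 0
    printf 'missing from vhost:%s\n' "$cd_missing"
    return 1
}

# Exit 0 when the vhost has a RewriteCond for the hostname and a RewriteRule
# to https:// (the redirect option 2 above installs); otherwise exit 1.
has_https_redirect() {  # $1 = vhost text, $2 = hostname
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "RewriteCond" && $2 == "%{SERVER_NAME}" && $3 == ("=" h) { cond = 1 }
        $1 == "RewriteRule" && $3 ~ /^https:\/\// { rule = 1 }
        END { exit (cond && rule) ? 0 : 1 }'
}
```

Run it against the real file with `check_domains "$(cat /etc/apache2/sites-available/example.com)" example.com www.example.com` before invoking certbot, and `has_https_redirect` on the same text afterwards.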

We must renew the certificate manually.
When the certificate is about to expire, we will receive an email reminder.
To test the renewal process, run the following command:

sudo certbot renew --dry-run

To set up a process that renews the certificate automatically, add a cron job that runs the renewal:

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

The cron job will attempt to renew the certificate 30 days before it expires.

Step 2: Install the Let's Encrypt client

To get a free Let's Encrypt SSL/TLS certificate on our Ubuntu machine, we should first install its client.
The client automates this process.
To install it, run the following command:

sudo apt-get install python-certbot-apache

Date: 2020-07-07 20:57:13  Source: oir  Author: oir