Use Let’s Encrypt to Create Certificates

Let’s Encrypt is a Certificate Authority (CA) that provides FREE certificates. As of 2017/05/29, the official tool to get a certificate with shell access is Certbot.

It’s great that Certbot provides convenient plugins to install certificates for common web server software, such as Apache and nginx.

However, I would prefer to NOT let any other program touch the server process and configuration. So I choose --manual.

sudo certbot certonly --manual --preferred-challenges dns -d www.xyz.com,xyz.com

This works, but renewing the certificate is a problem because of --manual.

An alternative way is to use --webroot when generating the certificates:

sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/example/ -d www.example.com,example.com

Set up a cron job for renewing the certificates:

0 3,15 * * * certbot renew --quiet --no-self-upgrade --webroot && apachectl graceful
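
Because the cron entry runs certbot with --quiet, a renewal that keeps failing is easy to miss. The script below is an added example, not part of the original post: it uses openssl x509 -checkend to flag certificates that are close to expiry. It assumes certbot's default /etc/letsencrypt/live directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: expiry check to run alongside the "certbot renew --quiet" cron job.
# Assumption: certificates are under certbot's default /etc/letsencrypt/live/<name>/cert.pem
# (that directory is normally readable by root only).

# cert_status FILE DAYS
#   returns 0 if FILE is a certificate still valid for more than DAYS days,
#           1 if it expires within DAYS days (or has already expired),
#           2 if FILE is missing or cannot be parsed as a certificate.
cert_status() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_live_dir DIR DAYS
#   checks every DIR/*/cert.pem, prints one line per problem,
#   returns 0 if all certificates are fine and 1 otherwise.
check_live_dir() {
    live=$1
    days=$2
    problems=0
    for cert in "$live"/*/cert.pem; do
        [ -e "$cert" ] || continue
        rc=0
        cert_status "$cert" "$days" || rc=$?
        case $rc in
            0) ;;
            1) echo "EXPIRING: $cert (within $days days)"; problems=1 ;;
            *) echo "UNREADABLE: $cert"; problems=1 ;;
        esac
    done
    return "$problems"
}

# Usage: sh check-certs.sh /etc/letsencrypt/live 20
if [ "$#" -eq 2 ]; then
    check_live_dir "$1" "$2"
fi
```

Let's Encrypt certificates are valid for 90 days and certbot renews them when fewer than 30 days remain, so a threshold below 30 (for example 20) only fires when renewal has actually been failing.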
