Example of how to setup Let's Encrypt on RHEL / CentOS and automate certificate rewnewal

01_setup_lets_encrypt.sh

#!/bin/bash

EMAIL=john.doe@example.com
DOMAINS=example.com,www.example.com,foo.example.com,example.org.example.net,www.example.org,www.example.net

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
mkdir -p /var/lib/letsencrypt/global-webroot

# Setup the global alias
echo "Alias /.well-known/acme-challenge /var/lib/letsencrypt/global-webroot/.well-known/acme-challenge" >> /etc/httpd/conf/httpd.conf
apachectl configtest && apachectl graceful

# Create the cron job
cat > /etc/cron.monthly/renew-letsencrypt.sh <<End-of-message
#!/bin/bash

DOMAINS=$DOMAINS
/root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains \$DOMAINS && /usr/sbin/apachectl graceful
# On CentOS/RHEL 6 running Python 2.6 add the "--debug" argument
End-of-message
chmod 755 /etc/cron.monthly/renew-letsencrypt.sh

# Install letsencrypt by running it the first time and generate the cert
./letsencrypt-auto certonly --agree-tos --email $EMAIL --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains $DOMAINS
# On CentOS/RHEL 6 running Python 2.6 add the "--debug" argument

02_text_to_add_to_every_apache_virtualhost.conf

    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=15768000"

03_apache_conf_for_reverse_proxies.conf

<VirtualHost *:443>
    # This VirtualHost shows how to bypass the reverse proxy with ProxyPassMatch
    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=15768000"

    DocumentRoot /var/www/html
    ServerName example.com

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
    Order deny,allow
        Allow from all
    </Proxy>

    # Add this to allow Let's Encrypt to validate control of the site
    ProxyPassMatch ^/\.well-known/acme-challenge/.* !
    ProxyPass / http://localhost:8080/ connectiontimeout=300 timeout=300
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

<VirtualHost *:443>
    # This VirtualHost shows how to bypass the reverse proxy with RewriteRule
    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=15768000"

    DocumentRoot /var/www/html
    ServerName example.com

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
    Order deny,allow
        Allow from all
    </Proxy>

    <Proxy balancer://myapp>
        BalancerMember http://127.0.0.1:8080
    </Proxy>

    # Add this to allow Let's Encrypt to validate control of the site
    RewriteRule ^/\.well-known/acme-challenge/.*$ - [last]
    RewriteRule ^/(.*)$ balancer://myapp%{REQUEST_URI} [P,QSA,L]
</VirtualHost>

04_cron_monthly_rewnew_letsencrypt.sh

#!/bin/bash

DOMAINS=example.com,www.example.com,foo.example.com,example.org.example.net,www.example.org,www.example.net
/root/.local/share/letsencrypt/bin/letsencrypt certonly --agree-tos --renew-by-default --webroot --webroot-path /var/lib/letsencrypt/global-webroot --domains $DOMAINS && /usr/sbin/apachectl graceful