LetsEncrypt Free SSL

Acmetool (Golang client)
# Add aliases to your web server for every domain you need a certificate for:
# > mkdir -p /data/.acme 
# nginx:
#  location /.well-known/acme-challenge/ { alias /data/.acme/; }
# httpd:
#  Alias /.well-known/acme-challenge/ /data/.acme/
# or make symlink
# > ln -sf /data/.acme /data/www/site.com/.well-known/acme-challenge

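# install
# get latest version here: https://github.com/hlandau/acme/releases
# NOTE(review): this binary ends up running as root from cron, so confirm the
# archive really came from the official release page (and matches any checksum
# the project publishes) before installing it.
# unpack, then install the binary owned by root and not writable by anyone else
# (`cp -a` would keep whatever owner and mode the unpacked archive had):
install -o root -g root -m 0755 bin/acmetool /usr/local/bin/acmetool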

# interactive first-run wizard: sets up the account, cronjob, etc.
acmetool quickstart

# register every hostname that needs a certificate and fetch the certificates
acmetool want \
  site.com \
  www.site.com \
  api.site.com \
  devel.site.com

# check the result
acmetool status

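# add autorenew to cron (weekly, Saturday 01:01, as root)
# The quickstart wizard may already have installed a cron job (check /etc/cron.d/
# as well; TODO confirm where it puts it). Only append when /etc/crontab has no
# acmetool entry, so re-running these notes does not stack duplicate lines.
# Absolute path: cron's PATH often omits /usr/local/bin, where the binary was
# installed. --batch keeps acmetool from waiting on interactive prompts under cron.
grep -q 'acmetool' /etc/crontab ||
  echo "1 1 * * sat root /usr/local/bin/acmetool --batch" >> /etc/crontab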

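# acmetool automatically reloads nginx/apache on cert renewal via hooks in /usr/libexec/acme/hooks/
# (hooks run with acmetool's privileges, i.e. root when started from the cron entry above, so keep that directory root-owned and not writable by other users)
# you can also send a notification email from a hook
# ex: echo Success | mail -s "[Acmetool] SSL certificates updated on ${HOSTNAME}" -r "sender@example.com" admin@example.com
#     (sender@example.com and admin@example.com are placeholder addresses)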

# certs can be found here:
#  /var/lib/acme/live/domain.com/

# nginx config:
#    listen 443 ssl http2;
#    ssl_certificate     /var/lib/acme/live/domain.com/fullchain;
#    ssl_certificate_key /var/lib/acme/live/domain.com/privkey;

# for apache: remember to exclude the ACME challenge path from your redirect-to-https rule:
# RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge/.*

Certbot (Python client)
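# Add aliases to your web server for every domain you need a certificate for
# (the webroot challenge only needs /.well-known/acme-challenge/ to be reachable, so the alias can be narrowed to that path):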
# nginx:
#  location /.well-known/ { alias /usr/share/nginx/html/.well-known/; }
# httpd:
#  Alias /.well-known/ /usr/share/nginx/html/.well-known/

# install certbot via yum
yum -y install certbot

# create one certificate covering all listed names, using the webroot challenge
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html \
  -d yourdomain.local \
  -d www.yourdomain.local \
  -d sub2.yourdomain.local

# to add a new domain later, repeat the full list plus the new name with --expand
certbot certonly --quiet --expand -a webroot --webroot-path=/usr/share/nginx/html \
  -d yourdomain.local \
  -d www.yourdomain.local \
  -d sub2.yourdomain.local \
  -d newsub.yourdomain.local

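# renew manually: Let's Encrypt certificates expire after 90 days, so run this
# before then (certbot only renews certificates that are close to expiry), and
# reload the web server afterwards so it picks up the new files
certbot renew --quiet --no-self-upgrade

# or add to cron to automatically update certs (weekly, Saturday 01:01, as root)
# --deploy-hook runs only after a certificate was actually renewed; without a
# reload the server keeps serving the old certificate until it expires.
# Swap in your own web server's reload command if it is not nginx.
# The grep guard keeps repeated runs from appending duplicate entries.
grep -q 'certbot renew' /etc/crontab ||
  echo '1 1 * * sat root certbot renew --quiet --no-self-upgrade --deploy-hook "nginx -s reload"' >> /etc/crontab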

# certs can be found here
#
# /etc/letsencrypt/live/yourdomain/...
# (this directory also holds the private key, privkey.pem; keep it readable by root only)
#