One of the main problems with SSL adoption is the cost of SSL certificates. Let's Encrypt aims to allow everyone to obtain SSL certificates for free.
They would prefer you to run a script, as root, which will obtain the certificate, and update your webserver config files.
I'm sure it works very well, but that sort of thing makes me a bit twitchy. I prefer to run it in the certonly mode, which doesn't munge config files.

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly --webroot -w /home/domain.tld/site/ -d domain.tld -d www.domain.tld

This will generate a 3 month certificate, and save it in /etc/letsencrypt/live/domain.tld/
If you have a problem with authentication, it might be that you haven't allowed Apache to serve up the small file it adds to $webroot/.well-known/acme-challenge/$randomfile in order to prove that you own the domain.

    <Location /.well-known/acme-challenge>
        Allow From All
        ProxyPass !
    </Location>

You can then set your Apache site config to load the keys from that location.

    <VirtualHost *:443>
        SSLCipherSuite DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
        # chain.pem holds only the intermediate certificates;
        # fullchain.pem would send cert.pem a second time.
        SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem
        ServerName domain.tld
        DocumentRoot /home/domain.tld/site
        ....

Restart/reload Apache, and you should be rocking and rolling, SSL style.
If you want to use name-based virtual hosting on SSL, remember to enable it with

    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off

Set up a cronjob to obtain a new certificate every 2 months (and I'm guessing Apache needs restarting in order to pick up the new certs), and you're golden. Head over to https://www.ssllabs.com/ssltest/ and make sure that your SSL config is decent - you should be aiming for a B at least.
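
The cron job mentioned above could call a script like this one. It is an added example, not part of the original post: it only renews when fewer than 30 days remain (roughly the 2-month schedule on a 3-month certificate) and then reloads Apache. The clone path /path/to/letsencrypt is a placeholder, and it assumes GNU date, apachectl, and that the certonly command from above runs unattended.

```sh
#!/bin/sh
# Added example: renew the certificate only when it is close to expiry.
# Domain and paths are the ones used in the post; CLIENT_DIR is a placeholder.

LIVE=/etc/letsencrypt/live/domain.tld
CLIENT_DIR=/path/to/letsencrypt   # placeholder: where the git clone lives
RENEW_BEFORE_DAYS=30

# Print the certificate's notAfter time as seconds since the epoch.
# Assumes GNU date (for -d).
cert_not_after() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -d "${end#notAfter=}" +%s
}

# Succeed when fewer than $3 whole days remain between now ($2) and expiry ($1).
# An already expired certificate also counts as due.
renewal_due() {
    [ $(( ($1 - $2) / 86400 )) -lt "$3" ]
}

renew() {
    expiry=$(cert_not_after "$LIVE/cert.pem") || return 1
    if ! renewal_due "$expiry" "$(date +%s)" "$RENEW_BEFORE_DAYS"; then
        echo "certificate has at least $RENEW_BEFORE_DAYS days left, nothing to do"
        return 0
    fi
    # Same command as in the post; stop here if it fails so Apache keeps
    # serving the existing certificate.
    ./letsencrypt-auto certonly --webroot -w /home/domain.tld/site/ \
        -d domain.tld -d www.domain.tld || return 1
    # Assumption: a graceful restart is how this host picks up new certs.
    apachectl graceful
}

# Only act when asked to, e.g. from cron: renew-cert.sh --run
if [ "${1:-}" = "--run" ]; then
    cd "$CLIENT_DIR" && renew
fi
```

Run it daily from root's crontab with the --run argument; on most days it exits without contacting Let's Encrypt.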
calum.org isn't currently using Let's Encrypt certificates, but it won't be long.
One thing I'm not sure if they support is internal websites (i.e. intranet style ones) that aren't connected to the public Internet.