Requirements:

 o This assumes that acme-tiny is cloned to ~/acme-tiny
 o Furthermore, that there is a ~/acme-challenge directory, and that it is
   aliased in Apache:
   | Alias "/.well-known/acme-challenge" "/srv/letsencrypt/acme-challenge"
 o Also, we want an account key in ~:
     (umask 277 && ! [ -e account.key ] && openssl genrsa 4096 > account.key)
 o And you want the letsencrypt chain file letsencryptauthorityx1.pem in
   ~/certs/extra
 o Optionally, a dh file in ~/certs/extra/dh-4096.pem:
     openssl dhparam -out ~/certs/extra/dh-4096.pem 4096
 o And you want this bin directory in PATH for your letsencrypt role user.

Usage:

 o vhost-step-1 creates a new key, a new CSR, and a .crt file
 o After that, enable your new vhost
 o vhost-step-2 then does the letsencrypt challenge stuff, and updates the
   .crt file

Continued maintenance:

 o Run renew-as-required from cron, probably using chronic.
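
Added example (not one of the scripts this README describes): one way a cron-driven renewal pass can decide whether renewal is required, and keep a failed acme-tiny run from clobbering a working .crt. The function names, the ~/certs/<vhost>.{key,csr,crt} layout, the 30-day window and the "python" interpreter name are assumptions.

```shell
#!/bin/sh
# Added example. Helper names, the ~/certs/<vhost>.{key,csr,crt} layout, the
# 30-day window and the "python" interpreter name are assumptions.

# Exit 0 when $1 is missing, unparseable, or expires within $2 days (default 30).
needs_renewal() {
    crt=$1
    days=${2:-30}
    [ -s "$crt" ] || return 0
    # -checkend exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Move candidate cert $1 over live cert $3 only if it parses, carries the
# public key of private key $2, and is not about to expire.
install_if_valid() {
    new=$1; key=$2; dest=$3
    crt_pub=$(openssl x509 -in "$new" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 1
    needs_renewal "$new" 1 && return 1
    # mv is atomic when $new and $dest are in the same directory
    chmod 644 "$new" && mv -f "$new" "$dest"
}

# One renewal pass for vhost $1, suitable for a cron wrapper.
renew_vhost() {
    name=$1
    dir=${2:-$HOME/certs}
    needs_renewal "$dir/$name.crt" 30 || return 0
    # Never redirect acme-tiny straight onto the live .crt: a failed run
    # would truncate it. Write to a temp file next to it instead.
    tmp=$(mktemp "$dir/$name.crt.XXXXXX") || return 1
    if python "$HOME/acme-tiny/acme_tiny.py" \
            --account-key "$HOME/account.key" \
            --csr "$dir/$name.csr" \
            --acme-dir "$HOME/acme-challenge" > "$tmp" &&
       install_if_valid "$tmp" "$dir/$name.key" "$dir/$name.crt"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

renew_vhost exits non-zero only when a needed renewal fails, so a chronic-wrapped cron job stays quiet otherwise; reloading Apache after a successful install is left to the caller.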