
Let's Encrypt SSL

Apache

Set up the following directory structure (look at the others there as an example):

$ sudo tree -a /var/www/well-known
/var/www/well-known
+-- example.com
|   \-- .well-known -> .
\-- www.example.com -> example.com

For your regular HTTP (non-SSL) site, add the following to its <VirtualHost/> block:

Include /etc/apache2/conf-available/well-known.conf

Now reload Apache for your configuration to take effect.

Finally run:

sudo certbot certonly --webroot -w /var/www/well-known/example.com -d example.com -d www.example.com

N.B. you can append many more sub-domains to that command if you want to cover multiple domains with the same certificate.
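To sanity-check the symlink layout above before running certbot, here is an added shell example (not from this wiki page): it builds the same layout in a scratch directory and verifies that a token written where certbot's webroot plugin puts it (<webroot>/.well-known/acme-challenge/) is reachable under every hostname's directory. The token and hostnames used are constructed, and the scratch base directory stands in for /var/www/well-known.

```shell
#!/bin/sh
# Added example: reproduces the page's webroot layout and checks that the
# ".well-known -> ." and "www -> example.com" symlinks really make one
# challenge file visible under every hostname. Base dir is an assumption.

# build_webroot BASE PRIMARY [ALIAS...]
# Creates BASE/PRIMARY with the ".well-known -> ." self-symlink and one
# "ALIAS -> PRIMARY" symlink per extra hostname, exactly as the tree shows.
build_webroot() {
  base=$1; primary=$2; shift 2
  mkdir -p "$base/$primary" || return 1
  [ -e "$base/$primary/.well-known" ] || ln -s . "$base/$primary/.well-known"
  for name in "$@"; do
    [ -e "$base/$name" ] || ln -s "$primary" "$base/$name"
  done
}

# check_webroot BASE TOKEN HOST...
# Writes TOKEN the way certbot's webroot plugin does, relative to the -w
# directory (BASE/<first host>), then confirms that each HOST's
# /.well-known/acme-challenge/TOKEN path resolves to the same content.
# Returns 0 when every host is served, 1 otherwise (failing hosts on stderr).
check_webroot() {
  base=$1; token=$2; shift 2
  webroot="$base/$1"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # constructed key-authorization body; the real one comes from certbot
  printf '%s.constructed-key-authz\n' "$token" > "$dir/$token"
  expected=$(cat "$dir/$token")
  rc=0
  for host in "$@"; do
    f="$base/$host/.well-known/acme-challenge/$token"
    if [ ! -r "$f" ] || [ "$(cat "$f")" != "$expected" ]; then
      echo "challenge for $host NOT reachable at $f" >&2
      rc=1
    fi
  done
  return $rc
}
```

A host that has no symlink in the base directory (for example a new sub-domain you forgot to link before adding it with -d) is reported as unreachable, which is the failure certbot would otherwise surface only as a failed http-01 validation.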

Now go back to the <VirtualHost/> block for your domain and make its opening line look like:

<VirtualHost *:80 *:443>

Now add the following lines inside the block itself:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Finally, do one last reload and you should have a secure site (with your non-secure site redirecting to the secure one).

Standalone (non-HTTP)

This is simply a case of running:

sudo certbot certonly --standalone --standalone-supported-challenges http-01 -d marmot.wormnet.eu -d imap.wormnet.eu -d smtp.wormnet.eu

You will need to shut down any webserver listening on 80/tcp or 443/tcp first. N.B. on marmot, sslh is listening on 443; it is OK to shut down apache2 only.

Then you can tie in the certs at:

  • /etc/exim4/exim4.conf.template: tls_certificate and tls_privatekey
  • /etc/imapd.conf: tls_cert_file and tls_key_file
  • /etc/imapd-http.conf: tls_cert_file and tls_key_file
ssl.txt · Last modified: 2017/10/26 19:59 by mb