Specifically, these instructions suit the Bitnami Debian (Jessie) image, at 2017-07-10.
There are conflicting instructions, eg to install python-certbot-apache from jessie-backports repository. Unfortunately, the repository has a version of python-certbot-apache whose dependencies in the repo are totally broken.
So it’s necessary to get certbot from git & use the certbot-auto script to download dependencies.
Login to your server via ssh and:
#cd /tmp #git clone https://github.com/certbot/certbot #cd certbot/ #./certbot-auto
You’ll get this:
Failed to find executable apache2ctl in PATH: /opt/bitnami/varnish/bin: /opt/bitnami/sqlite/bin:/opt/bitnami/php/bin:/opt/bitnami/mysql/bin: /opt/bitnami/apache2/bin:/opt/bitnami/common/bin:/opt/bitnami/varnish/bin: /opt/bitnami/sqlite/bin:/opt/bitnami/php/bin:/opt/bitnami/mysql/bin: /opt/bitnami/apache2/bin:/opt/bitnami/common/bin:/usr/local/sbin: /usr/local/bin:/usr/sbin:/usr/bin: /sbin:/bin:/snap/bin Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
So then it’s up to you to do as suggested. For example, to get a certificate for the Homunculoid website I did:
./certbot-auto certonly --webroot -w /var/www/html/ -d homunculoid.com
Enter your email address, and with luck, success:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/homunculoid.com/fullchain.pem. Your cert will expire on 2017-10-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
The final step is to install the certificates into Apache & restart the server:
cd /opt/bitnami/apache2/conf rm server.crt server.key ln -s /etc/letsencrypt/live/homunculoid.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt ln -s /etc/letsencrypt/live/homunculoid.com/privkey.pem /opt/bitnami/apache2/conf/server.key /opt/bitnami/ctlscript.sh restart apache
The LetsEncrypt certs need to be renewed every 90 days, which is a nuisance. Fortunately, to renew the certs only requires:
#cd /tmp/certbot/ #./certbot-auto #or, if it does not find your webroot: #certbot-auto certonly --webroot -w /var/www/html/ -d homunculoid.com
Since the certbot is needed on an ongoing basis, you should probably also move /tmp/certbot to /usr/local/ or somewhere a little more permanent than /tmp.