Prequisites:
A working unsecured website on port 80
If your server is behind a firewall you will need to open/forward port 443
A publicly accessible FQDN is configured for the site.
Enable ssl on apache;
sudo a2ensite default-ssl.conf
Installing certbot;
sudo apt install certbot python-certbot-apache
Use certbot to create a free certificate;
sudo certbot --apache certonly
Follow the prompts, they are self explanatory.
Note: This will break if the certbot cannot resolve your domain name properly. I have used the --certonly flag to stop certbot from editing apache configs because I prefer to do it myself. Apparently if you drop that flag you can skip the next step.
Once you are done you should have a shiny new certificate in /etc/letsencrypt/live/www.example.com/
Now, if you did not allow certbot to modify your apache configs you will need tell apache to use your new certificate.
Edit the file that contains the virtualhost configuration for your web site. The virtualhost section should look like this;
ServerName www.example.com
ServerAdmin brettg@tuxnetworks.com
DocumentRoot /var/www/html
(...)
Modify it to look like this;
ServerName www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
(...)
Restart your apache server and you should now be able to browse your site using https.
Note: If you want your site to work in both encrypted (SSL) mode as well as unsecured mode then when you are modifying the virtualhost config in apache copy that entire section to the end of the file and make the changes shown above in the new section