https://letsencrypt.org/ offers free, browser-trusted SSL certificates valid for 90 days, signed just like a paid certificate from any other CA, with the option to create multi-domain certificates if you control all of the domains. (This site uses a Let's Encrypt certificate.)
Because each certificate is valid for only 90 days, it is important to script the authorization and renewal rather than doing it by hand.
1. If the certbot command is not available in your package manager, install the certbot-auto command locally and use it instead.

```
# cd /usr/local/sbin
# wget https://dl.eff.org/certbot-auto
# chmod +x certbot-auto
# ./certbot-auto --help
```

certbot-auto may print this pip warning while installing its dependencies:

```
The directory '/home/ian/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
```
2. Add a weekly script to perform the renewals. The random sleep spreads renewal requests over half an hour instead of hitting the CA at the same minute every week.

```
# echo '#!/bin/bash
sleep $(( $RANDOM % 1800 ))
logger "Start: $0"
' >> /etc/cron.weekly/letsencrypt-renew
# chmod u+x /etc/cron.weekly/letsencrypt-renew
```
3. Run a manual certificate authorization/installation. certbot is able to modify the apache config itself, but my configuration was too complicated for that, so I modify the apache config manually in a later step. The webroot method writes the ACME challenge file under /var/www/.well-known/acme-challenge/, so that path must be served over plain HTTP for every domain listed.

```
/usr/local/sbin/certbot-auto certonly --webroot --webroot-path /var/www -d braindump.ca -d www.braindump.ca -d braindump.mrzesty.net
```

Confirm that the issued certificate covers all of the requested names:

```
openssl x509 -text -in /etc/letsencrypt/live/braindump.ca/cert.pem | grep -A1 Alternative
            X509v3 Subject Alternative Name:
                DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca
```
4. Add the renewal command to the weekly script. The deploy hook reloads apache only when a certificate was actually renewed, so the new certificate is picked up without a manual restart.

```
echo '/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2"' >> /etc/cron.weekly/letsencrypt-renew
```

During authorization and renewal the Let's Encrypt validation server fetches the challenge file from the webroot, which shows up in the apache access log:

```
66.133.109.36 - - [20/Dec/2015:12:27:57 -0500] "GET /.well-known/acme-challenge/j8DDJgtt26GzSSOZ5DuQGQtVuKj9ZyqJohVbP-YS1cc HTTP/1.1" 200 298 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
```
5. Manually configure apache to redirect non-SSL requests to the new VirtualHost where SSL is enabled. The RewriteCond excludes /.well-known/ from the redirect so that the HTTP-01 challenge can still be fetched over plain HTTP at renewal time.

```apache
<VirtualHost *:80>
    ServerName braindump.ca
    ServerAlias www.braindump.ca braindump.mrzesty.net
    DocumentRoot /var/www/
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !/.well-known/.*
    RewriteRule (.*) https://%{HTTP_HOST}$1 [R]
</VirtualHost>

<VirtualHost *:443>
    ...
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/braindump.ca/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/braindump.ca/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/braindump.ca/privkey.pem
</VirtualHost>
```
6. You can repeat steps 5-6 for any additional SSL certificates for other public sites on the server.

The finished /etc/cron.weekly/letsencrypt-renew:

```
#!/bin/bash
sleep $(( $RANDOM % 1800 ))
logger "Start: $0"
/usr/local/sbin/certbot-auto renew --deploy-hook "systemctl reload apache2"
logger "End: $0"
```
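A weekly cron job can fail quietly (a typo in the script, a webroot that no longer serves /.well-known/, a domain that moved), and with 90-day certificates the first sign is often an expired site. The script below is an added example, not part of the original post, that turns the manual openssl SAN check from step 3 into something you can run from cron or a monitoring system: it verifies that the certificate still lists every expected name and that it is not within WARN_DAYS of expiry. It assumes openssl and GNU date are installed; the certificate path and domain names are the ones used above, and the epoch argument to days_until_expiry exists only so the calculation can be tested with a fixed "now".

```shell
#!/bin/sh
# Added example: check a Let's Encrypt certificate's SAN list and remaining
# lifetime so a silently failing renewal is noticed before expiry.
# Assumes: openssl on PATH, GNU date (for `date -d`). Not from the original post.

# Days between "now" and a notAfter string as printed by `openssl x509 -enddate`,
# e.g. "notAfter=Mar 19 12:27:57 2016 GMT". Second arg overrides "now" (epoch).
days_until_expiry() {
    enddate="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    exp=$(date -u -d "$enddate" +%s)
    echo $(( (exp - now) / 86400 ))
}

# Reads `openssl x509 -text` output on stdin; succeeds only if every name given
# as an argument appears as a DNS: entry in the Subject Alternative Name line.
check_san() {
    san=$(grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
    missing=0
    for name in "$@"; do
        case ",$san," in
            *",DNS:$name,"*) ;;
            *) echo "missing SAN: $name" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# Full check of a certificate file: SAN coverage plus expiry threshold.
# Logs via logger (same channel the renewal script uses) and returns non-zero
# on any problem, so it can be wired into cron mail or a monitoring check.
check_cert() {
    cert="$1"; shift
    warn_days="${WARN_DAYS:-30}"
    openssl x509 -noout -text -in "$cert" | check_san "$@" || {
        logger -s "$cert does not cover all expected names"
        return 1
    }
    days=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$cert")")
    if [ "$days" -lt "$warn_days" ]; then
        logger -s "$cert expires in $days days; check /etc/cron.weekly/letsencrypt-renew"
        return 1
    fi
    echo "$cert OK: $days days left, covers: $*"
}

# Constructed sample of the SAN section from step 3, used for the offline demo.
SAMPLE_SAN='            X509v3 Subject Alternative Name:
                DNS:www.braindump.ca, DNS:braindump.mrzesty.net, DNS:braindump.ca'

# Offline demo against the constructed sample; real use passes a cert path:
#   WARN_DAYS=30 ./check-cert.sh /etc/letsencrypt/live/braindump.ca/cert.pem braindump.ca www.braindump.ca braindump.mrzesty.net
demo() {
    printf '%s\n' "$SAMPLE_SAN" | check_san braindump.ca www.braindump.ca braindump.mrzesty.net
}

if [ $# -gt 0 ]; then
    check_cert "$@"
fi
```

Run it from a second cron entry a day or two after the renewal job, or point a monitoring check at its exit status; a non-zero result means the weekly renewal needs attention well before the 90 days run out.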