GreenCom Let's Encrypt free SSL certificate for website

1. https://www.greencom.com.tw

Renew SSL certificate

# /usr/share/letsencrypt/letsencrypt-auto renew

Install

# yum install gcc libffi-devel python-devel openssl-devel git

On Debian/Ubuntu the same packages are named differently and are installed with apt-get:

# apt-get install gcc libffi-dev python-dev git

# cd /usr/share

# git clone https://github.com/letsencrypt/letsencrypt letsencrypt

# cd /usr/share/letsencrypt

# ./letsencrypt-auto --apache -d greencom.com.tw -d www.greencom.com.tw

# service httpd restart

# /etc/httpd/sites-available/www.greencom.com.tw.conf

NameVirtualHost 59.125.229.2:80

# Virtual host greencom.com.tw
<VirtualHost 59.125.229.2:80>
        ServerAdmin root@greencom.com.tw
        DocumentRoot /gcroot/www/zp_fortune
        ServerName www.greencom.com.tw
        ServerAlias greencom.com.tw
        Redirect 301 / https://www.greencom.com.tw/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 59.125.229.2:443>
        ServerAdmin root@greencom.com.tw
        DocumentRoot /gcroot/www/zp_fortune
        ServerName www.greencom.com.tw
        ServerAlias greencom.com.tw
        # Send the bare domain to www without leaving HTTPS
        # (an http:// target here would bounce through the port-80 vhost first)
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^greencom\.com\.tw$ [NC]
        RewriteRule ^/?(.*)$ https://www.greencom.com.tw/$1 [R=301,L]
        ServerSignature email
        DirectoryIndex index.php index.html index.htm index.shtml
        ErrorLog logs/gctwww_error_log
        CustomLog logs/gct_www_access_log combined
        CustomLog /dev/null common
        # Certificate, private key and chain issued by Let's Encrypt
        SSLCertificateFile /etc/letsencrypt/live/greencom.com.tw/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/greencom.com.tw/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/greencom.com.tw/chain.pem
</VirtualHost>
</IfModule>

Note: if /etc/httpd/conf.d/ssl.conf already references a certificate previously obtained with openssl, change it there to the Let's Encrypt certificate.

[root@greencom letsencrypt]# ./letsencrypt-auto --apache -d greencom.com.tw -d www.greencom.com.tw
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/greencom.com.tw.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for greencom.com.tw
tls-sni-01 challenge for www.greencom.com.tw
Waiting for verification...
Cleaning up challenges
Deploying Certificate for greencom.com.tw to VirtualHost /etc/httpd/sites-enabled/www.greencom.com.tw-le-ssl.conf
Deploying Certificate for www.greencom.com.tw to VirtualHost /etc/httpd/sites-enabled/www.greencom.com.tw-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://greencom.com.tw and
https://www.greencom.com.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=greencom.com.tw
https://www.ssllabs.com/ssltest/analyze.html?d=www.greencom.com.tw
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/greencom.com.tw/fullchain.pem. Your cert will
   expire on 2017-10-16. To obtain a new or tweaked version of this
   certificate in the future, simply run letsencrypt-auto again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
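
A check to run after a renewal like the one above, as an added example that is not part of the original notes: it confirms that cert.pem is not close to expiry, that privkey.pem belongs to it, and that every expected host name is in the certificate. The function names and the example.test demo certificate are assumptions made for this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: post-renewal checks on a Let's Encrypt "live" directory.
# Needs the openssl CLI; function names are this example's own.

# 0 if the certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if private key $2 belongs to certificate $1 (identical public key).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if host name $2 is listed as a DNS subjectAltName in certificate $1.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# check_live DIR DAYS NAME...  prints "ok" or the first failed check.
check_live() {
    dir=$1; days=$2; shift 2
    cert_valid_for_days "$dir/cert.pem" "$days" ||
        { echo "expires within $days days"; return 1; }
    cert_matches_key "$dir/cert.pem" "$dir/privkey.pem" ||
        { echo "key mismatch"; return 1; }
    for n in "$@"; do
        cert_covers_name "$dir/cert.pem" "$n" ||
            { echo "missing name $n"; return 1; }
    done
    echo "ok"
}

# Constructed input: a throwaway self-signed certificate valid for 20 days,
# standing in for /etc/letsencrypt/live/<domain>/ (names are made up).
make_demo_live() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
        -keyout "$d/privkey.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    echo "$d"
}

demo=$(make_demo_live) || exit 1
check_live "$demo" 7 example.test www.example.test   # prints: ok
check_live "$demo" 30 example.test || true           # prints: expires within 30 days
rm -rf "$demo"
```

On the server the call would be check_live /etc/letsencrypt/live/greencom.com.tw 30 greencom.com.tw www.greencom.com.tw, run as root because privkey.pem is readable only by root.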
 

Certificate for just a subdomain

Yes indeed, just request the certificate for the subdomain you want. So if you want a cert for only secure.mydomain.com then just request that one certificate. When you need a cert for another subdomain private.mydomain.com at a later date then request it when needed. My root domain spans across 4 Ubuntu servers, some run mail, some run web sites and each server has its own certbot installation and its own subdomain level certs. So I request those certs as follows:

sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 -m dnsadmin@mydomain.com -d secure.mydomain.com --renew-by-default
