Letsencrypt

Webroot

/etc/apache2/vhosts.d/subdomain.example.com

[...]
    SSLEngine On
    SSLCertificateFile /etc/ssl/apache2/subdomain.example.com/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/ssl/apache2/subdomain.example.com/subdomain.example.com.key

    # SSL security configuration
    Include /etc/apache2/vhosts.d/ssl_security.include

</VirtualHost>

/etc/apache2/vhosts.d/ssl_security.include

# Forward Secrecy
# Source: https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# OCSP stapling
SSLUseStapling on

# Strict Transport Security (HSTS)
# 180 days
Header always set Strict-Transport-Security "max-age=15552000"

# Let's Encrypt (webroot)
<IfModule mod_headers.c>
  <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "application/jose+json"
  </LocationMatch>
</IfModule>

cronjob (first day every month at 12:00AM)

/etc/cron.d/letsencrypt

MAILTO="mail@example.com"
0 0 1 * *
letsencrypt certonly --webroot -w /var/www/subdomain.example.com/htdocs -d subdomain.example.com --renew-by-default