Well, after a few weeks - life interfered - and two more days of Google, trial and error, and frustration, I seem to have a secure web site. Or at least a secure Apache placeholder page.
Or at least an Apache placeholder page that this says is secure, but which Firefox thinks is not due to “mixed content.”
Thank to the authors of the twenty-seven different web pages and how-tos that I have bookmarked for future reference.
I’ll wrap this up with a some specific observations. I’ve worked in a few highly technical situations, including training and supporting end users, and even drafting documentation, so feel I can speak out on this.
This is important stuff, not some half-baked Wordpress plugin that rotates cat pictures. If the certificate is not configured right the consequences can be large and dangerous.
To the vast majority of end users there is no distinction between “LetsEncrypt” and “Certbot.” The LE pages imply that the latter is a function of the former, and any ordinary person will assume that they are one project.
End users don’t need or want to be lectured on the distinction. They just want to make the thing work.
- It’s pretty obvious that LE/CB expect a moderately high level of knowledge, and some specific levels of user access. These things (as has been pointed out) need to be front and centre on the “Get Started” page. (You need This software installed; this level of access to your server; and the skills to do these tasks.)
If the folks behind LE/CB don’t want to support less skilled users they should post a big, nasty warning to scare them off.
- Regardless of who LE/CB wants as end users of their products, there has got be a single source for reliable, authoritative information. In a crunch it should be possible to get most common questions answered on either the LE or CB web sites.
Trolling though dozens of Google results is almost always a recipe for disaster.
What I will suggest, based on a lot of years of different projects that are structurally similar, is this:
Whoever is making decisions at the topmost regions of LetsEncrypt and/or CertBot need to sit down and decide who their intended user base is.
It doesn’t honestly matter whether they want to serve the high priests of server land, or the guy with a five page GoDaddy web site on shared hosting, but it does matter that, having made that decision, they ensure that resources are available to draft the best possible support materials, suitable for the skills and knowledge level of the intended audience.
Until then there’s a strong indication that language like “It’s free, automated, and open” and “automates away the pain and lets site operators turn on and manage HTTPS with simple commands” should be removed because it seems to misrepresent what is being offered.
And one final note. “Well, it worked for me,” is not, and never will be an adequate response to anything.