HTTPS using Let's Encrypt
After only a few months of life, as of March 2016, I have reconfigured this site to use HTTPS using the relatively new Let's Encrypt free certificate service. Certus Technology is looking to encrypt all its web sites, both public and internal, and we are experimenting with the Let's Encrypt service. A few points have come out of this experiment.
- The Let's Encrypt client installs way more packages than expected.
- The client works satisfactorily on both Debian Jessie and Debian Wheezy.
- The client expects an Apache config file to be in place with the options I have been using, which is a bit of a barrier to automation: there is a chicken-and-egg problem between the Apache virtual host file and the HTTPS certificate, since the HTTPS vhost references certificate files that do not exist until the client has issued them. We have yet to fully automate a deployment from a Puppet manifest.
- The root certificate that Let's Encrypt certificates chain to (IdenTrust's DST Root CA X3, by way of a cross-signed intermediate) is trusted by all the major browsers, but it is not in the Oracle JDK's cacerts trust store, so extra work is needed before Java, and say Apache HttpClient, will talk to sites secured with Let's Encrypt certificates.
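One way around the chicken-and-egg problem is to issue the certificate with the client's webroot authenticator against a plain HTTP vhost first, and only then enable the HTTPS vhost. The configuration below is an added example, not Certus Technology's configuration; it assumes Apache 2.4 (Debian Jessie), the site name example.com and a DocumentRoot of /var/www/example.com.

```apache
# Stage 1: deploy this HTTP vhost on its own. It serves the ACME HTTP-01
# challenge directory and sends everything else to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    # The client writes challenge tokens under this directory when run as
    #   letsencrypt certonly --webroot -w /var/www/example.com -d example.com
    <Directory /var/www/example.com/.well-known/acme-challenge>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Stage 2: enable this vhost only once /etc/letsencrypt/live/example.com/
# exists; Apache refuses to start when the referenced files are missing.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

Because stage 1 never mentions the certificate, a configuration manager can ship it, run the client, and then ship stage 2, with no manual step in between. On Wheezy's Apache 2.2 the same split applies, but 2.2 does not read the chain from SSLCertificateFile: use cert.pem there plus SSLCertificateChainFile pointing at chain.pem, and the 2.2 Order/Allow access syntax instead of Require.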
We have added the Let's Encrypt certificates into a JDK thus:

cd ${JAVA_HOME}
keytool -trustcacerts -keystore jre/lib/security/cacerts -storepass changeit -noprompt -importcert \
    -file /etc/letsencrypt/live/<site name>/chain.pem

Two things to watch with this command. First, chain.pem holds the Let's Encrypt intermediate rather than the root, so the JDK ends up trusting that intermediate directly and the import has to be repeated whenever Let's Encrypt moves to a new intermediate; importing the IdenTrust root it chains to survives such changes, and later JDK 8 updates ship that root in cacerts anyway, so check with keytool -list -keystore jre/lib/security/cacerts -storepass changeit before importing. Second, keytool stores the certificate under the default alias mykey when no -alias is given, so a second import into the same store fails with "alias <mykey> already exists"; give each import its own -alias.
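The script below is an added example, not the command from the post: it splits a chain.pem into its individual certificates, imports each one under its own alias so that repeated or multi-certificate imports do not collide on keytool's default alias, and then lists what was added. It assumes the JDK 8 layout (jre/lib/security/cacerts), the default store password changeit, and that JAVA_HOME points at the JDK to patch; the chain path on the usage line is a placeholder.

```sh
#!/bin/sh
# Added example (not the post's command): import every certificate in a
# Let's Encrypt chain.pem into a JDK cacerts under its own alias, then verify.
# Assumptions: JDK 8 layout (jre/lib/security/cacerts), default store
# password "changeit", JAVA_HOME set to the JDK being patched.
set -eu

# split_chain FILE DIR
#   Copies each PEM certificate block in FILE to DIR/cert-N.pem and prints
#   the number of blocks found, so the caller can import each one separately.
#   chain.pem holds only the intermediate(s), never the end-entity certificate.
split_chain() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0                          { print > out }
        /^-----END CERTIFICATE-----/   { close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# import_chain CHAIN CACERTS STOREPASS
#   keytool -importcert defaults to the alias "mykey", so importing a second
#   certificate without -alias fails with "alias <mykey> already exists".
#   Each block is stored as letsencrypt-chain-N instead.
import_chain() {
    chain=$1 cacerts=$2 storepass=$3
    dir=$(mktemp -d)
    count=$(split_chain "$chain" "$dir")
    [ "$count" -gt 0 ] || { echo "no certificates found in $chain" >&2; return 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -trustcacerts -noprompt \
            -keystore "$cacerts" -storepass "$storepass" \
            -alias "letsencrypt-chain-$i" -file "$dir/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$dir"
    # Verify: show the aliases just added (keytool lowercases aliases) with
    # their fingerprints. grep fails, and so does the function, if none exist.
    keytool -list -keystore "$cacerts" -storepass "$storepass" | grep '^letsencrypt-chain-'
}

# Usage: sh import-le-chain.sh /etc/letsencrypt/live/example.com/chain.pem
if [ $# -gt 0 ]; then
    import_chain "$1" \
        "${JAVA_HOME:?set JAVA_HOME to the JDK to patch}/jre/lib/security/cacerts" \
        "${STOREPASS:-changeit}"
fi
```

Run it once per JDK installation; because the aliases are fixed, rerunning after an intermediate change requires deleting the old entries first (keytool -delete -alias letsencrypt-chain-1 ...), which is also a useful reminder that trusting the intermediate rather than the root ties the trust store to Let's Encrypt's current issuing certificate.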