Install: see https://wiki.debian.org/LetsEncrypt
I needed to add
deb http://ftp.debian.org/debian jessie-backports main
to /etc/apt/sources.list.
Then, provided that apache is running and the virtual host works as it currently is:
certbot certonly --webroot -d notes.smuvelious.org
You are prompted for the webroot path and, if everything works, certbot prints:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/notes.smuvelious.org/fullchain.pem. Your cert
will expire on 2017-04-20. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Then fix the configuration so that the certificates are referenced and we force use of SSL.
<VirtualHost *>
    # Redirect any request that did not arrive on port 443 to HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    ServerAdmin roger@disruptive.org.uk
    ServerName notes.smuvelious.org
    ServerAlias notes.smuvelious.org
    DirectoryIndex index.html
    DocumentRoot /home/roger/WEB/notes/
    <Directory /home/roger/WEB/notes/>
        XBitHack on
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/apache2/notes-error.log
    CustomLog /var/log/apache2/notes.log combined
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin roger@disruptive.org.uk
    ServerName notes.smuvelious.org
    ServerAlias notes.smuvelious.org
    DirectoryIndex index.html
    SSLEngine on
    # Certificate, private key and chain written by the certbot run above
    SSLCertificateFile /etc/letsencrypt/archive/notes.smuvelious.org/cert1.pem
    SSLCertificateKeyFile /etc/letsencrypt/archive/notes.smuvelious.org/privkey1.pem
    SSLCertificateChainFile /etc/letsencrypt/archive/notes.smuvelious.org/chain1.pem
    DocumentRoot /home/roger/WEB/notes/
    <Directory /home/roger/WEB/notes/>
        XBitHack on
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/apache2/notes-error.log
    CustomLog /var/log/apache2/notes.log combined
</VirtualHost>
It appears that renewals get done automatically after 60 days.
But… the new certificates will be cert2.pem etc., so the Apache config files need to be updated manually.
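Added example (not part of the original notes): certbot also keeps symlinks in /etc/letsencrypt/live/<domain>/ (cert.pem, privkey.pem, chain.pem) that point at the newest numbered files in archive/, so this script lists the SSLCertificate* directives that pin a numbered archive/ file, marks the ones a renewal has left stale, and shows the live/ path to reference instead. The function names, the example.test domain and the temporary directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# check_pinned CONF LE_ROOT: print one line per SSLCertificate* directive that
# pins a numbered file under LE_ROOT/archive, with the live/ symlink to use.
check_pinned() {
    conf=$1; le=$2
    grep -E '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$conf" |
    while read -r directive path; do
        case $path in
            "$le"/archive/*) ;;      # pinned to a numbered file
            *) continue ;;           # already uses live/ or another path
        esac
        domain=$(basename "$(dirname "$path")")
        # cert1.pem -> cert.pem, privkey12.pem -> privkey.pem
        name=$(basename "$path" | sed -E 's/[0-9]+\.pem$/.pem/')
        live="$le/live/$domain/$name"
        if [ "$(readlink -f "$live")" = "$(readlink -f "$path")" ]; then
            state=current
        else
            state=STALE
        fi
        echo "$directive $path -> $live ($state)"
    done
}

# make_demo: build a constructed tree as it looks after one renewal
# (files numbered 1 and 2, live/ symlinks pointing at 2) plus a sample vhost.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/le/archive/example.test" "$d/le/live/example.test"
    for n in cert privkey chain; do
        : > "$d/le/archive/example.test/${n}1.pem"
        : > "$d/le/archive/example.test/${n}2.pem"
        ln -s "../../archive/example.test/${n}2.pem" "$d/le/live/example.test/$n.pem"
    done
    cat > "$d/vhost.conf" <<EOF
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile $d/le/archive/example.test/cert1.pem
SSLCertificateKeyFile $d/le/archive/example.test/privkey2.pem
SSLCertificateChainFile $d/le/live/example.test/chain.pem
</VirtualHost>
EOF
    echo "$d"
}

demo=$(make_demo)
check_pinned "$demo/vhost.conf" "$demo/le"
rm -rf "$demo"
```

Against a real installation, run check_pinned as root with the vhost file and /etc/letsencrypt as arguments, since the live/ and archive/ directories are not readable by other users.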