Simple Setup for Let’s Encrypt
This article describes a simple way to renew Let’s Encrypt certificates for those who manage a bunch of dynamic websites at different domains from a single Linux server.
The instructions are specific to Apache, but should apply with minor modifications to Nginx.
I’ll assume you have certbot installed and have your certificates in place.
I use the “webroot” method for renewing certificates, rather than the “spin up a webserver” method. The minor annoyance for me was that, as each website has a different URL scheme, a different location for its webroot, etc., and some are not even set up to serve static files, I had to examine each domain’s Apache configuration every time to figure out what to tell certbot so that it could authenticate the domain and renew its certificate. Below I describe a simple method that unifies the procedure. After a little setup, I no longer have to look at each domain’s configuration or change anything to get its certificate renewed.
How certbot works
The rest of this article assumes you are logged in as root on your server.
To see the list of your certificates and when they expire, say certbot certificates. You will want to renew the ones that are valid for less than 30 days.
To renew the certificate for example.com, use the command:
certbot certonly -d example.com
The script will then offer you two choices. Choose the one that mentions using a webroot, rather than the one that mentions starting up a server.
Next you will see a question asking you the location of the domain’s webroot. This is the filesystem directory from which Apache will serve files when resolving the URL https://example.com/.
Suppose you tell certbot that the webroot is /home/alex/. This directory must exist. It will then create the directory
/home/alex/.well-known/acme-challenge/
if it doesn’t already exist. It will place a secret file inside that directory, and then confirm that it can reach that secret file by visiting the URL
https://example.com/.well-known/acme-challenge/<secret_file>
In this way, certbot confirms that you control the website. If all goes well, you will have a new certificate valid for 90 days. If not, you’ll see a warning in the terminal.
For me, it was annoying that my websites all had different webroots, and that I had to reconfigure some of them so that .../.well-known/... was part of their URL scheme. This can happen in a dynamic website, where your URLs are intercepted by a program that runs procedures based on the URL. It’s less of an inconvenience with static websites, where Apache can directly map URLs to locations in the filesystem.
Here’s how I made it simpler to renew certificates. I’m eccentric and this setup may not be for everyone, but I like it. It makes the renew commands the same for each site, aside from the domain names themselves.
The setup
First, decide on a directory that you will tell certbot is the webroot for every domain. It doesn’t have to be the “real” webroot for any particular domain, but it needs to be accessible to Apache. You can just go with your home directory, in which case you’ll create
/home/alex/.well-known/acme-challenge/
(if your username is alex; adjust as desired).
Put a file in there for testing later. It can be called something like hi.txt and contain some text, such as “hello”. Set up the permissions on the directory and the file so that Apache can serve it.
Next come some additions to the Apache configuration file for each domain. Add the following lines to the appropriate VirtualHost block in each configuration file:
Alias /.well-known/ /home/alex/.well-known/
<Directory /home/alex/.well-known/>
    Require all granted
</Directory>
(The Directory syntax changed a few years ago. This will have to be adjusted for Apache versions older than that.)
You need not change anything else. The Alias directive will bypass any (for example) WSGIScriptAlias directives, so this will work for both static and dynamic sites.
Next, restart the webserver. In your browser, navigate to
https://example.com/.well-known/acme-challenge/hi.txt
(or whatever test file you put in there) and you should see its contents. Repeat the check for each of your domains, to make sure. If this test doesn’t work, it’s probably a permissions problem. This must work before you try to renew your certificates.
Renewing your certificates the new, easy way
Now enter the command
certbot certonly -d example.com
to renew, substituting the correct domain name. As before, select the webroot option, but when the script asks you for its location, tell it /home/alex/ (substituting whatever you decided to use).
You can now use this same fake webroot for each of your domains.
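The reachability test from the setup section and the renewal step above, combined into one script as an added example that is not part of the original article. It assumes the shared webroot and Alias described above, and certbot’s --webroot, -w and -d flags (the non-interactive equivalent of answering the prompts); the fetcher is injectable so the check can be exercised without a live server.

```python
"""Pre-flight check for the shared-webroot scheme, then renewal.

For each domain, drop a random token into the single
.well-known/acme-challenge/ directory, fetch it back over HTTPS through
that domain, and only call certbot if the bytes match. This catches a
missing Alias, a wrong Directory stanza or a permissions problem before
certbot performs the real Let's Encrypt validation."""
import os
import secrets
import subprocess
import urllib.request
from pathlib import Path

ACME_PATH = ".well-known/acme-challenge"


def https_fetch(url: str) -> bytes:
    """Default fetcher: plain HTTPS GET; raises on non-2xx or TLS errors."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def verify_domain(domain: str, webroot: str, fetch=https_fetch) -> bool:
    """Write a throwaway token under webroot and confirm the same bytes
    come back from https://<domain>/.well-known/acme-challenge/<token>.
    The Alias exposes everything under .well-known/, so the token is
    always removed afterwards and nothing else should live there."""
    challenge_dir = Path(webroot) / ACME_PATH
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(16)
    body = secrets.token_bytes(32)
    token_file = challenge_dir / token
    try:
        token_file.write_bytes(body)
        os.chmod(token_file, 0o644)  # Apache must be able to read it
        return fetch(f"https://{domain}/{ACME_PATH}/{token}") == body
    except Exception:
        return False  # 404, TLS error, timeout: all mean "do not renew yet"
    finally:
        token_file.unlink(missing_ok=True)


def certbot_command(domain: str, webroot: str) -> list:
    """Non-interactive form of the webroot prompts for one domain."""
    return ["certbot", "certonly", "--webroot", "-w", webroot, "-d", domain]


def renew_all(domains, webroot, fetch=https_fetch, run=subprocess.run) -> dict:
    """Verify each domain and renew only those that pass; returns domain -> status."""
    results = {}
    for domain in domains:
        if not verify_domain(domain, webroot, fetch):
            results[domain] = "skipped: challenge path not reachable"
            continue
        proc = run(certbot_command(domain, webroot))
        results[domain] = "renewed" if proc.returncode == 0 else "certbot failed"
    return results


if __name__ == "__main__":
    print(renew_all(["example.com"], "/home/alex"))  # constructed sample input
```

Run it as root with your own domain list and shared webroot; a "skipped" entry means the Alias or permissions for that VirtualHost need fixing before certbot will succeed.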