Subscribe:   RSS icon   twitter icon

Simple Setup for Let’s Encrypt

Lee Phillips
March 26th, 2022

This article describes a simple way to renew Let’s Encrypt certificates for those who manage a bunch of dynamic websites at different domains from a single Linux server.

The instructions are specific to Apache, but should apply with minor modifications to Nginx.

I’ll assume you have certbot installed and have your certificates in place.

I use the “webroot” method for renewing certificates, rather than the “spin up a webserver” method. The minor annoyance for me was that, as each website has a different URL scheme, a different location for its webroot, etc., and some are not even set up to serve static files, I had to examine each domain’s Apache configuration to figure out what to tell certbot so that it could authenticate the domain and renew its certificate, every time. Below I describe a simple method that unifies the procedure. After a little setup, I no longer have to look at each domain’s configuration or change anything to get its certificate renewed.

How certbot works

The rest of this article assumes you are logged in as root on your server.

To see the list of your certificates and when they expire, say certbot certificates. You will want to renew the ones that are valid for less than 30 days.

To renew the certificate for, use the command:

certbot certonly -d

The script will then offer you two choices. Choose the one that mentions using a webroot, rather than the one that mentions starting up a server.

Next you will see a question asking you the location of the domain’s webroot. This is the filesystem directory from which Apache will serve files when resolving the URL

Suppose you tell certbot that the webroot is /home/alex/. This directory must exist. It will then create the directory


if it doesn’t already exist. It will place a secret file inside that directory, and then confirm that it can reach that secret file by visiting the URL<secret_file>

In this way, certbot confirms that you control the website. If all goes well, you will have a new certificate valid for 90 days. If not, you’ll see a warning in the terminal.

For me, it was annoying that my websites all had different webroots, and that I had to reconfigure some of them so that .../.well-known/... was part of their URL scheme. This can happen in a dynamic website, where your URLs are intercepted by a program that runs procedures based on the URL. It’s less of an inconvenience with static websites, where Apache can directly map URLs to locations in the filesystem.

Here’s how I made it simpler to renew certificates. I’m eccentric and this setup may not be for everyone, but I like it. It makes the renew commands the same for each site, aside from the domain names themselves.

The setup

First, decide on a directory that you will tell certbot is the web­root for every domain. It doesn’t have to be the “real” webroot for any particular domain, but it needs to be accessible to Apache. You can just go with your home directory, in which case you’ll create


(if you are alex. Adjust as desired.)

Put a file in there for testing later. It can be called something like hi.txt and contain some text, such as “hello”. Set up the permissions on the directory and the file so that Apache can serve it.

Next come some additions to the Apache configuration file for each domain. Add the following lines the appropriate VirtualHost block in each configuration file:

Alias /.well-known/ /home/alex/.well-known/
<Directory /home/alex/.well-known/>
   Require all granted

(The Directory syntax changed a few years ago. This will have to be adjusted for Apache versions older than that.)

You need not change anything else. The Alias directive will bypass any (for example) WSGIScriptAlias directives, so this will work for both static and dynamic sites.

Next, restart the webserver. In your browser, navigate to

(or whatever test file you put in there) and you should see its contents. Repeat the check for each of your domains, to make sure. If this test doesn’t work, it’s probably a permissions problem. This must work before you try to renew your certificates.

Renewing your certificates the new, easy way

Now enter the

certbot certonly -d

command to renew, substituting the correct domain name. As before, select the webroot option, but when the script asks you for its location, tell it /home/alex/ (substituting whatever you decided to use).

You can now use this same fake webroot for each of your domains.

Share with Facebook Share with Twitter Share with Reddit Share with Slashdot
▶ Comment is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to
Quotilizer ... loading ...

Tenuously related:

The best tool for CVs with publication lists.