



email = info@example.com
agree-tos = true
authenticator = webroot
webroot-path = /etc/letsencrypt/webroot
text = true
renew-by-default = true


<IfModule mod_alias.c>
    Alias /.well-known/acme-challenge /etc/letsencrypt/webroot
</IfModule>
<IfModule mod_proxy.c>
    ProxyPass /.well-known/acme-challenge !
</IfModule>
<Directory /etc/letsencrypt/webroot>
  Require all granted
  Order deny,allow
  Allow from all
  Satisfy any
</Directory>

Make sure to run a2enconf letsencrypt && service apache2 reload after creating this config.

Proxy vHosts and Rewrite

On some proxied vHosts you may have to keep the Alias URL from being proxied (place this line before all other relevant ProxyPass lines):

ProxyPass /.well-known/acme-challenge !

or, if URLs are being rewritten, exclude it (place this line before the RewriteRule that would otherwise apply):

RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*$

Renew Script

Create the text file that the renew script fetches to check whether it can reach the Alias URL:

# Marker file the renew script fetches over HTTPS to confirm the
# acme-challenge alias is actually being served for the domain.
printf '%s\n' 'true' > /etc/letsencrypt/webroot/access.txt

And the renew script itself:


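# Work from the letsencrypt checkout. Abort if the directory is missing
# instead of silently continuing from whatever the current directory was.
cd /opt/letsencrypt || exit 1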

for DOMAIN in $(ls -1 /etc/letsencrypt/live); do 
  ACCESS=$(curl -s -k "https://${DOMAIN}/.well-known/acme-challenge/access.txt")
  if [ ${ACCESS} == "true" ]; then
    echo "Updating certificate for ${DOMAIN}"
    SAN=$(openssl x509 -text -noout -in /etc/letsencrypt/live/${DOMAIN}/cert.pem | grep 'DNS:' | tr -d ' ,' | sed 's/DNS:/ -d /g')
    /opt/letsencrypt/letsencrypt-auto certonly ${SAN}
    echo "Can't access /.well-known on ${DOMAIN}"