Different method to renew certificates that don't include access to the .well-known/acme-challenge directory?


#1

Thanks for any help.
I currently have access to an old web server running nginx on which I created a Let's Encrypt SSL certificate.

I’m attempting to move to a new server within the same domain that is running apache.

The original certificates were installed using a webroot method.
I was able to move the /usr/local/etc/letsencrypt directory from the old server to the new server preserving permissions.

Through a bunch of trial and error, I was able to renew the certificates; however, the renewal process required access to the webroot/.well-known/acme-challenge directory to complete the process.

Is there another method I can use to renew the certificates that doesn’t require write access to this directory?


#2

You can specify a different root for the /.well-known/acme-challenge/ requests.
Then modify the webroot to match.

But from an ACME client view, it will always need to write to the:

You could also change it altogether - like by using DNS authentication.


#3

Question about DNS authentication. Is this type of service available for free? My understanding was that this type of authentication works in general if you’ve bought space on a cloud host such as Amazon/Google/etc. and are running a server on their cloud. You then use the DNS servers on their site, by which you can authenticate your installation.

Perhaps I’m incorrect in my thinking. If you are hosting a website independent of the cloud providers, then DNS authentication wouldn’t really work correctly?


#4

Yes, it’s certainly doable without paying anything.

There’s no requirement to use the same provider for both your DNS hosting and your website hosting. Plenty of websites use completely different providers for each. It’s a good practice.

There are some very good free DNS hosts like Cloudflare and others that you can find in this thread: DNS providers who easily integrate with Let's Encrypt DNS validation


#5

Hi @KevDog

DNS authentication always works, because every DNS provider should allow you to add TXT entries.

So you can create a certificate without having a publicly visible web server. http-01 validation requires something like web space; dns-01 validation does not.
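To make concrete what the two validation methods in posts #2 and #5 actually require the client to publish, here is an added example (not code from Let's Encrypt, certbot, or anyone in this thread). It computes, per RFC 8555, the file an http-01 responder must serve under `/.well-known/acme-challenge/` and the TXT record a dns-01 responder must publish at `_acme-challenge.<domain>`, and checks a simulated DNS answer against the expected value. The account key is the example RSA public key from RFC 7638 section 3.1 (transcribed here, only hashed, never used for signing); the challenge token and the DNS answer are constructed for the example, and the function names are this example's own.

```python
"""What an ACME client must publish for http-01 and dns-01 (RFC 8555 section 8).

Added illustration, not Let's Encrypt or certbot code. Assumptions:
- ACCOUNT_JWK: example RSA public key from RFC 7638 section 3.1 (transcribed);
  it is only hashed here, never used to sign anything.
- TOKEN: a constructed challenge token; a real one is issued by the CA.
"""
import base64
import hashlib
import json

ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aP"
          "FFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl9"
          "3lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdA"
          "ZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3"
          "XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"),
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token value


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    members in lexicographic order, no whitespace in the JSON."""
    required = {"RSA": ("kty", "n", "e"), "EC": ("kty", "crv", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint binds the challenge to the ACME account key, so a
    stranger who can write to the challenge directory still cannot pass it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict) -> tuple:
    """Path under the webroot and the exact body the CA fetches on port 80.
    This is why the webroot method needs write access to that directory."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_expected(domain: str, token: str, jwk: dict) -> tuple:
    """TXT record name and value: base64url(SHA-256(key authorization)).
    No web server is involved; only the DNS zone must be writable."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def dns01_satisfied(published_txt: list, expected_value: str) -> bool:
    """The CA accepts if any TXT value at the name matches exactly; stale
    records from earlier renewals are harmless as long as the new one exists."""
    return any(value == expected_value for value in published_txt)


if __name__ == "__main__":
    path, body = http01_expected(TOKEN, ACCOUNT_JWK)
    print(f"http-01: serve {path!r} with body {body!r}")

    name, value = dns01_expected("example.com", TOKEN, ACCOUNT_JWK)
    print(f"dns-01:  publish TXT {name} = {value!r}")

    # Constructed DNS answer: one stale record from a previous renewal plus the new one.
    answer = ["old-value-from-last-renewal", value]
    print("dns-01 would validate:", dns01_satisfied(answer, value))
```

The thumbprint is the reason a migrated `/usr/local/etc/letsencrypt` directory matters for the original question: the account key in it is what both challenge types are bound to, so it must move with the certificates whichever method is used for renewal.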


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.