How to use LE on devices that cannot run webservers

Ok after reading the documentation, as well as doing a test installation on a Linux server. I am unable to generate a certificate. The problem being, I am trying to create a certificate for an F5 virtual server that I cannot run a webserver on. I also do not have access to my company’s DNS server.

Other forum topics state you can run LE on a linux server and then import the cert to whatever device you need. However there is no documentation on how to do this. I am running into the issue where my web address is being challenged, but since it doesn’t have a webserver and cannot run LE, how do I do find the challenge file after I have created the CSR on my linux machine? I think I need to then place the challenge file in my domain I am trying to validate… I think.

This seems to be a common problem, by really no comprehensive answer for. Can someone help?

Here are the instructions - but if you can’t modify DNS you will probably have some trouble.

Currently you simply need some kind of way of providing a file on port 80 or a special certificate on port 443 via TLS SNI on the host your domain resolves to, there’s no way around it. In the hopefully not too distant future another validation method will be creating a TXT DNS record inside your zone.

If you can provide none of this, it’s unlikely that you’ll ever be able to use Let’s Encrypt, sorry.

1 Like

Ok I think I understand. But how do you get the challenge file from the Linux box to my webserver. I mean, where is this file located? I see the request being made to the webserver looking for the challenge file, but the linux LE client never told it had generated this challenge file…

Have a look at the webroot mode, the standalone mode or the manual mode. They allow you to specify the document root, run its own server or instruct you on what to put where respectively.

ok let me take a look

ok I am looking through lets encrypt installation directory on my linux machine. But I don’t know what I need to host in:

What is the challenge file? Where is it located in the linux machine. I am following the Standard and/or manual method. I don’t think webroot will work for me as I am not running an apache server with the website hosted on my linux machine. My linux machine is not hosting the website, it is hosted on an iis server. My understanding is the IIS server just needs to have whatever the challenge file is in the /.well-known/acme-challenge/ path

Yes that’s right. I never ran it myself but I would expect the manual mode to tell the name and the content of the file you should create. It’s not static but returned by the server as you request authorization for a domain.

I believe manual mode gives you commands to start a standalone server. The contents to place in the directory are likely in the command. I’ve not tried the manual method yet, so I’m just going on what I’ve seen.

When I try to run manual mode I receive this in the linux console:

Command: ./letsencrypt-auto certonly --manual

Updating letsencrypt and virtual environment

Running with virtualenv:
/root/.local/share/letsencrypt/bin/letsencrypt --manual

Too many flags setting
configurators/installers/authenticators ‘standalone’ -> ‘manual’

Am I missing something, because the only thing the User manual says to do is run this command and everything should work. There is no other “official” documentation in the User Manual…

Reinstalling and trying again…

I just issued a manual certificate, here’s the command and what it looks like:

~/letsencrypt(branch:master) » ./letsencrypt-auto certonly \
\   -a manual \
\   -d mydomainhere \
\   --server
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/username/.local/share/letsencrypt/bin/letsencrypt certonly -a manual -d mydomainhere --server
[sudo] password for username:

Make sure your web server displays the following content at
http://mydomainhere/.well-known/acme-challenge/Nmx4bh80ug0hE2RNHGwiU8DGCqyDk8JL425sajwOJY4 before continuing:


If you don't have HTTP server configured, you can run the following
command on the target server (as root):

 **Curses screen with notice about recording IP removed**

Press ENTER to continue

 - Congratulations! Your certificate and chain have been saved at
1 Like

Ok we have it, let might write a short guide:

After installing Git and Let’s Encrypt:

In Dirextory: ~/src/letsencrypt# Command: ./letsencrypt-auto certonly --manual --text

(we specified --text to get rid of the blue screen stuff)

The output we recieved is:

Please enter in your domain name(s) (comma and/or space
separated) (Enter 'c’to cancel):

Are you OK with your IP being logged? Yes


Make sure your web server displays the following content at
before continuing:

If you are doing a manual installation and running a webserver somewhere else, like in IIS:
Then you will make a copy of the on-screen instructions and opened a 2nd console window and do the following:

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html

printf “%s” (whatever our challenge code was)

$(command -v python2 || command -v python2.7 || command -v
python2.6) -c
“import BaseHTTPServer, SimpleHTTPServer;
s = BaseHTTPServer.HTTPServer((’’, 80),

BEFORE PRESSING ENTER: We had opened WinSCP and had to manually enter the path /tmp/letsencrypt/public_html/.well-known/acme-challenge because you cannot browse through winscp to this directory as it is hidden.

You then see your challenge files. These files need to be copied to your ISS server:

In our case we had an IIS server running on port 80: and created the virtual directory /.well-known/acme-challenge and placed the challenge files in that path.

THEN in the linux console you hit Enter to continue and you should see:



- Congratulations! Your certificate and chain have been
saved at /etc/letsencrypt/live/ Your cert will expire on 2016-03-03. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again

… Some text ommitted

lrwxrwxrwx 1 root root 42 Dec 4 19:22
cert.pem -> …/…/archive/
lrwxrwxrwx 1 root root 43 Dec 4 19:22
chain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 47 Dec 4 19:22
fullchain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 45 Dec 4 19:22
privkey.pem -> …/…/archive/

You will then again need to manually browse in winSCP to this directory as it is hidden and you then have your free certificate

Sorry for the bad editing, but all the necessary info should be here: With this we were able to accomplish a few things. A manual certificate creation. A IIS server certificate installation, and an F5 device certificate installation.

What we did on our F5:

We have an F5 running on running on port 443 obviously. And on an internal network we just started up a window server and added the IIS service to host a webpage.

In the F5 we created a virtual server named with the same IP as our webtop link that accesses the internal network172.25.1.100 : (example: if we go to we arrive at our webtop and start a remote session to internal server at 192.168.1.x.) The virtual server is on port 80 and we created a pool with the internal address for our webserver)

Also note: and resolve to the same F5 webtop

By doing this we were able to resolve to our IIS landing page. In IIS, as I said we added the virtual directory /.well-know/ and added the directory /acme-challenge/ and added the created challenge file into this directory.

Sorry for rambling and the incoherentness of this post.

1 Like

And thank you all for the help. I hope this guide helps others clear up some things for others wanting to try this.