I propose to solve this issue as follows:
Note: you may want to change 9999 to a different value
- make sure the Apache modules mod_proxy and mod_proxy_http are enabled:
      a2enmod proxy proxy_http
- add the following to the mod_proxy config file (usually /etc/apache2/mods-enabled/proxy.conf):
      <IfModule mod_proxy.c>
          # forward ACME http-01 challenge requests to the letsencrypt client listening on port 9999
          ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
          ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
          <Location "/.well-known/acme-challenge/">
              ProxyPreserveHost On
              Order allow,deny
              Allow from all
              Require all granted
          </Location>
      </IfModule>
- if you have a local firewall running: make sure it won't block access from localhost to localhost:9999
- run letsencrypt-auto with the http port set to 9999:
      letsencrypt-auto --agree-dev-preview --agree-tos --renew-by-default --standalone --standalone-supported-challenges http-01 --http-01-port 9999 --server https://acme-v01.api.letsencrypt.org/directory certonly -d your-domain-here.tld
That way your standard Apache will recognize the request from the letsencrypt server and forward it to the letsencrypt client if it's running.
Note: if the letsencrypt client is not running, your local Apache will recognize that during the proxy call and retry contacting the local letsencrypt client only after a timeout of a minute. You can find a corresponding error message in the log. So if you try to "test" the setup using your browser, make sure to wait a minute before actually running the letsencrypt client.
Again: if you manually call a URL beginning with /.well-known/acme-challenge/ without having a letsencrypt client running at that moment, and you then do not wait for a minute afterward, the letsencrypt server may not be able to contact the letsencrypt client.
So just don't manually try to load a URL beginning with /.well-known/acme-challenge/, and Apache won't block the request from the letsencrypt server.
Added parameter retry=1, so this should not be an issue anymore.
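To check that the proxy rule above actually reaches port 9999 before running the real client, here is an added example (not from the original post): a stand-in http-01 responder on 127.0.0.1:9999 plus a function that fetches a challenge through the Apache front end and compares the body. The token and key-authorization values are constructed test data, not real ACME material.

```python
"""Added example: stand-in http-01 responder on 127.0.0.1:9999 and a
check that a challenge fetched via Apache matches what it serves."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed token -> key-authorization mapping (what a real client serves)
TOKENS = {"testtoken123": "testtoken123.constructed-key-authorization"}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Behaves like the standalone client: 200 for known tokens, else 404."""

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        body = TOKENS.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_responder(host="127.0.0.1", port=9999):
    """Serve the stand-in responder in a background thread; returns the server."""
    server = HTTPServer((host, port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_challenge(base_url, token, timeout=5):
    """True if GET base_url + challenge path returns the expected body."""
    try:
        with urlopen(base_url.rstrip("/") + CHALLENGE_PREFIX + token, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == TOKENS.get(token)
    except OSError:  # HTTPError/URLError (404, refused, timeout) all derive from OSError
        return False


if __name__ == "__main__":
    srv = start_responder()
    print("direct:", check_challenge("http://127.0.0.1:9999", "testtoken123"))
    print("via Apache:", check_challenge("http://localhost", "testtoken123"))
    srv.shutdown()
```

If "direct" is True but "via Apache" is False, the proxy rule or the firewall is the problem, not the client.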