LetsEncrypt: adding a new cert without killing the service

I have a problem. I use LetsEncrypt for my HTTPS certificates, and every time I add a new cert or update an existing one I must stop my HTTP server on port 80 and start the LetsEncrypt script.

I want to add new certs and update the old ones, but without killing the service on port 80 (in my case Passenger).

Is there a way to do it?

In general, yes.

Exactly how depends on your setup / configuration. LetsEncrypt basically needs to prove ownership of the domain by displaying given files on http / https (in yourdomain.com/.well-known/acme-challenge/file), so it shouldn't affect the normal running of your website. You will need to reload the configuration after getting the new certs, but that should generally be a reload rather than a stop and restart.

If you're using the Let's Encrypt client, you're probably using standalone mode right now, which does require you to stop the existing web server (because it provides an alternative/replacement for it for verification purposes). There are other modes that don't have this requirement, such as webroot and manual modes. If one of those modes works for you, it might address your concern.

There are also other clients out there.

Some of them will also not require you to shut down your existing server, depending on the verification method used.


The webroot method should fit your needs.

letsencrypt certonly --email asdf@asdf -d yourdomain --webroot --webroot-path /var/www/ (where /var/www is the folder which can be accessed at http://yourdomain/)

Hi there,

Just started messing about with letsencrypt for real today, and I had a problem like yours where the domain was taken by an application. In my case I'm using nginx (Apache should work the same) as a reverse proxy for my app running on port 9999.

app.example.com => reverse proxy => localhost:9999

Since nginx does the reverse proxy handling, it should also take care of the SSL termination. I think it makes sense.

I set up a location rule on my nginx config to handle the acme-challenges.

server {
    listen 80;
    server_name app.example.com;

    # Everything except the ACME challenge is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }

    # Challenge files are served from /opt/ssl-challenge/.well-known/acme-challenge/
    # (the webroot path given to the client), so validation works while the app keeps running.
    location /.well-known/acme-challenge/ {
        root /opt/ssl-challenge/;
    }
}

# And a server for 443 ssl

This is a common folder on my server for all acme-challenges. When I now run my update script, letsencrypt puts some stuff in that acme-challenge directory, which is accessible alongside my running application. After switching out my certs with new ones, I simply run $ service nginx reload, which loads in my new certificates without the server ever going down.

I put up my simple (not pretty) setup on github: https://github.com/jarlefosen/letsencrypt-nginx-setup
Under nginx in my repo, you’ll see an example for the reverse proxy config.

Hope this can be of any help.
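Both the webroot answer above and the nginx reverse-proxy setup rely on the same fact: the running web server must serve whatever the client drops into <webroot>/.well-known/acme-challenge/ at http://<host>/.well-known/acme-challenge/<token>. The script below is an added pre-flight check for exactly that, not code from the thread, the Let's Encrypt client, or the linked repository. It writes a random token file into the webroot, fetches it through the live server, and cleans up; if this returns False, validation would fail (a typical cause is a location block that redirects the challenge path to HTTPS on a host with no certificate yet). For the offline demo a Python http.server stands in for nginx; the webroot path, hostnames and port are assumptions for illustration.

```python
"""Pre-flight check for HTTP-01 webroot validation (added example, not from the thread).

Run it against the real server with something like
    preflight_check("/opt/ssl-challenge", "http://app.example.com")
before invoking `letsencrypt certonly --webroot --webroot-path /opt/ssl-challenge ...`.
Paths and hostnames here are assumptions for illustration.
"""
import functools
import os
import secrets
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_file_path(webroot: str, token: str) -> str:
    """Where a webroot-mode client writes the challenge file for `token`."""
    return os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)


def challenge_url(base_url: str, token: str) -> str:
    """The URL the CA (and this check) fetches for `token`."""
    return f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"


def preflight_check(webroot: str, base_url: str, timeout: float = 5.0) -> bool:
    """Drop a random token into the webroot, fetch it via the running server,
    remove it, and return True only if the served body matches.

    urllib follows redirects, as the CA does, so a 301 to a working HTTPS
    vhost still passes; a 404, connection refused, or a redirect to a host
    without TLS all surface as an OSError subclass and return False.
    """
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)
    path = challenge_file_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    try:
        with urllib.request.urlopen(challenge_url(base_url, token), timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode("ascii") == body
    except OSError:  # urllib.error.URLError and HTTPError both derive from OSError
        return False
    finally:
        os.remove(path)


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static-file handler that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def serve_directory(directory: str):
    """Stand-in for nginx in the offline demo: serve `directory` on an
    ephemeral localhost port. Returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=directory)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Offline demo with constructed temp directories.
    Returns (result for the directory the server serves,
             result for an unrelated directory, i.e. a wrong --webroot-path)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as wrong:
        srv, base = serve_directory(served)
        try:
            return preflight_check(served, base), preflight_check(wrong, base)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    ok, bad = demo()
    print("correct webroot:", ok)   # True
    print("wrong webroot:  ", bad)  # False
```

The negative case matters in practice: pointing --webroot-path at a directory the server does not actually expose is the most common reason a webroot run fails, and this check catches it without the CA ever being involved and without stopping anything on port 80.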