But one of the options I have is to generate an nginx vhost with HTTPS as the default, so I redirect HTTP to HTTPS. But I generate an HTTPS vhost with a self-signed SSL cert first as a placeholder, and then when acme.sh gets the Let's Encrypt SSL certificate, I swap out the self-signed SSL cert for the Let's Encrypt SSL cert. If Let's Encrypt verification fails, it automatically falls back to the self-signed SSL placeholder certs.
This works fine for non-HTTPS default issuances. But it seems I ran into a problem for HTTP to HTTPS default redirects. acme.sh and Let's Encrypt are reporting a failure to connect to the domain, and I suspect it's because Let's Encrypt doesn't see my placeholder HTTPS default self-signed cert as valid?
== Info: Connection #0 to host domain.com left intact
== Info: Issue another request to this URL: 'https://domain.com/.well-known/acme-challenge/MP7ezQ6O3BO9CJjpeyQh_j_gTDeyXhOP7c3xBT9S5_o'
== Info: About to connect() to domain.com port 443 (#1)
== Info: Trying IPADDRESS...
== Info: connected
== Info: Connected to domain.com (IPADDRESS) port 443 (#1)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
== Info: Certificate is signed by an untrusted issuer: 'CN=domain.com,OU=domain.com,O=domain.com,L=Los Angeles,ST=California,C=US'
== Info: NSS error -8172
== Info: Closing connection #1
== Info: Peer certificate cannot be authenticated with known CA certificates
== Info: Closing connection #0
[Sat Sep 17 00:16:22 UTC 2016] ret='60'
[Sat Sep 17 00:16:22 UTC 2016] Debugging, skip removing: /home/nginx/domains/domain.com/public/.well-known
[Sat Sep 17 00:16:22 UTC 2016] pid LECHECK = 1
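The log above is acme.sh's own curl check of the challenge URL: it follows the redirect to port 443, rejects the self-signed placeholder as signed by an untrusted issuer (NSS error -8172, curl exit code 60), and so reports the domain as unreachable. A common way to avoid this is to answer the challenge directory over plain HTTP before the redirect applies. The following vhost is an added example, not the poster's generated config; it assumes the acme.sh webroot is the /home/nginx/domains/domain.com/public path that appears in the log.

```nginx
# Added example vhost (not the poster's generated config).
# Assumption: acme.sh writes challenge files under
# /home/nginx/domains/domain.com/public/.well-known/acme-challenge/
server {
    listen 80;
    server_name domain.com;

    # Serve HTTP-01 challenge files over plain HTTP, so neither acme.sh's
    # pre-check nor the CA is sent to the self-signed placeholder on 443.
    # ^~ makes this prefix win over the catch-all location below.
    location ^~ /.well-known/acme-challenge/ {
        root /home/nginx/domains/domain.com/public;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else keeps the HTTP to HTTPS redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place the placeholder certificate on 443 never enters the validation path, and the swap to the issued certificate can happen afterwards as before.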