I restored a server I lost from a backup. Unfortunately, I didn’t keep any copy of the /var/lib/letsencrypt/.well-known content (everything else is ok).
It’s no big deal for my existing domains as there’s no need for a new validation. But I want to add a couple of new domains that will need to get validated.
I tried to run certbot commands but didn’t find a way to regenerate the content of this directory. Is there a solution?
The files that need to be placed there are different every single time. Thus, having a copy of previous versions is not particularly helpful. The certificate authority will tell the client which files to create, and the files will be created in response to that.
If you get a particular error, please let us know what it is!
Note that the requested files need to appear on each individual domain that you want a certificate for, so they probably should not all be placed in the same directory, but instead under the corresponding webroot directory for each domain.
My setup already uses several domains with a single certificate (these domains are just kind of aliases for the same server) so using only one location is ok.
Do you mean that, if I append 2 more domains with certbot certonly --expand --webroot /var/lib/letsencrypt/ -d old1 -d old2 -d new1 -d new2, the content of webroot will be populated again?
The content of the webroot/.well-known/acme-challenge gets populated every time you request any certificate, and then the contents are automatically deleted again. There isn’t anything in that directory that needs to be persisted between certificate requests.
You don’t necessarily need to add new domains in order to obtain a new certificate, unless you’ve reached the identical certificates rate limit.
My concern about the single location is just whether all of your domains’ web sites are in fact served from that location (which would usually suggest that the content of all of the domains’ web sites is identical, which could be true in your situation but isn’t true in most users’ cases).
I could successfully do the job with this command line: certbot certonly --webroot --agree-tos -w /var/lib/letsencrypt --expand -d old1 -d old2 -d new1 -d new2.
All of my domains don’t serve strictly the same content but I managed to normalize access to /var/lib/letsencrypt in my nginx conf.
Cool, that sounds great! I’m glad it’s working now.
The case where you map a single .well-known/acme-challenge directory into multiple domains’ webroots is a perfectly valid and reasonable approach, although many of our users on this forum seem to consider it pretty advanced because they don’t have that much experience with nginx configurations.
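For the single-webroot nginx mapping discussed in this thread, here is an added example configuration (not the poster's own nginx conf and not shipped by certbot); the hostnames old1.example etc. are placeholders and the listen directives are assumptions:

```nginx
# Added example (not the poster's configuration): one nginx server block
# answering for several hostnames, all serving ACME HTTP-01 challenge files
# from the single webroot passed to certbot as "-w /var/lib/letsencrypt".
# Hostnames are placeholders; ports and the redirect are assumptions.
server {
    listen 80;
    listen [::]:80;
    server_name old1.example old2.example new1.example new2.example;

    # certbot writes tokens to <webroot>/.well-known/acme-challenge/<token>,
    # so "root" (not "alias") maps the request URI onto that path 1:1.
    # "^~" takes precedence over regex locations, so a later
    # "location ~ \.php$" or a catch-all rule cannot intercept the request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
        default_type "text/plain";   # token files have no extension
        try_files $uri =404;         # serve only existing files, never a listing
    }

    # Everything else on port 80 goes to HTTPS; the challenge path above is
    # excluded because its location block is matched first.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, drop a throwaway file into /var/lib/letsencrypt/.well-known/acme-challenge/ and fetch it over plain HTTP from each hostname; a 200 from every name means the path certbot populates is reachable for the whole `-d` list.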