Here’s a little trick we’re using with nginx and the webroot authenticator to automate letsencrypt for software that isn’t a webserver. It lets you validate any domain pointed at your server, whether or not there’s a website behind it, and without needing a free port 443 for the standalone authenticator: nginx serves one shared challenge directory for every name that reaches it, and the client just drops its tokens there.
Create /etc/letsencrypt/webrootauth/ (the client creates .well-known/acme-challenge/ beneath it; nginx’s worker user only needs read access, and only the user running the client should be able to write there).
In /etc/nginx/snippets/letsencryptauth.conf

    location ^~ /.well-known/acme-challenge/ {
        alias /etc/letsencrypt/webrootauth/.well-known/acme-challenge/;
        # Tokens have no extension, so the MIME map won't match; serve them as text.
        # add_header can't replace Content-Type (it would only add a second one).
        default_type text/plain;
        # Make sure server-level access rules don't get in the validator's way.
        allow all;
        auth_basic off;
    }

The ^~ modifier makes nginx stop at this prefix and skip regex locations, so a common dotfile rule such as location ~ /\. { deny all; } elsewhere in the server block can’t swallow the challenge.
In /etc/nginx/sites-enabled/default (or wherever your default server block is. You DO have one, right?)

    server {
        listen 80 default_server;
        root /etc/letsencrypt/webrootauth;
        include snippets/letsencryptauth.conf;
    }
    server {
        # spdy was replaced by http2 in nginx 1.9.5; "ssl on" is deprecated
        # in favour of the ssl flag on listen.
        listen 443 ssl http2 default_server;
        # This can be any cert on your system, it doesn't matter: HTTP-01 is
        # fetched over port 80, and if something redirects the validator to
        # https it does not verify the certificate, so self-signed is fine.
        ssl_certificate ssl/default/default.crt;
        ssl_certificate_key ssl/default/default.key;
        root /etc/letsencrypt/webrootauth;
        include snippets/letsencryptauth.conf;
    }
Then run the letsencrypt client with the webroot authenticator as usual, adding
--webroot-path /etc/letsencrypt/webrootauth
to the parameters. Since failed validations count against Let’s Encrypt’s rate limits, it is worth fetching a throw-away token through nginx for each name first, exactly the way the validator will.
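The following script is an added example, not part of the original post or of the letsencrypt client: it runs that pre-flight check for each domain (write a token into the shared webroot, fetch it over plain HTTP the way the HTTP-01 validator does, compare), then invokes the client. It assumes the client is installed as certbot (the older letsencrypt binary takes the same certonly/--webroot/--webroot-path flags), that curl is available, and that WEBROOT matches the path in the nginx snippet.

```shell
#!/bin/sh
# Added example (not the original post's code): pre-flight the shared webroot,
# then run the webroot authenticator for every domain given on the command line.
# Assumptions: client installed as `certbot`, curl present, WEBROOT as in nginx.
set -eu

WEBROOT="${WEBROOT:-/etc/letsencrypt/webrootauth}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# File nginx must serve for a token (pure: no side effects).
challenge_path() {
    printf '%s/%s\n' "$CHALLENGE_DIR" "$1"
}

# URL the validator fetches for a token; HTTP-01 always starts on port 80.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# True when the body a server returned equals what was written to the file.
body_matches() {
    [ "$1" = "$2" ]
}

# Write a throw-away token and fetch it back through nginx for one domain.
preflight() {
    domain=$1
    token="preflight-$$-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
    path=$(challenge_path "$token")
    printf '%s' "$token" > "$path"
    # -L follows the same redirects the validator would (e.g. to https).
    body=$(curl -fsSL --max-time 10 "$(challenge_url "$domain" "$token")" || true)
    rm -f "$path"
    if body_matches "$body" "$token"; then
        echo "ok: $domain serves $WEBROOT"
    else
        echo "FAIL: $domain did not return the token (got '$body')" >&2
        return 1
    fi
}

main() {
    # nginx only reads here; 0755 keeps it world-readable but owner-writable.
    mkdir -p "$CHALLENGE_DIR"
    chmod 755 "$WEBROOT" "$CHALLENGE_DIR"
    for d in "$@"; do preflight "$d"; done
    args=""
    for d in "$@"; do args="$args -d $d"; done
    # shellcheck disable=SC2086  # $args is a list of -d flags, word splitting is intended
    certbot certonly --webroot --webroot-path "$WEBROOT" $args
}

# Only act when domains are given, so sourcing the file does nothing by itself.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as sh acme-webroot.sh example.com www.example.com from a host where the nginx blocks above are live; a FAIL line before certbot starts means the name is not hitting this nginx, or a redirect or access rule is intercepting the challenge path.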
You can also include snippets/letsencryptauth.conf in your other server blocks so they use the same “global” webroot. It claims only the /.well-known/acme-challenge/ prefix, so it won’t break anything else, and since a longer prefix wins over location /, a blanket return 301 https://… redirect on port 80 still leaves the challenge reachable.