Just what I was after too!
Unless I missed something, I don’t think there was already a mix of manual mode and webroot, so I made a really simple patch.
It’s also worth mentioning file permissions. When using it last night, it took a few attempts as letsencrypt-auto created files and directories as root:root with mode 700/600 - which meant Apache returned a 403. I had to umask 022 before running LE-A, and then it was fine.
I’ve yet to look for command line flags to set file mode or owner; as LE-A does sudo, I can’t immediately have it run as the Apache daemon user (although I suspect I can change scripts to make that work, that’s something to look at on another day).
A little assistance requested in troubleshooting what I am doing wrong.
Presently I can issue this command after stopping my webserver to free up the necessary ports:
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory -d hoshisato.com -d www.hoshisato.com --agree-dev-preview --agree-tos --verbose certonly
However, when I attempt to use webroot, I end up getting the fake CA, so I think I might be doing something wrong with the command:
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory -d hoshisato.com -d www.hoshisato.com --agree-dev-preview --agree-tos -a webroot --webroot-path /var/www/vhosts/hoshisato.com/public_html --verbose certonly
I’ve tried a few variations with the accepting agreements and adding the email flag, but still get the fake CA. Was hoping could show the right syntax I’m looking for.
Thank you!
–… Archer
Problem is you’re running letsencrypt-auto and not letsencrypt.
For my webroot authentication https://community.centminmod.com/posts/20509/ I use the following, with a custom --user-agent passed on to LE servers for tracking my Centmin Mod integration. You can remove --user-agent if you are not using it.
letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/le10.http2ssl.xyz/public -d le10.http2ssl.xyz auth
Contents of /etc/letsencrypt/webroot.ini, which is auto-populated and created the first time it’s run when auto-generating my nginx vhosts:
# webroot.ini general config ini
rsa-key-size = 2048
# Always use the staging/testing server
#server = https://acme-staging.api.letsencrypt.org/directory
# for beta invitees
server = https://acme-v01.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = myvalid@emailaddy.com
# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True
authenticator = webroot
As the Letsencrypt client is being continually updated, I also always update the client before running the client as well.
Thank you eva2000!
When I read this, I face-palmed myself lol. Thank you for the example, it helps me greatly.
--.. Archer
NP, you are welcome
This post needs an update.
The instructions at the start of this thread are outdated.
Check out the code and install:
cd /usr/local
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
./letsencrypt-auto
Get a cert:
/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot \
--webroot-path /var/www/example --renew-by-default --email \
example@example.org --text --agree-tos --agree-dev-preview -d \
site.example.org -d www.site.example.org
How about editing the start post directly instead of just linking to another post?
This looks really interesting! I have a setup w/ a Django site on Heroku. Another thread [ Let's Encrypt and Heroku [Solved] ] mentioned near the end that --web-root should replace --manual to facilitate autorenewal.
But part of the process that lets --manual work is that the prompt stops halfway through, tells us the verification response expected [a string response at a path], and gives us time to do a deploy of the file at that path. Does --web-root allow us to stop halfway through somehow so we can do a similar verification deploy?
No, webroot creates the file itself at that location without pausing, assuming you tell the client where it can be created via -w and that the client has permission to write files there that the webserver will serve.
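A pre-flight check for the permission requirement in the reply above, and for the 403 reported earlier in the thread when files were created with mode 700/600. This is an added example, not part of the original posts or the letsencrypt client. The function names and probe file name are hypothetical, and it assumes the web server runs as a different user outside the files' group, so the "other" permission bits decide access.

```shell
#!/bin/sh
# Added example: verify that files created under the current umask in
# <webroot>/.well-known/acme-challenge would be servable by the web server.
# Assumption: the web server reads them via the "other" permission bits.

# Print the octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if "other" holds the given bit on a path (4 = read, 1 = traverse).
other_has() {
    m=$(mode_of "$1") || return 1
    last=${m#"${m%?}"}          # last octal digit = permissions for "other"
    [ $(( last & $2 )) -ne 0 ]
}

# Create a probe file the way a client running in this shell would, then
# inspect every path component from the webroot down to the probe.
check_webroot_perms() {
    webroot=$1
    dir="$webroot/.well-known/acme-challenge"
    probe="$dir/permcheck.$$"   # hypothetical probe name, removed afterwards
    mkdir -p "$dir" || { echo "cannot create $dir" >&2; return 2; }
    : > "$probe" || { echo "cannot write $probe" >&2; return 2; }
    rc=0
    for d in "$webroot" "$webroot/.well-known" "$dir"; do
        other_has "$d" 1 || { echo "not traversable: $d" >&2; rc=1; }
    done
    other_has "$probe" 4 || { echo "not readable: $probe" >&2; rc=1; }
    rm -f "$probe"
    return $rc
}

# Stand-alone use: sh check.sh /path/to/webroot
if [ $# -gt 0 ]; then
    check_webroot_perms "$1"
fi
```

It returns 0 when everything is servable, 1 when a mode would cause a 403, and 2 when the path cannot be written at all. Directories above the webroot are not checked.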
Hey Leliana!
I’m trying to set up some certs using webroot but I didn’t think that it needed to be able to access the file using ssl. Would this work with just the port 80 block? If not, feel free to ignore my comment, I’m pretty new to this world.
Thanks,
Tom