Using the webroot domain verification method

Just what I was after too!

Unless I missed something, I don’t think there was already a mix of manual mode and webroot, so I made a really simple patch.

GitHub Issue with link to patch.

1 Like

It’s also worth mentioning file permissions. When using it last night, it took a few attempts as letsencrypt-auto created files and directories as root:root with mode 700/600 - which meant Apache returned a 403. I had to umask 022 before running LE-A, and then it was fine.

I’ve yet to look for command line flags to set file mode or owner; as LE-A does sudo, I can’t immediately have it run as the Apache daemon user (although I suspect I can change scripts to make that work, that’s something to look at on another day).

A little assistance requested in troubleshooting what I am doing wrong.

Presently I can issue this command after stopping my webserver to free up the necessary ports:
./letsencrypt-auto --server -d -d --agree-dev-preview --agree-tos --verbose certonly

However, when I attempt to use webroot, I end up getting the fake CA, so I think I might be doing something wrong with the command:
./letsencrypt-auto --server -d -d --agree-dev-preview --agree-tos -a webroot --webroot-path /var/www/vhosts/ --verbose certonly

I’ve tried a few variations with accepting the agreements and adding the email flag, but still get the fake CA. I was hoping someone could show the right syntax I’m looking for.
Thank you!

–… Archer

problem is you’re running letsencrypt-auto and not letsencrypt

For my webroot authentication I use the following, with a custom --user-agent passed on to the LE servers for tracking my Centmin Mod integration :smile: You can remove --user-agent if you are not using it.

letsencrypt -c /etc/letsencrypt/webroot.ini --user-agent centminmod-centos6-webroot --webroot-path /home/nginx/domains/ -d auth

contents of /etc/letsencrypt/webroot.ini which is auto populated and created the first time it’s run when auto generating my nginx vhosts

# webroot.ini general config ini

rsa-key-size = 2048

# Always use the staging/testing server
#server =

# for beta invitees
server =

# Uncomment and update to register with the specified e-mail address
email =

# Uncomment to use a text interface instead of ncurses
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True

authenticator = webroot

As Letsencrypt client is being continually updated, I also always update the client before running the client as well :wink: :slight_smile:


Thank you eva2000!

When I read this, I face-palmed myself lol. Thank you for the example, it helps me greatly :smile:

–… Archer

NP, you are welcome :smiley:

1 Like

This post needs an update.

1 Like

Update: 2nd December 2015

The instructions at the start of this thread are outdated.

Check out the code and install:

cd /usr/local
git clone 
cd letsencrypt/

Get a cert:

/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot \
--webroot-path /var/www/example --renew-by-default --email \
--text --agree-tos --agree-dev-preview -d \
-d

How about editing the start post directly instead of just linking to another post?

1 Like

This looks really interesting! I have a setup w/ a Django site on Heroku. Another thread [ Let's Encrypt and Heroku [Solved] ] mentioned near the end that --web-root should replace --manual to facilitate autorenewal.

But part of the process that lets --manual work is that the prompt stops halfway through, tells us the verification response expected [a string response at a path], and gives us time to do a deploy of the file at that path. Does --web-root allow us to stop halfway through somehow so we can do a similar verification deploy?

No, webroot creates the file itself at that location without pausing, assuming you tell the client where it can be created via -w and that the client has permission to write files there that the webserver will serve.

1 Like
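An added example (my own shell script, not code from this thread or from the letsencrypt client) that ties together the reply above and the file-permissions post earlier in the thread: the webroot authenticator writes the challenge file itself under `<webroot>/.well-known/acme-challenge/`, and when that happens as root with a restrictive umask the result is mode 700/600 and the web server answers 403. `write_challenge` models the client's write with a safe umask, and `check_acme_path` audits the path as the server's unprivileged user would see it. The helper names, the throwaway directory, and the token/key-authorization strings are all constructed for the example; it assumes a POSIX sh with `ls`, `cut` and `mktemp`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the letsencrypt client.
# Models the webroot flow: the client writes a challenge file under
# <webroot>/.well-known/acme-challenge/ and the web server must be able to
# serve it over plain HTTP.  Files created as root with umask 077 get mode
# 600/700 and the server (running as another user) returns 403, which is the
# failure described earlier in the thread.

# other_perms PATH -> the three "other" permission characters, e.g. "r-x".
# ls -ld output has the same shape on GNU and BSD, so no stat(1) flags needed.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# write_challenge WEBROOT TOKEN KEYAUTH
# Writes the key authorization to the challenge path, as the client would.
# umask 022 runs in a subshell so the caller's umask (often 077 under sudo)
# does not apply; the result is 755 directories and a 644 file.
write_challenge() {
    webroot=$1; token=$2; keyauth=$3
    (
        umask 022
        mkdir -p "$webroot/.well-known/acme-challenge" &&
        printf '%s' "$keyauth" > "$webroot/.well-known/acme-challenge/$token"
    )
}

# check_acme_path WEBROOT
# Returns 0 if every directory from the webroot down to acme-challenge is
# readable and searchable by "other" and every challenge file is readable
# by "other"; otherwise prints each offending path and returns 1.
check_acme_path() {
    webroot=$1
    chal="$webroot/.well-known/acme-challenge"
    rc=0
    for d in "$webroot" "$webroot/.well-known" "$chal"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"; rc=1; continue
        fi
        case "$(other_perms "$d")" in
            r?x) ;;
            *) echo "403 risk, not o+rx: $d ($(other_perms "$d"))"; rc=1 ;;
        esac
    done
    if [ -d "$chal" ]; then
        for f in "$chal"/*; do
            [ -f "$f" ] || continue
            case "$(other_perms "$f")" in
                r??) ;;
                *) echo "403 risk, not o+r: $f ($(other_perms "$f"))"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Demonstration on a throwaway directory (constructed, not a real vhost).
demo() {
    t=$(mktemp -d) || return 1
    chmod 755 "$t"                     # mktemp -d creates it 0700
    umask 077                          # the situation the permissions post hit
    mkdir -p "$t/.well-known/acme-challenge"
    echo "fake-key-authorization" > "$t/.well-known/acme-challenge/fake-token"
    echo "--- created under umask 077:"
    check_acme_path "$t" || echo "(server would answer 403)"
    rm -r "$t/.well-known"
    echo "--- created by write_challenge:"
    write_challenge "$t" fake-token fake-key-authorization
    check_acme_path "$t" && echo "ok, world-readable"
    rm -r "$t"
}
( demo )
```

Run it with any sh; the first check lists every path component that is not readable by "other", the second passes. The same `check_acme_path` call, pointed at the real `--webroot-path`, is a quick pre-flight before invoking the client, and the subshell umask in `write_challenge` is the scripted form of the `umask 022` workaround from the earlier post.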

Hey Leliana!

I’m trying to setup some certs using webroot but I didn’t think that it needed to be able to access the file using ssl. Would this work with just the port 80 block? If not, feel free to ignore my comment, I’m pretty new to this world.