Webroot subdirectory


I’m trying to use let’s encrypt on a server for which I can’t write to the webroot, only the ‘static’ subdirectory. Is there a way I can run the letsencrypt installation script and have the ./well-known folder inside a directory instead of right at the root?



No, /.well-known has to be at the top level for policy reasons, because it’s meant to confirm that you have control over the webserver. The idea is to prevent people who can only create content elsewhere on a webserver from getting a cert for the webserver’s domains, because the cert is only meant to be issued for someone who is allowed to speak for the domain as a whole (in some sense).

Maybe you could use some other verification method, like the new DNS verification?


Makes sense. I was able to get it working by using the manual option as described here


Can you point me to the DNS verification challenge documentation? I think that might be a better option the next time around.



The documentation for writing something yourself is at https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#dns

I’d suggest using one of the alternative clients some of which include DNS verification. I know that the two bash scripts work for DNS verification, so for automation on the same server I’d suggest LetsEncrypt.sh or for automation on a remote server getssl.