Why does a webroot-path have to be supplied?

Hi I’m curious why a webroot-path (path to your code) is required? I don’t recall a time where I needed to point to a path to my code when purchasing and issuing my own cert. I was just curious why this would be needed.

Here is what the help command says but is not entirely helpful on how its used for auth.
–webroot Place files in a server’s webroot folder for authentication

Thanks in advance Ya’ll!

LE looks domain/well-known/acme-challenge/ for challenge file to validate you have control of domain.

Hi @macmichael01

please read the documentation about the http-01 challenge type.

If you purchase a certificate, typically you get a mail (to hostmaster / webmaster etc.) with a long confirmation link you have to click.

This is your mail challenge. Letsencrypt doesn’t use mail challenges.

Thanks for the clarification. I use this declaration in my nginx file and it seems to work fine without supplying a webroot-path.

location /.well-known/acme-challenge/ {
add_header Content-Type text/plain;
return 200 ‘acme-challenge-token’;

Is the token that is sent back through the .well-known path a way for me to perform additional validation? And is this a token that is generated during the initial request for a cert?

token is randomly generated for each subdomain in token1.token2. IIRC LE looks for /.well-known/acme-challenge/token1
and server should reply with token1.token2

Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> . That file contains the token, plus a thumbprint of your account key. Once your ACME client tells Let’s Encrypt that the file is ready, Let’s Encrypt tries retrieving it (potentially multiple times from multiple vantage points). If our validation checks get the right responses from your web server, the validation is considered successful and you can go on to issue your certificate. If the validation checks fail, you’ll have to try again with a new certificate.

How should that work if your ACME client doesn’t know where to save the challenge file?

The token is generated every time you request a cert–initial request, renewal, etc. It isn’t a one-time static token.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.