======Let's encrypt or Certbot======
======How exactly it works.======
You have two modes. The first is very simple but hard to maintain, and it sometimes leaves the web server (apache/nginx/...) stopped and never started again. The second is more involved, but it is the one you want.
=====First method=====
It works like this: stop the webserver, run certbot so that it listens on :80 to prove you own the domain, then start the webserver again.
The trap is obvious. If you automate this in a cron script and certbot hangs, the webserver is never started again. Here is the one-line command:
====First run====
certbot certonly -d www.mydomain.cz --pre-hook="service nginx stop" --post-hook="service nginx start"
====Renew====
certbot renew --pre-hook="service nginx stop" --post-hook="service nginx start"
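The pre/post hooks above only help if certbot reaches the post-hook; if certbot hangs, the webserver stays down. The following wrapper, an added example that is not from the page or from the certbot project, runs certbot under a time limit and restarts the webserver in a finally block, so it runs on success, failure and timeout alike. The argv lists (service nginx stop/start, certbot renew --standalone) and the 600-second limit are assumed values for illustration.

```python
"""Guarded standalone renewal: certbot runs with the webserver stopped, but
the webserver is restarted no matter how certbot ends (added example, not
from the page or from the certbot project)."""
import subprocess


def guarded_renew(stop_cmd, start_cmd, certbot_cmd, limit_seconds):
    """Stop the webserver, run certbot under a time limit, always start it again.

    stop_cmd / start_cmd / certbot_cmd are argv lists (assumed values:
    ["service", "nginx", "stop"], ["service", "nginx", "start"],
    ["certbot", "renew", "--standalone"]).  Returns a dict describing what
    happened so a cron wrapper can log or alert on it.
    """
    report = {"certbot_rc": None, "timed_out": False, "webserver_started": False}
    subprocess.run(stop_cmd, check=True)
    try:
        # subprocess.run kills the child when the timeout expires
        proc = subprocess.run(certbot_cmd, timeout=limit_seconds)
        report["certbot_rc"] = proc.returncode
    except subprocess.TimeoutExpired:
        # certbot hung (waiting on :80, on the CA, ...); it has been killed
        report["timed_out"] = True
    finally:
        # the whole point: this runs on success, failure and timeout alike
        started = subprocess.run(start_cmd)
        report["webserver_started"] = started.returncode == 0
    return report


if __name__ == "__main__":
    # assumed commands; run this from cron instead of calling certbot directly
    print(guarded_renew(["service", "nginx", "stop"],
                        ["service", "nginx", "start"],
                        ["certbot", "renew", "--standalone"], 600))
```

A non-zero certbot_rc or timed_out in the report is what the cron job should alert on; webserver_started tells you whether the site is actually back up.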
=====Second method=====
1. Create a directory, e.g. /var/www/I/like/it/here
2. Add an exception to your website (or to all of your websites):
Nginx:
location /.well-known {
root /var/www/I/like/it/here/;
}
Be careful, nginx appends the request URI to the root itself. Here it adds .well-known to /var/www/I/like/it/here/, so the challenge files are served from /var/www/I/like/it/here/.well-known/acme-challenge/.
Apache2 (AllowOverride is only valid inside a <Directory> block, and on Apache 2.4 the challenge files also need Require all granted to be readable):
Alias "/.well-known" "/var/www/letsencrypt/.well-known"
<Directory "/var/www/letsencrypt/.well-known">
    AllowOverride None
    Options MultiViews
    Require all granted
</Directory>
3. Call certbot with the webroot parameter:
certbot certonly --webroot -d novyweb.starlab.cz -w /var/www/letsencrypt/
Here is the HTTP GET request the Let's Encrypt validation server sends:
GET /.well-known/acme-challenge/Rrc-EMcYmhRM7ETvn8Hs8TcAh9FgHiUAxfkoHEjX7Kc HTTP/1.1
Host: novyweb.starlab.cz
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close
4. Renewal is easy and always the same:
certbot renew --webroot -w /var/www/I/like/it/here
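The most common failure of the webroot method is a root/Alias mapping that does not match the -w directory, which only shows up as a 404 when the validation server makes the GET shown above. The following preflight, an added example that is not from the page or from certbot, writes a dummy file exactly where certbot --webroot would and fetches it over HTTP the way the validation server does. The key authorization it writes is a constructed placeholder (real ones are token.<JWK thumbprint>), and the local http.server stands in for nginx/apache so the demo runs offline; against a real site you would pass the public base URL instead.

```python
"""HTTP-01 webroot preflight (added example, not from the page or certbot).

Writes a dummy challenge file into WEBROOT/.well-known/acme-challenge/ and
fetches it through the webserver like the validation server would, so a
wrong root/Alias mapping is found before certbot is run.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = ".well-known/acme-challenge"


def place_challenge(webroot, token, key_authorization):
    """Write the challenge file exactly where certbot --webroot -w WEBROOT would."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return path


def fetch_challenge(base_url, token):
    """GET the challenge like the validation server; returns (status, body)."""
    url = f"{base_url}/{CHALLENGE_PATH}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("ascii")
    except urllib.error.HTTPError as err:
        return err.code, ""


def preflight(webroot, base_url):
    """True if the webserver serves the file byte-for-byte from the webroot."""
    token = secrets.token_urlsafe(32)             # same alphabet as ACME tokens
    expected = f"{token}.constructed-thumbprint"  # placeholder key authorization
    path = place_challenge(webroot, token, expected)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)                           # never leave test files behind
    return status == 200 and body == expected


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot):
    """Stand-in for nginx/apache: static server rooted at WEBROOT on a free port."""
    handler = partial(_QuietHandler, directory=webroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Correct mapping passes; a -w directory the server does not serve fails."""
    with tempfile.TemporaryDirectory() as tmp:
        served = os.path.join(tmp, "served")   # what the server's root points at
        other = os.path.join(tmp, "other")     # a wrong -w directory
        os.makedirs(served)
        server, base_url = serve_webroot(served)
        try:
            ok = preflight(served, base_url)
            mismatch = preflight(other, base_url)  # server answers 404
        finally:
            server.shutdown()
            server.server_close()
    return ok, mismatch


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real check, call preflight("/var/www/I/like/it/here", "http://www.mydomain.cz") from the host and run certbot only when it returns True; the file is removed again whatever the outcome.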
===== DNS auth =====
Wildcard certificates can only be validated with the DNS-01 challenge. With --manual, certbot prints a TXT record value for _acme-challenge.example.com that you publish in the zone before letting it continue:
/usr/src/certbot-auto certonly --manual --preferred-challenges=dns --email firma@example.cz -d example.com -d *.example.com
===== Be careful with wsgi proxy =====
ProxyPass is evaluated before Alias, so without an exception the challenge request is forwarded to the WSGI application instead of being served from disk. You have to create an exception for /.well-known, and it must come before the general ProxyPass line.
Showing just the apache2 config line:
ProxyPass /.well-known !
===== Nice source =====
* https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8