You have two modes. The first is very simple but hard to maintain, and it sometimes results in a stopped web server (apache/nginx/…) that is never started again. The second is more difficult, but it is the one you want.
The first, standalone mode, works like this: stop the web server, run certbot, which listens on :80 to prove you own the website, then start the web server again. The trap is obvious: if you automate it in a cron script it can hang inside certbot and thus never start the web server again. Here is the one-line command:
certbot certonly --standalone -d www.mydomain.cz --pre-hook="service nginx stop" --post-hook="service nginx start"
certbot renew --pre-hook="service nginx stop" --post-hook="service nginx start"
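The trap above (a hung certbot means the post-hook never runs and the site stays down) can be closed with a wrapper around the standalone mode. This is an added example, not from the original note; it assumes a `service`-style init command (overridable via SERVICE_CMD) and GNU coreutils `timeout`.

```sh
#!/bin/sh
# Cron-safe wrapper for certbot standalone renewals.
# Two defences against the "web server never comes back" failure:
#   1. bound certbot's run time with `timeout`, so a hang is killed;
#   2. start the web server on every exit path, not only on success.
# Assumed/placeholder settings, adjust for your host:
SERVICE="${SERVICE:-nginx}"                     # nginx or apache2
SERVICE_CMD="${SERVICE_CMD:-service}"           # init command to use
CERTBOT="${CERTBOT:-certbot renew --standalone --non-interactive}"
MAX_SECS="${MAX_SECS:-300}"                     # hard limit for one certbot run
LOG="${LOG:-/var/log/certbot-standalone.log}"   # placeholder log path

start_web() { "$SERVICE_CMD" "$SERVICE" start >>"$LOG" 2>&1; }
stop_web()  { "$SERVICE_CMD" "$SERVICE" stop  >>"$LOG" 2>&1; }

# Returns certbot's exit code, or 124 if certbot was killed by timeout.
# The web server is started again in all cases.
renew_standalone() {
    stop_web || return 1
    # $CERTBOT is intentionally word-split into command and arguments
    timeout "$MAX_SECS" $CERTBOT >>"$LOG" 2>&1
    rc=$?
    start_web
    if [ "$rc" -eq 124 ]; then
        echo "$(date -u +%FT%TZ) certbot hung, killed after ${MAX_SECS}s; $SERVICE restarted" >>"$LOG"
    fi
    return "$rc"
}
```

Run it from cron instead of a bare `certbot renew`; a non-zero exit is still worth alerting on, but the site stays up either way.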
1. Create a directory, e.g. /var/www/I/like/it/here
2. Add an exception to your website (or to many websites):
Nginx:
location /.well-known { root /var/www/I/like/it/here/; }
Be careful, nginx appends the location itself: here it adds .well-known to /var/www/I/like/it/here/, so the challenge files are served from /var/www/I/like/it/here/.well-known/.
Apache2:
Alias "/.well-known" "/var/www/letsencrypt/.well-known"
<Directory "/var/www/letsencrypt">
    AllowOverride None
    Options MultiViews
    # Apache 2.4: allow access even if a parent <Directory> denies it
    Require all granted
</Directory>
3. Call certbot with the webroot parameter:
certbot certonly --webroot -d novyweb.starlab.cz -w /var/www/letsencrypt/
Here is the HTTP GET request the remote validation server makes:
GET /.well-known/acme-challenge/Rrc-EMcYmhRM7ETvn8Hs8TcAh9FgHiUAxfkoHEjX7Kc HTTP/1.1
Host: novyweb.starlab.cz
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close
4. Renewal is easy, always the same:
certbot renew --webroot -w /var/www/I/like/it/here
For wildcard certificates you need the DNS challenge; here in manual mode with certbot-auto:
/usr/src/certbot-auto certonly --manual --preferred-challenges=dns --email firma@example.cz -d example.com -d *.example.com
Behind a reverse proxy: ProxyPass is evaluated before Alias, so you have to create an exception for /.well-known. Showing just the apache2 config line (it must come before the general ProxyPass rule):
ProxyPass /.well-known !