Bernhard Scheirle



Let’s encrypt everything!


I finally found some time to set up a Let’s Encrypt certificate for this server.

It's damn easy, even if you dislike Let’s Encrypt's Apache auto configuration or web server downtimes.

Auto configuration

To prevent Let’s Encrypt from messing with any of our configuration, we will only run it in certonly mode.

No Downtimes

Let’s Encrypt validates with so-called acme-challenges that the server requesting a certificate is actually legitimate to do so, i.e. that it controls the domain.

Let's say you request a certificate for ; Let’s Encrypt will then look at for a valid acme-response.

So either Let’s Encrypt modifies your current configuration or it starts its own HTTP server (and therefore you have to stop yours) to reply to the challenge. Bad.


Luckily it comes with a third way to reply to the challenges. In webroot mode you can specify a path where the acme-challenge should be placed, which lets you keep using your default web server (in my case Apache).

The command letsencrypt-auto certonly --webroot -w /var/www/letsencrypt -d requests a new certificate for and will place the challenges in /var/www/letsencrypt/.well-known/acme-challenge/. Now we only have to tell our web server to serve requests for /.well-known/acme-challenge/ from /var/www/letsencrypt/.well-known/acme-challenge/.


For Apache web servers this can easily be done by adding a letsencrypt.conf file to /etc/apache2/conf-enabled/ with the following content:

<IfModule mod_alias.c>
    Alias /.well-known/acme-challenge /var/www/letsencrypt/.well-known/acme-challenge
</IfModule>

The advantage of such a global alias is that the response to the acme-challenge will work even if you have multiple (sub-)domains. Also, if one of your (sub-)domains already comes with its own /.well-known/ folder (like e.g. ownCloud), this will not break its setup, since we only aliased the acme-challenge subfolder.
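To make concrete what actually lands in that aliased directory and what Let’s Encrypt checks when it fetches it, here is an added Python example that is not part of the original post or of the letsencrypt client. It models the HTTP-01 round trip locally: the client side writes the key authorization (token, a dot, and the RFC 7638 thumbprint of the ACME account key, as specified in RFC 8555) into the webroot, and the CA side resolves the request URL through the same mapping the Alias directive performs and compares the file contents. The web server fetch is simulated by the alias_to_path function, and the account JWKs are constructed placeholders rather than real keys; those are assumptions of this example, not something the post describes.

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public JWK members,
    serialised with keys sorted lexicographically and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Contents of the challenge file: token '.' thumbprint of the ACME account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def alias_to_path(url_path: str, webroot: str) -> Optional[str]:
    """Models the Apache Alias from the post: only URLs below
    /.well-known/acme-challenge/ map into the webroot. Other /.well-known/
    paths (e.g. an ownCloud instance's) and any traversal attempt are left alone."""
    if not url_path.startswith(CHALLENGE_PREFIX):
        return None
    token = url_path[len(CHALLENGE_PREFIX):]
    if not token or "/" in token or token in (".", ".."):
        return None
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Client side (what certonly --webroot does for us): write the key
    authorization into the challenge directory and return the file path."""
    path = alias_to_path(CHALLENGE_PREFIX + token, webroot)
    if path is None:
        raise ValueError("token is not a valid challenge file name")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def ca_validate(webroot: str, token: str, account_jwk: dict) -> bool:
    """CA side: 'fetch' the challenge URL (here: resolve it through the alias
    and read the file) and compare it with the key authorization expected for
    the account that asked for the certificate."""
    path = alias_to_path(CHALLENGE_PREFIX + token, webroot)
    if path is None or not os.path.isfile(path):
        return False
    with open(path, encoding="ascii") as fh:
        body = fh.read().strip()
    return secrets.compare_digest(body, key_authorization(token, account_jwk))


# Constructed sample account keys (not real keys): the thumbprint only needs
# the public JWK members, so short placeholder values are enough for the demo.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-A", "e": "AQAB"}
OTHER_JWK = {"kty": "RSA", "n": "constructed-modulus-B", "e": "AQAB"}


def demo(webroot: Optional[str] = None) -> dict:
    """Round trip: place one challenge, then validate it with the right
    account key, with a different account key, and for an unknown token."""
    webroot = webroot or tempfile.mkdtemp(prefix="letsencrypt-webroot-")
    token = secrets.token_urlsafe(32)  # ACME tokens carry >= 128 bits of entropy
    place_challenge(webroot, token, ACCOUNT_JWK)
    return {
        "webroot": webroot,
        "token": token,
        "valid_with_account_key": ca_validate(webroot, token, ACCOUNT_JWK),
        "valid_with_other_key": ca_validate(webroot, token, OTHER_JWK),
        "unknown_token": ca_validate(webroot, "no-such-token", ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the run makes visible: the file is useless to anyone who does not hold the matching account key (the wrong-key validation fails), and the alias mapping only ever resolves names directly below the acme-challenge folder, which is why the global alias coexists with an application that owns the rest of /.well-known/.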

PS: Use the staging environment for testing (pass --staging) so you don't run into rate limits while testing. This happened to me, and now I have to wait a week before I can finally roll out the new certificate.

