Certbot - Recipes

Table of Contents


How it works


  • writes a challenge into a directory specified in a configuration file or passed as argument. Pass the webroot as argument, certbot will write the challenge into <webroot>/.well-known/acme-challenge/
  • tells their server to perform a request for the challenge file on the website for which you are trying to obtain the certificate (e.g. something along the lines of: https*://<website>/.well-known/acme-challenge/<challenge_just_created>
  • if the challenge succeeds, it emits the certificate and stores data in a configuration file for further renewals

How to renew certificates

Setup a Cron Job

This is the solutions suggested by Let’s Encrypt. Somehow I cannot manage to have the cron job working (Environment? Path? Who knows).

So, while trying to solve the issue, the two options below are those I use.

By hand, before certificate expiration

sudo su
certbot renew

By hand, after certificate expiration

Renewing certificates after expiration is a bit trickier, especially if your configuration:

  1. redirects all traffic to https and you did not add an exception for serving .well-known/acme-challenge from http. In fact, if all traffic is redirected to https, certbot fails, since it tries to load a challenge from a website with an invalid certificate and the request fails.
  2. you are trying to renew a certificate for a web app and you did not set a special rule to serve files from .well-known/acme-challenge.

So, if you are like me, namely not smart enough to have a configuration which manages these cases, the solution is as follows:

  1. Change the configuration so that:
    • It responds to http (e.g., comment redirects to https).
    • It makes https://<webroot>/.well-known/acme-challenge/ visible on the Internet; see example rule below for Nginx. The rule is most often needed for webapps.
  2. Restart the server
  3. Launch certbot renew
  4. Restore the configuration
  5. Restart the server
  6. Add a reminder to renew, next time, before expiration
  7. Miss all reminders and warnings Let’s Encrypt sends, miss the reminder you set at step 6; start again from step 1.

    location ^~ /.well-known/acme-challenge/ {
        alias /srv/http/.well-known/acme-challenge/;
        try_files $uri =404;