2.1 KiB
WELLKNOWN
With http-01-type verification (default in this script, there is also support for dns based verification) Let's Encrypt (or the ACME-protocol in general) is checking if you are in control of a domain by accessing a verification file on an URL similar to http://example.org/.well-known/acme-challenge/m4g1C-t0k3n.
It will do that for any (sub-)domain you want to sign a certificate for.
At the moment you'll need to have that location available over normal HTTP on port 80 (redirect to HTTPS will work, but starting point is always HTTP!).
letsencrypt.sh has a config variable called WELLKNOWN, which corresponds to the directory which should be served under /.well-known/acme-challenge on your domain. So in the above example the token would have been saved as $WELLKNOWN/m4g1C-t0k3n.
If you only have one docroot on your server you could easily do something like WELLKNOWN=/var/www/.well-known/acme-challenge, for anything else look at the example below.
Example Usage
If you have more than one docroot (or you are using your server as a reverse proxy / load balancer) the simple configuration mentioned above wouldn't work, but with just a few lines of webserver configuration this can be solved.
An example would be to create a directory /var/www/letsencrypt and set WELLKNOWN=/var/www/letsencrypt in the scripts config.
You'll need to configure aliases on your Webserver:
Nginx example config
With Nginx you'll need to add this to any of your server/VHost config blocks:
server {
[...]
location /.well-known/acme-challenge {
alias /var/www/letsencrypt;
}
[...]
}
Apache example config
With Apache just add this to your config and it should work in any VHost:
Alias /.well-known/acme-challenge /var/www/letsencrypt
<Directory /var/www/letsencrypt>
Options None
AllowOverride None
# Apache 2.x
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
# Apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>