Most letsencrypt setups use the webroot plugin to authenticate the domain, but I don't like writing temp files to my drive. Letsencrypt provides a standalone authenticator which can be used to skip that part. In combination with a webserver proxy you can verify all domains pretty easily. You will have to set up the webserver to forward all traffic for the location /.well-known/acme-challenge to localhost port 81, so that only the challenge path reaches the standalone listener. For nginx:
server {
    listen 80;
    server_name example.com;

    # only the ACME challenge path is handed to the standalone listener on port 81
    location /.well-known/acme-challenge {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:81$request_uri;
    }

    # optional: redirect everything else to https
    location / {
        return 301 https://$server_name$request_uri;
    }
}
For lighttpd:
$HTTP["url"] =~ "^/.well-known/acme-challenge" {
    proxy.server = (
        "" => ( (
            "host" => "127.0.0.1",
            "port" => 81
        ) )
    )
}
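Before running the client it is worth confirming that the front end really forwards the challenge path to port 81 and nothing else. The following is an added check, not code from the letsencrypt project: it binds a stand-in for the standalone http-01 responder on 127.0.0.1:81 (the token, key authorization and the hostname example.com are constructed placeholders) and fetches the token through the port 80 proxy.

```python
"""Constructed pre-flight check for the port 80 -> 81 ACME proxy above (not
part of the letsencrypt client): a stand-in for its standalone http-01
responder serves one constructed token, check_proxy() fetches it through the
front end and confirms the body came back unchanged."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeResponder(BaseHTTPRequestHandler):
    """Answers exactly one token, as the standalone listener would; all else 404."""
    token = "constructed-token"                              # placeholder, not a real token
    key_authz = "constructed-token.constructed-thumbprint"   # placeholder key authorization

    def do_GET(self):
        if self.path != CHALLENGE_PREFIX + self.token:
            self.send_error(404)
            return
        body = self.key_authz.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the check quiet


def start_responder(port):
    """Bind the stand-in on 127.0.0.1:<port> (81 in this setup; needs root) in a thread."""
    srv = HTTPServer(("127.0.0.1", port), ChallengeResponder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_proxy(front_base, token=ChallengeResponder.token):
    """True only if the front end proxied the challenge path through intact."""
    try:
        with urllib.request.urlopen(front_base + CHALLENGE_PREFIX + token, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == ChallengeResponder.key_authz
    except (urllib.error.URLError, OSError):  # 404, connection refused, bad redirect ...
        return False
```

On the server, run as root: start_responder(81), then check_proxy("http://example.com") should return True; a False means the challenge path is not reaching port 81 (or the catch-all redirect is swallowing it).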
Install the letsencrypt Python client from your preferred source.
Run letsencrypt for your domain (the standalone authenticator is selected explicitly so no plugin prompt appears):
letsencrypt certonly --standalone --agree-tos --email webmaster@example.com \
    --standalone-supported-challenges http-01 --http-01-port 81 --domains example.com
The flag --http-01-port is listed in the man page under the following warning:
The following flags are meant for testing purposes only! Do NOT change
them, unless you really know what you're doing!
With a configuration file at /etc/letsencrypt/cli.ini you can shorten the command down to just letsencrypt certonly:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Register with the specified e-mail address
email = webmaster@example.com

# Generate certificates for the specified domains
domains = example.com

# Use a text interface instead of ncurses
text = True

# Use the standalone authenticator, answering http-01 on the port set below
authenticator = standalone
standalone-supported-challenges = http-01

# Change the http-01 port to 81. The web server must be configured to proxy
# requests for /.well-known/acme-challenge to port 81 for this to work.
http-01-port = 81

# Bare keys are read as "true"
agree-tos
expand
keep-until-expiring

# Alternative: use the webroot authenticator instead of standalone. Replace
# webroot-path with the public_html / webroot folder served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html