1. Tutorials
  2. Let's Encrypt

Let's Encrypt Ssl Using Webroot Authenticator

January 11, 2018
tls-sni challenge disabled

If you try to obtain SSL using sudo certbot --nginx -d mydomain.com -d www.mydomain.com, you might bump into the following error due to tls-sni challenge disabled.

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

NOTE: The above problem can be solved by Upgrading Cerbot to 0.21.1.

Alternatively, you can setup ssl for nginx using --authenticator webroot.

First, setup nginx to handle /.well-known/acme-challenge/* request.

Multiple domains can share their acme-challenge in the same location, either in /usr/share/nginx/letsencrypt or /var/www/letsencrypt.

server {
        ...
        location /.well-known/acme-challenge/ {
                root /usr/share/nginx/letsencrypt;
        }
}

Restart nginx.

sudo service nginx restart

Execute certbot to use --authenticator webroot.

sudo certbot --authenticator webroot --webroot-path /usr/share/nginx/letsencrypt -d www.mydomain.com

Note: the authenticator will create authentication files at /usr/share/nginx/letsencrypt/.well-known/acme-challenge/* and access http://www.mydomain.com/.well-known/acme-challenge/* to retrieve such file for authentication.

Note: /usr/share/nginx/letsencrypt/.well-known/acme-challenge/ is deleted automatically after authentication, whether success or fail.

❤️ Is this article helpful?
Buy me a coffee☕ or support my work to keep this space 🖖 and ad-free.
If you can't, do send some 💖 to @d_luaz or help to share this article.
👶 Apps I built
暖心芽 (WIP) 🌞❤️🌱 - reminder of hope, warmth, thoughts and feelings.
Travelopy - travel discovery and journal
LuaPass - offline password manager
WhatIDoNow - a public log of things I am working on now
By Desmond Lua
A dream boy who enjoys programming and travelling, maker of Travelopy. Follow me on @d_luaz.
This work is licensed under a
Creative Commons Attribution-NonCommercial 4.0 International License.