Getting LetsEncrypt certs non-invasively using nginx and webroot

I finally found a nice way to get LetsEncrypt certificates integrated with websites behind a reverse-proxy.

Problem: I don't want certbot messing with my server configs, and I don't want to shut down my main web server just so I can get a cert using --standalone.

The way Nginx interprets location and root directives makes it really easy to solve this problem. Put a location for .well-known into your server config for non-SSL HTTP:

server {
    server_name                     www.example.com;
    listen                          80;

    location / {
        rewrite                     ^(.*)   https://$host$1;
    }

    location /.well-known/ {
        root /srv/www.example.com;
    }
}

Now:

mkdir /srv/www.example.com
certbot certonly --webroot -w /srv/www.example.com -d www.example.com

Certbot will now place the credentials somewhere under /srv/www.example.com/.well-known/yadda/IdontKnow, nginx will serve it correctly, authentication will succeed and everyone will live happily ever after. No configuration fiddlements, no shutting down your server, it just freaking works -- and you can totally do that on a reverse proxy without the actual app ever knowing about it.