Getting LetsEncrypt certs non-invasively using nginx and webroot

I finally found a nice way to get LetsEncrypt certificates integrated with websites behind a reverse-proxy.

Problem: I don't want certbot messing with my server configs, and I don't want to shut down my main web server just so I can get a cert using --standalone.

The way Nginx interprets location and root directives makes it really easy to solve this problem. Put a location for .well-known into your server config for non-SSL HTTP:

server {
    server_name           ;
    listen                          80;

    location / {
        rewrite                     ^(.*)   https://$host$1;

    location /.well-known/ {
        root /srv/;


mkdir /srv/
certbot certonly --webroot -w /srv/ -d

Certbot will now place the credentials somewhere under /srv/, nginx will serve it correctly, authentication will succeed and everyone will live happily ever after. No configuration fiddlements, no shutting down your server, it just freaking works -- and you can totally do that on a reverse proxy without the actual app ever knowing about it.


I recently had to do it on an Apache2 server. It works similarly, but the Alias directive has to include the .well-known path:

Alias /.well-known /srv/

The rest of the procedure works the same way.