Let’s Encrypt has become easier – avoid re-validation by rolling over within 60 days and avoid web server ACME certificate protocol permission issues

The latest certbot-auto tool comes with a new feature (or I must have missed it 3 months ago) that spins up a temporary web server on port 443. This is a huge improvement IMHO, as it avoids the permissions hassle you can have on a security-hardened web server installation (be it Apache, IIS, Nginx, …). The ACME webroot method, which puts a validation file somewhere in your virtual host directory for domain validation, can be troublesome.

Now it boils down to turning off your web server (to free port 443), running certbot-auto, copying the two pem files to the appropriate web server location for your use case and starting the web server again, which can all be done in a matter of seconds…

Apache example:

  1. apachectl stop
  2. certbot-auto certonly, ignore any warnings and choose option 1 (spin up a temporary web server). You can now even combine multiple subdomains in one certificate (subject alternative names), for example resulting in: 
  3. copy over the pem files to the appropriate location – see a previous blog post for an example
  4. apachectl start

This can easily be scripted for any web server AND, if you do it within 60 days (so at least 30 days before your cert expires), the validation step is not needed (according to the official Let’s Encrypt documentation their domain validation cache policy can vary…).

Step 2 can be simplified by adding command line parameters for scripting purposes…
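The four Apache steps above as one non-interactive script, written here as an added example rather than the post's own script. The certbot flags it uses are real certbot options that replace the interactive menu (`--standalone` is "option 1", `--non-interactive`, `--agree-tos` and `--email` answer the remaining prompts, `-d` adds each subject alternative name). The domain names, the contact address, the Apache certificate directory `/etc/apache2/ssl`, the `/etc/letsencrypt/live/<first domain>/` layout and `certbot-auto` being on PATH are assumptions, not from the post; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not the post's own script): steps 1 to 4 as one
# non-interactive run. Assumed, not from the post: the domain list, the
# contact address, the Apache certificate directory and the live/ layout.
set -eu

DOMAINS="${DOMAINS:-example.com www.example.com}"       # constructed sample domains
EMAIL="${EMAIL:-hostmaster@example.com}"                 # constructed sample contact
CERTBOT="${CERTBOT:-certbot-auto}"                       # assumed to be on PATH
APACHE_CERT_DIR="${APACHE_CERT_DIR:-/etc/apache2/ssl}"   # assumed Apache location
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"      # where certbot writes the pems

# Turn "example.com www.example.com" into the certbot argument list. The flags
# replace the interactive menu: --standalone is "option 1" (temporary web
# server); --non-interactive, --agree-tos and --email answer the other prompts.
build_certbot_args() {
    cb_args="certonly --standalone --non-interactive --agree-tos --email $2"
    for cb_domain in $1; do
        cb_args="$cb_args -d $cb_domain"
    done
    printf '%s' "$cb_args"
}

# Copy fullchain.pem and privkey.pem into the web server's directory, with the
# private key readable by root only. Refuses to copy anything if either file is
# missing, so a failed certbot run never leaves Apache with a half-installed pair.
install_certs() {
    ic_src="$1"; ic_dst="$2"
    for ic_file in fullchain.pem privkey.pem; do
        [ -f "$ic_src/$ic_file" ] || { echo "missing $ic_src/$ic_file" >&2; return 1; }
    done
    mkdir -p "$ic_dst"
    cp "$ic_src/fullchain.pem" "$ic_dst/fullchain.pem"
    cp "$ic_src/privkey.pem" "$ic_dst/privkey.pem"
    chmod 644 "$ic_dst/fullchain.pem"
    chmod 600 "$ic_dst/privkey.pem"
}

# Steps 1-4: stop Apache to free port 443, renew, copy, start Apache again.
renew_apache() {
    set -- $DOMAINS            # certbot names the live directory after the first -d
    apachectl stop
    # Bring Apache back even if certbot or the copy fails: a stopped web server
    # is worse than one still serving the old (not yet expired) certificate.
    trap 'apachectl start' EXIT
    # shellcheck disable=SC2046 -- the argument string is meant to be word-split
    "$CERTBOT" $(build_certbot_args "$DOMAINS" "$EMAIL")
    install_certs "$LE_LIVE_DIR/$1" "$APACHE_CERT_DIR"
}

# Only perform the live stop/renew/copy/start cycle when invoked with "run".
if [ "${1:-}" = "run" ]; then
    renew_apache
fi
```

Invoke it as `sh renew-apache.sh run` (the functions alone load without the argument, which keeps them testable); a cron entry every 60 days matches the renewal window the post describes. The `trap` matters in practice: without it, a certbot failure would leave Apache stopped, whereas with it the old certificate keeps being served until the next attempt.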

Combine Let’s encrypt with cheap domain name providers and you are up and running for 10 dollars a year…
