This is the procedure for configuring Apache HTTP Server and Let’s Encrypt to use the alias-based webroot method for the ACME challenge. The benefit over stopping Apache for the challenge is that there is no downtime.
Be aware that this method does not work if any virtual host redirects port 80.
Create the webroot directory for the ACME challenge by Let’s Encrypt.
# mkdir -p /usr/local/www/letsencrypt/.well-known/acme-challenge/
# chmod -R 755 /usr/local/www/letsencrypt
# chown -R www:www /usr/local/www/letsencrypt
Edit the virtual host configuration file for Apache.
# nano /usr/local/etc/apache24/extra/httpd-vhosts.conf
Add the global alias to the webroot directory for the ACME challenge by Let’s Encrypt. If the Apache server is hosting HTTP as well as HTTPS sites, then a global alias is best.
Alias /.well-known/acme-challenge/ "/usr/local/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/usr/local/www/letsencrypt/.well-known/acme-challenge/">
    AllowOverride None
    Options None
    Require all granted
</Directory>
Perform a sanity check of the configuration file and restart Apache.
# service apache24 configtest
# service apache24 restart
Switch the domains to the webroot method. This can be automated with a script.
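#!/bin/sh
# Rewrite every certbot renewal file to use the webroot authenticator.
# Note: sed -i '' is the BSD sed syntax used on FreeBSD.
for f in /usr/local/etc/letsencrypt/renewal/*.conf; do
    # Drop the old authenticator, webroot path and hooks.
    sed -i '' \
        -e '/^authenticator =/d' \
        -e '/^webroot_path =/d' \
        -e '/^pre_hook *=/d' \
        -e '/^post_hook *=/d' \
        "$f"
    # Appended lines join the last section of the file, so [renewalparams]
    # must be the last section (no [[webroot_map]] subsection after it).
    echo "authenticator = webroot" >> "$f"
    echo "webroot_path = /usr/local/www/letsencrypt" >> "$f"
done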
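A check for the result of the switch, added here as an example and not part of the original procedure: it confirms that each renewal file has exactly one webroot authenticator and path inside [renewalparams] and no leftover hooks. It assumes certbot's renewal file layout (settings under [renewalparams], with an optional [[webroot_map]] subsection); the names check_renewal_conf and demo and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a certbot renewal file after the switch to webroot.
# check_renewal_conf FILE [WEBROOT] prints findings and returns 1 if any.
check_renewal_conf() {
    awk -v want="${2:-/usr/local/www/letsencrypt}" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t,]+$/, "", s); return s }
        function bad(msg) { print FILENAME ": " msg; failed = 1 }
        # Track the section; [[...]] opens a subsection (assumed certbot layout).
        /^[ \t]*\[\[/              { sec = "sub"; next }
        /^[ \t]*\[renewalparams\]/ { sec = "params"; next }
        /^[ \t]*\[/                { sec = "other"; next }
        /^[ \t]*#/ || !index($0, "=") { next }
        {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (sec == "params") { seen[key]++; value[key] = val }
            else if (key == "authenticator" || key == "webroot_path")
                bad(key " is outside [renewalparams]")
        }
        END {
            if (seen["authenticator"] != 1 || value["authenticator"] != "webroot")
                bad("need exactly one authenticator = webroot in [renewalparams]")
            if (seen["webroot_path"] != 1 || value["webroot_path"] != want)
                bad("need exactly one webroot_path = " want " in [renewalparams]")
            if (seen["pre_hook"] || seen["post_hook"])
                bad("pre_hook or post_hook is still set")
            exit failed + 0
        }
    ' "$1"
}

# Constructed sample files (not from a real system) showing both outcomes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'cert = /x/cert.pem' '[renewalparams]' 'account = abc' \
        'authenticator = webroot' 'webroot_path = /usr/local/www/letsencrypt' \
        > "$d/good.conf"
    # Keys appended after [[webroot_map]] land in that subsection.
    printf '%s\n' '[renewalparams]' 'account = abc' '[[webroot_map]]' \
        'example.org = /var/www' 'authenticator = webroot' \
        'webroot_path = /usr/local/www/letsencrypt' > "$d/misplaced.conf"
    check_renewal_conf "$d/good.conf" && echo "good.conf: ok"
    check_renewal_conf "$d/misplaced.conf" || echo "misplaced.conf: needs fixing"
    rm -rf "$d"
}
demo
```

Run check_renewal_conf over each file in /usr/local/etc/letsencrypt/renewal/ after the switch script; certbot renew --dry-run then exercises the challenge end to end.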
Edit the crontab file.
# nano /etc/crontab
Configure automatic renewal by Let’s Encrypt. In this example, it runs every Monday at 13:13.
13 13 * * 1 root /usr/local/bin/certbot renew
Activate the change.
# service cron restart