
Not supported on all platforms though, on my FreeBSD box the only option it gave me was to take down the web server. Maybe it's possible with manual config?



There is an option to run it on a different port which will allow you to reverse proxy to it.

    --standalone-supported-challenges http-01 --http-01-port 9999

Will make it listen on port 9999. Their server will only connect to the official ports of course, so you need to reverse proxy.


I can understand some of the need for this. On the other hand you could make it trust all privileged ports, which implies root access - but this is a separate concern for other users.


Nice, I really like that idea. Any information on what paths I'd need to reverse proxy to it?


In nginx you would need the following location (with different contents):

    location /.well-known/acme-challenge/ {
      alias /var/www/challenges/;
      try_files $uri =404;
    }
Snippet from https://github.com/diafygi/acme-tiny documentation.


You installed py27-letsencrypt from ports? I posted a command in here that I used on FreeBSD and it worked fine to register a certificate without disturbing the running web server. The webroot authenticator does work in FreeBSD.


I used the git version actually and it complained that it couldn't configure my web server, what's needed to use the webroot authenticator?


It's one of the plugins included with the client. See [1] for more.

[1]: https://letsencrypt.readthedocs.org/en/latest/using.html#web...


Yeah, this gets really tedious though because you have to do special configuration for every vhost you want SSL on, nginx doesn't appear to offer a way to do global location directives.

Maybe I'll just write a firewall rule to redirect traffic from letsencrypt IPs over to the standalone client.


I think you can create an include file with all the SSL configuration like cipher lists, Let's Encrypt support etc and just include it once for every vhost that uses SSL. Probably won't save time initially, but it should make changes like this faster in future.
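
Added example (not part of any comment in this thread, and not taken from the Let's Encrypt or acme-tiny documentation): the include-file approach combined with the reverse proxy to the standalone client on port 9999. The file paths, the `example.com` / `example.org` names and the web roots are assumptions made for illustration.

```nginx
# ---- file: /usr/local/etc/nginx/snippets/acme-challenge.conf (assumed path) ----
# Shared by every vhost. Forwards only the ACME HTTP-01 challenge path to the
# standalone client started with:
#   --standalone-supported-challenges http-01 --http-01-port 9999
# "^~" stops regex locations in a vhost (e.g. a PHP or rewrite block) from
# taking over this prefix, so challenge requests never reach the application.
location ^~ /.well-known/acme-challenge/ {
    # No URI part on proxy_pass: the original request path is passed unchanged.
    proxy_pass http://127.0.0.1:9999;
    proxy_set_header Host $host;
}

# ---- file: /usr/local/etc/nginx/nginx.conf, inside the http { } block ----
# The challenge is fetched over plain HTTP on port 80, so the include goes in
# the port-80 server block of each name that needs a certificate.
server {
    listen 80;
    server_name example.com;          # constructed name
    include /usr/local/etc/nginx/snippets/acme-challenge.conf;

    location / {
        root /usr/local/www/example.com;   # assumed web root
    }
}

server {
    listen 80;
    server_name example.org;          # constructed name
    include /usr/local/etc/nginx/snippets/acme-challenge.conf;

    location / {
        root /usr/local/www/example.org;   # assumed web root
    }
}
```

Because nginx reaches the client over loopback, port 9999 does not need to be opened in the host firewall; only the challenge prefix is reachable from outside, and only while the client is running.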



