nginx Let’s Encrypt authentication for reverse-proxy sites


You have an nginx host that is configured as reverse-proxy-only like this:

server {
    server_name  my.domain;
    location / {
        proxy_pass http://localhost:1234;
    }
}

For this host, you want to use Let’s Encrypt to automatically issue a certificate using the webroot method like this:

certbot certonly -a webroot --webroot-path ??? -d my.domain

The reverse-proxied webserver does not provide a webroot that the automated authentication process could use, and you want to keep the flexibility of renewing the certificate at any time without manually modifying the nginx configuration.


Let’s Encrypt’s HTTP validation goes through the /.well-known directory: the client places the challenge response there and the ACME server fetches it over plain HTTP. This means that you only need to perform two simple steps:

  • Create a new (empty) webroot directory where the Let’s Encrypt software can place the authentication info
  • Configure nginx to use said webroot directory for the /.well-known path instead of the reverse proxy.

Assuming you created the webroot directory in /var/my.domain.webroot, you could use this config block inside the server block:

location /.well-known {
    # serve the challenge files from the static webroot instead of proxying them
    root /var/my.domain.webroot;
}

Then, restart nginx and use Let’s Encrypt like this:

certbot certonly -a webroot --webroot-path /var/my.domain.webroot -d my.domain

You can share the webroot directory with other domains.
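As an added example (not from the original post), a small POSIX shell helper that renders the location block for a chosen webroot and pre-flights the path mapping before certbot runs: certbot's webroot plugin writes each token under <webroot>/.well-known/acme-challenge/, and with `root` nginx appends the full request URI to that directory, so the two line up. The `alias` variant is included only to show why it would not. Function names are my own; the /var/my.domain.webroot path is taken from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Helper functions (names are assumptions)
# for the webroot setup described above: render the nginx location block and
# pre-flight the path mapping that certbot's webroot plugin relies on.
set -eu

# certbot's webroot plugin writes each HTTP-01 token here, relative to --webroot-path.
ACME_DIR=".well-known/acme-challenge"

# Emit the location block for a given webroot (same shape as the page's snippet).
render_location() {
    printf 'location /.well-known {\n    root %s;\n}\n' "$1"
}

# Filesystem path nginx serves for URI $1 with `root $2`: root + full URI.
resolve_with_root() {
    printf '%s%s\n' "$2" "$1"
}

# Same URI with `alias $2` inside `location /.well-known` (a common mistake):
# the matched prefix is dropped, so the challenge subdirectory no longer lines up.
resolve_with_alias() {
    printf '%s%s\n' "$2" "${1#/.well-known}"
}

# Where certbot will write token $2 when --webroot-path is $1.
certbot_path() {
    printf '%s/%s/%s\n' "$1" "$ACME_DIR" "$2"
}

# Pre-flight: create the webroot, drop a constructed token in it, and confirm
# the path nginx would resolve with `root` is exactly the file certbot wrote.
# Returns 0 on success, non-zero if the mapping does not line up.
preflight() {
    webroot=$1; token=$2
    mkdir -p "$webroot/$ACME_DIR"
    printf 'preflight-token' > "$(certbot_path "$webroot" "$token")"
    served=$(resolve_with_root "/$ACME_DIR/$token" "$webroot")
    [ -f "$served" ] && [ "$(cat "$served")" = "preflight-token" ]
}
```

Once nginx has picked up the config, fetching http://my.domain/.well-known/acme-challenge/<token> from outside should return the file before certbot is run; `certbot ... --dry-run` exercises the same path against the staging environment.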