nginx Let’s Encrypt authentication for reverse-proxy sites

Problem:

You have an nginx host that is configured as reverse-proxy-only like this:

server {
    server_name  my.domain;
    [...]
    location / {
        proxy_pass http://localhost:1234;
    }
}

For this host, you want to use Let’s Encrypt to automatically issue a certificate using the webroot method like this:

certbot certonly -a webroot --webroot-path ??? -d my.domain

The reverse-proxied web server has no webroot that certbot could write its challenge files to, and you want to keep the flexibility of issuing or renewing the certificate at any time without manually modifying the nginx configuration.

Solution:

Let’s Encrypt validates control of the domain with the ACME HTTP-01 challenge: its server fetches http://my.domain/.well-known/acme-challenge/<token> over plain HTTP (port 80), and certbot’s webroot authenticator writes that token file below the webroot you point it at. The proxied application never has to see these requests, so you only need to perform two simple steps:

  • Create a new (empty) webroot directory where certbot can place the challenge files.
  • Configure nginx to serve the /.well-known path from that directory instead of passing it to the reverse proxy.

Assuming you created the webroot directory in /var/my.domain.webroot, you could use this config block inside the server block that listens on port 80 (the ACME server connects over plain HTTP, so the challenge path must be reachable there, directly or via a redirect). nginx picks the longest matching prefix location, so /.well-known wins over / and is not proxied. Use root rather than alias here: with root, nginx appends the full request URI, so /.well-known/acme-challenge/<token> maps to /var/my.domain.webroot/.well-known/acme-challenge/<token>, which is exactly where certbot writes it.

location /.well-known {
    root /var/my.domain.webroot;
}

Then test and reload nginx (nginx -t && nginx -s reload; a full restart is not needed) and run certbot like this (add --dry-run on the first attempt to validate against the staging environment without consuming rate limits):

certbot certonly -a webroot --webroot-path /var/my.domain.webroot -d my.domain

You can share the webroot directory with other domains: add the same location block to each server block and pass the same --webroot-path for every -d. certbot records the webroot path in its renewal configuration, so certbot renew keeps working later without touching the nginx configuration again.
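The two steps above, as an added shell example that is not part of the original post: it renders a complete port-80 server block (narrowed to /.well-known/acme-challenge/ with ^~ so no regex location can capture it), creates the webroot, and includes an offline check that nginx’s root directive maps the challenge URI onto the file certbot writes while alias would not. The script name acme-proxy.sh, the check/config/issue subcommands and the constructed token are assumptions of this example; the domain, webroot and upstream are the post’s placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): renders the port-80 server
# block, shows where certbot's webroot authenticator writes the token, and
# checks offline that nginx's `root` directive (not `alias`) maps the challenge
# URI onto that file. Assumes a POSIX shell; the domain, webroot and upstream
# are the post's placeholders and can be overridden via the environment.
set -eu

DOMAIN="${DOMAIN:-my.domain}"
WEBROOT="${WEBROOT:-/var/$DOMAIN.webroot}"
UPSTREAM="${UPSTREAM:-http://localhost:1234}"

# nginx `root`: the file served is <root> + <full request URI>.
map_root() {   # $1 = root, $2 = request URI
    printf '%s%s' "$1" "$2"
}

# nginx `alias`: the matched location prefix is removed before appending.
map_alias() {  # $1 = alias (trailing slash), $2 = location prefix, $3 = request URI
    printf '%s%s' "$1" "${3#"$2"}"
}

# File that `certbot certonly -a webroot --webroot-path $1` creates for a token.
certbot_token_path() {  # $1 = webroot, $2 = token
    printf '%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Port-80 server block: challenge path from the webroot, the rest proxied.
render_config() {  # $1 = domain, $2 = webroot, $3 = upstream
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;

    # Token files written by certbot --webroot. "^~" keeps a regex location
    # elsewhere in the block from capturing this path. The token file has
    # no extension, so serve it as plain text.
    location ^~ /.well-known/acme-challenge/ {
        root $2;
        default_type "text/plain";
    }

    location / {
        proxy_pass $3;
    }
}
EOF
}

# Offline self-check: put a constructed token into a temporary webroot the way
# certbot would, then confirm that the `root` mapping finds it and that an
# `alias` mapping of the same directory would not. Returns 0 when correct.
preflight() {
    tmp=$(mktemp -d)
    token="constructed-token-0123456789"   # constructed sample, not a real ACME token
    uri="/.well-known/acme-challenge/$token"
    mkdir -p "$tmp/.well-known/acme-challenge"
    printf 'constructed-key-authorization' > "$(certbot_token_path "$tmp" "$token")"

    root_path=$(map_root "$tmp" "$uri")
    alias_path=$(map_alias "$tmp/" "/.well-known/acme-challenge/" "$uri")

    rc=0
    [ -f "$root_path" ]    || rc=1   # must resolve to the token file
    [ ! -f "$alias_path" ] || rc=1   # would look for $tmp/<token>: nothing there
    rm -rf "$tmp"
    return "$rc"
}

# Usage on the real host (as root):
#   sh acme-proxy.sh check    offline mapping check
#   sh acme-proxy.sh config   print the server block to add to nginx
#   sh acme-proxy.sh issue    create the webroot, reload nginx, dry-run certbot
case "${1:-}" in
    check)  preflight && echo "webroot mapping OK" ;;
    config) render_config "$DOMAIN" "$WEBROOT" "$UPSTREAM" ;;
    issue)  mkdir -p "$WEBROOT"
            nginx -t && nginx -s reload
            certbot certonly -a webroot --webroot-path "$WEBROOT" \
                -d "$DOMAIN" --dry-run ;;
esac
```

Run `sh acme-proxy.sh config` and paste the output into the nginx configuration (or narrow the post’s own /.well-known location to /.well-known/acme-challenge/ the same way), then `sh acme-proxy.sh issue` to create the webroot, reload nginx and do a staging dry run; drop --dry-run once that succeeds.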