nginx Let’s Encrypt authentication for reverse-proxy sites

Sun 06 December 2015
By Uli Köhler

In Linux


You have an nginx host that is configured as reverse-proxy-only like this:

server {
    server_name  my.domain;
    location / {
        proxy_pass http://localhost:1234;
    }
}

For this host, you want to use Let’s Encrypt to automatically issue a certificate using the webroot method like this:

letsencrypt certonly -a webroot --webroot-path ??? -d my.domain

The reverse-proxied webserver does not provide a webroot to use for the automated authentication process, and you want to keep the flexibility of renewing the cert at any time without manually modifying the nginx configuration.


Let’s Encrypt uses the /.well-known directory to communicate with the ACME server. This means that you only need to perform two simple steps:

  • Create a new (empty) webroot directory where the Let’s Encrypt software can place the authentication info
  • Configure nginx to use said webroot directory for the /.well-known path instead of the reverse proxy.

Assuming you created the webroot directory in /var/my.domain.webroot, you could use this config block inside the server block:

location /.well-known {
    root /var/my.domain.webroot;
}

Then, restart nginx and use Let’s Encrypt like this:

letsencrypt certonly -a webroot --webroot-path /var/my.domain.webroot -d my.domain

You can share the webroot directory with other domains.
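Added example (not from the original post): a small shell helper that prepares the shared webroot, prints the complete server block with both locations, and checks before running the client that a file placed under /.well-known is actually served from the webroot rather than forwarded to the proxied backend. The domain, webroot path and backend port are assumed placeholders taken from the post.

```shell
#!/bin/sh
# Assumed values (from the post); override via environment if needed.
WEBROOT="${WEBROOT:-/var/my.domain.webroot}"
DOMAIN="${DOMAIN:-my.domain}"

# Create the directory the Let's Encrypt webroot plugin writes tokens into
# (.well-known/acme-challenge/ below the webroot) and make it world-readable
# so the nginx worker can serve the files.
prepare_webroot() {
    mkdir -p "$1/.well-known/acme-challenge"
    chmod 755 "$1" "$1/.well-known" "$1/.well-known/acme-challenge"
}

# Print the full server block: /.well-known is served from the webroot,
# everything else is passed to the reverse-proxied backend.
# Usage: nginx_server_block <domain> <webroot>
nginx_server_block() {
    cat <<EOF
server {
    listen 80;
    server_name $1;

    location /.well-known {
        root $2;
    }

    location / {
        proxy_pass http://localhost:1234;
    }
}
EOF
}

# Pre-flight check: drop a throw-away token into the challenge directory and
# fetch it through nginx. If the backend answers instead of the webroot, the
# body will not match the token and the function returns non-zero.
# Usage: check_challenge_path <webroot> <domain>
check_challenge_path() {
    token="preflight-$$"
    echo "$token" > "$1/.well-known/acme-challenge/$token" || return 1
    body=$(curl -fsS "http://$2/.well-known/acme-challenge/$token")
    rm -f "$1/.well-known/acme-challenge/$token"
    [ "$body" = "$token" ]
}
```

Run `prepare_webroot "$WEBROOT"`, install the printed block, reload nginx, then `check_challenge_path "$WEBROOT" "$DOMAIN"` before invoking letsencrypt; a failing check means the /.well-known location is not taking effect.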