If you're struggling setting up Let's Encrypt on some custom server setup of yours - look no more.
When it comes to tech I'm the kind of guy who likes something to be just the way I want it. Of course I might stop with some intermediate decision, but it will bug me until in days or months I still do it just the way I see it.
I have a home server running few VMs with few services and websites on them. Recently in order to simplify my setup that grew over the last few years I started consolidating all the domains I have been using and moving them onto the subdomains of one of them.
I like having SSL everywhere I can. Either it's the lock icon in the address bar what makes it special, or just the basics of Internet security I try being part of. In any case, if you're hosting any kind of web service yourself, not really depending on your setup you can get SSL for free from a trusted Certificate Authority like Let's Encrypt. And with the help of CertBot it's really easy. Unless you're like me and don't look for the easy way π
There are many 1st and 3rd party manuals online on how to install Let's Encrypt or a SSL certificate from another issuer. The problem is that they are usually written for people who has their domain in question handled by Apache on the 80-th port. Which probably matches 95% of the use cases, but not mine. Except using not the standard 80 port I run multiple domains and subdomains on one server in multiple server blocks and configurations.
I was getting problems with using regular CertBot's commands for a Nginx+Ubuntu 16.04 setup. I didn't need the bot to setup my configurations since I did that myself, so I used
sudo certbot --nginx certonly
or even
sudo certbot certonly
But that didn't help, I was getting 404 errors on the ACME challenge. I thought my custom port was to blame as probably CertBot is setup to work only with the 80-th port so it couldn't find needed files there since I am using another port. As it turned out the port wasn't to blame.
The real issue was that CertBot was looking for files in a wrong folder on my VM's drive. Turns out if you don't specify it explicitly, the bot looks for the files in predefined paths, which in my case also were custom π
That's where a handy --webroot option comes in:
certbot certonly --webroot -w /var/www/example.com/test/ -d test.example.com
And that's how I got a shiny lock icon on one of my new subdomains.
For more info on the --webroot (and other) options you can read in the official Certbot user guide.