Change a letsencrypt SSL certificate to a webroot renewal instead of spinning up a standalone server.

by Simon Parker, April 5, 2022

When you first use letsencrypt, or certbot, to add an SSL certificate to an Ubuntu or other Linux server, it will often install the certificate using the standalone authenticator. This could be because of the guide you followed at the time, or because you administer an old server that still has standalone certificates in place.

Standalone renewals spin up their own temporary web server in order to answer the domain challenges and install the certificate. This causes problems when another web server such as Apache or Nginx is already listening on port 80 (HTTP), and it means a more complex renewal process in which Nginx has to be stopped in order to renew the certificate.

Webroot renewals, in contrast, only need to know where a publicly served folder is, so that the challenge files required for the renewal can be placed there.

For example, you could use an Nginx configuration to serve /.well-known/acme-challenge as a publicly available folder, so that requests from letsencrypt are routed to a specific destination on the server or within the individual site's folder structure.

Either way, I found myself needing to change from a standalone certificate renewal to a webroot style renewal so that I could properly and safely automate the cert renewals.

Thankfully, once you have found the right information, this is quite straightforward.

In /etc/letsencrypt/renewal/xxxxxxx.co.uk.conf you will find the renewal information for the certificate in question.

If you have a standalone renewal set up, it will likely look like this:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/xxxxxxx.co.uk
cert = /etc/letsencrypt/live/xxxxxxx.co.uk/cert.pem
privkey = /etc/letsencrypt/live/xxxxxxx.co.uk/privkey.pem
chain = /etc/letsencrypt/live/xxxxxxx.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/xxxxxxx.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = longstringofnumbersandletters
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

This contains all the information required for the certificate to renew. We want it to use a webroot (a publicly available folder) to perform the renewal instead of the standalone server, so that the renewal can be run from cron.

We need to change the authenticator to webroot, add the webroot path, and, depending on your setup, potentially add a webroot map as well.

The final config file will look like this:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/xxxxxxx.co.uk
cert = /etc/letsencrypt/live/xxxxxxx.co.uk/cert.pem
privkey = /etc/letsencrypt/live/xxxxxxx.co.uk/privkey.pem
chain = /etc/letsencrypt/live/xxxxxxx.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/xxxxxxx.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = longstringofnumbersandletters
authenticator = webroot
webroot_path = /home/client/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
xxxxxxx.co.uk = /home/client/html
www.xxxxxxx.co.uk = /home/client/html

Note the change of the authenticator to webroot.

webroot_path is written with an underscore (this was changed in an older version and used to be a hyphen). It also seems to require the comma at the end of this line.

Then, as we had more than one -d domain when we originally set up the certificate, we use [[webroot_map]] to assign potentially different folders to the www and non-www versions of the site. In our case these are the same folder.
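As an added example (not part of the original post), here is a small Python check that parses a renewal file in this layout and flags the mistakes that would make a cron renewal fail: an authenticator still set to standalone, a missing webroot_path, or a webroot directory that does not exist on disk. The sample config and the example.co.uk domain are constructed.

```python
import os
import re

# Constructed sample in the layout of /etc/letsencrypt/renewal/<domain>.conf
SAMPLE_CONF = """\
version = 0.40.0
[renewalparams]
account = longstringofnumbersandletters
authenticator = webroot
webroot_path = /home/client/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
example.co.uk = /home/client/html
www.example.co.uk = /home/client/html
"""

def parse_renewal_conf(text):
    """Parse certbot's configobj-style file into {section: {key: value}};
    top-level keys live under "" and [[webroot_map]] under "webroot_map"."""
    sections = {"": {}}; current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*([^\]]+?)\s*\]+", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        # certbot writes a one-item list as "value," so strip that trailing comma
        current[key.strip()] = value.strip().rstrip(",").strip()
    return sections

def check_webroot_renewal(sections, isdir=os.path.isdir):
    """Return the problems found; an empty list means cron renewal should work."""
    problems, params = [], sections.get("renewalparams", {})
    auth = params.get("authenticator")
    if auth != "webroot":
        problems.append(f"authenticator is {auth!r}, expected 'webroot'")
    path = params.get("webroot_path")
    if not path:
        problems.append("webroot_path missing from [renewalparams]")
    elif not isdir(path):
        problems.append(f"webroot_path {path} is not a directory")
    # every domain in [[webroot_map]] must point at a directory the web server serves
    for domain, root in sections.get("webroot_map", {}).items():
        if not isdir(root):
            problems.append(f"{domain}: webroot {root} is not a directory")
    return problems
```

Run it against the real file with `check_webroot_renewal(parse_renewal_conf(open(path).read()))`; an empty list means the config is consistent with what the dry run below expects.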

Save the file and run:

sudo certbot renew --dry-run

This checks whether all the renewals would succeed and prints a simulated output.

If all is good you can leave your certbot renewal to run from cron.

Note that, depending on your web server, you may need to add a deploy hook to the certbot cron renewal so that the web server is restarted after renewal.

As I am using the LiteSpeed web server I added

--deploy-hook "/usr/local/lsws/bin/lswsctrl restart"

to the end of the cron line in /etc/cron.d/certbot

I hope this saves someone some time in the future and have a great day.
