by ivansavz 3738 days ago
The --webroot option doesn't work for my setup, so I need to shut down nginx for 2-3 seconds and use the --standalone option. I set this as a CRON job that will run every two months. It's not elegant, but it's done.

Here's the modified script using certonly and the --force-renew flag.

    #!/bin/bash
    # Force-renew the "Let's Encrypt" certificates for a given domain
    # Run this as root as a BI-MONTHLY cron job
    export DOMAINS="yourdomain.com,www.yourdomain.com"
    export LOGFILE="/var/log/letsencrypt/renewal_yourdomain.log"

    echo "Stopping nginx temporarily to renew certificates for $DOMAINS ..."
    service nginx stop

    echo "Calling /opt/letsencrypt/letsencrypt-auto certonly --standalone --force-renew -d $DOMAINS"
    # Quote the variables so unusual characters in the values cannot split the command line
    if ! /opt/letsencrypt/letsencrypt-auto certonly --standalone --force-renew -d "$DOMAINS" > "$LOGFILE" 2>&1 ; then
        echo "certonly call failed, restarting nginx"
        service nginx start
        echo "LOG info:"
        cat "$LOGFILE"
        # TODO: email administrator...
        exit 1
    fi

    echo "certonly call succeeded, restarting nginx"
    service nginx start

Note: don't run this as a daily cron job since this has --force-renew...
2 comments

Do you ever get problems with the socket still being in use after nginx is shut down?
Not on the N=1 times I've run the script, but will look out for this in the future.
I'm curious: why doesn't webroot work for your setup?
A dynamic script is handling all requests, so there is no "webroot" directory where you can put stuff for them to appear under /
You could quite easily add a location /.well-known rule to the server, right?
Oh yeah, I didn't know about this option. A static dir for /.well-known is a much more elegant solution than shutting down nginx... Thx for the pointer.
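
The static /.well-known location suggested in the replies above, as an added example that is not part of the original thread. The challenge directory /var/www/letsencrypt and the backend address 127.0.0.1:8000 are assumptions; the domain names are the placeholders from the script.

```nginx
# Added example: serve ACME HTTP-01 challenge files from a static directory
# so certificates can be issued with --webroot while nginx keeps running.
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    # Expose only the ACME challenge subtree, not all of /.well-known.
    # "^~" stops nginx from evaluating regex locations for this prefix,
    # so a later "location ~ ..." rule cannot route challenges to the app.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed path, keep it empty of other content
        default_type text/plain;     # challenge files have no extension
        autoindex off;               # never list outstanding tokens
        try_files $uri =404;         # missing token is a 404, not a fallthrough to the app
    }

    # Everything else still goes to the dynamic script
    # (assumed here to be an HTTP backend; adapt to fastcgi/uwsgi as needed).
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}

# Matching issuance command, run as root with nginx up:
#   /opt/letsencrypt/letsencrypt-auto certonly --webroot \
#       -w /var/www/letsencrypt -d yourdomain.com -d www.yourdomain.com
# Then pick up the new certificate without dropping connections:
#   service nginx reload
```

The directory given to -w must be the same path as the location's root, since the client writes tokens under .well-known/acme-challenge/ inside it.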