How to convert from standalone to webroot mode (using nginx) for certificate renewal via certbot

To get the Let’s Encrypt certificate in standalone mode, certbot needs port 80 to be available, leading to stop the webserver each time before we start the renewal process. The other way of getting and subsequently renewing the certificate is through webroot mode. In webroot Let’s encrypt certificate is obtained by writing to the webroot directory of an already running webserver. Stopping the webserver is not required here. Therefore we instead choose the webroot mode to get the certificate.

In case someone did the setup in standalone mode, (which I did for one of my servers), this is how you can move to webroot.

Update the renewal script at /etc/letsencrypt/renewal/yourdomainname.conf , from :

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/yourdomainname
cert = /etc/letsencrypt/live/yourdomainname/cert.pem
privkey = /etc/letsencrypt/live/yourdomainname/privkey.pem
chain = /etc/letsencrypt/live/yourdomainname/chain.pem
fullchain = /etc/letsencrypt/live/yourdomainname/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = xxxxxxx
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory

to :

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archiveyourdomainname
cert = /etc/letsencrypt/live/yourdomainname/cert.pem
privkey = /etc/letsencrypt/live/yourdomainname/privkey.pem
chain = /etc/letsencrypt/live/yourdomainname/chain.pem
fullchain = /etc/letsencrypt/live/yourdomainname/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
renew_hook = systemctl reload nginx
account = xxxxxxxx
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
yourdomainname = /var/www/yourdomainname

In the newer configuration, we changed the authenticator field from standalone to webroot and added the [[webroot_map]] section. We also added a renew_hook so the nginx configuration gets reloaded every time after the renewal. The newer configuration assumes that you already have .well-known location set up in your nginx configuration.

To check if the new configuration is running successfully run this command

certbot renew --dry-run