If you are using custom proxies and daemons to serve your site content, following the recommendation to use our tls-setup.sh to set up free TLS from Let's Encrypt takes an extra step.
When you request a certificate via tls-setup.sh, a temporary file is created in the /home/public/.well-known/acme-challenge directory. Let's Encrypt checks that file by requesting it from your site using the URI /.well-known/acme-challenge/. In most cases, that "just works" because Apache handles it for you. If you have a custom process handling requests for / (i.e., all requests for the site), that won't work. The request will come to your daemon instead, which will likely say "What the 🤬 is this?" and return an error, causing your TLS setup to fail.
You should do one of two things to resolve that, depending on your server type:
- If you are using the Apache 2.4 Generic or Kitchen Sink server type you can create a "None" proxy with the Base URI "/.well-known/" and the Document Root "/.well-known/" to exclude that directory from being sent to the proxy handling the rest of the site.
- If you are using the Custom server type, there's no Apache process to backstop you. So it's up to you to make sure that requests for /.well-known/ serve static content from /home/public/.well-known/. While doing so should be easy, the details depend entirely on your software. We can't advise you on specifics, but in general whatever you are doing for the rest of the site's static content (CSS files, JavaScript, images, etc.) should also work for this. Check the software's documentation for more details.
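As an added illustration of the Custom server type case (example code, not NearlyFreeSpeech.NET's or Let's Encrypt's own), here is a minimal daemon that answers every request itself except those under /.well-known/, which it serves as static files from /home/public/.well-known/. The only part worth copying into a real daemon is resolve_well_known(): it decodes the URI, strips the prefix, and refuses any path that would climb out of the challenge directory (via ".." or percent-encoded dots), so exposing this directory does not expose the rest of the filesystem. The listen port and the placeholder application response are assumptions.

```python
"""Serve ACME HTTP-01 challenge files from a static directory while a custom
daemon handles everything else.  Added example, not the hosting provider's code."""
import os
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# /home/public/.well-known is where tls-setup.sh writes the challenge file.
WELL_KNOWN_ROOT = "/home/public/.well-known"
WELL_KNOWN_PREFIX = "/.well-known/"
LISTEN_PORT = 8080  # assumed; use whatever port your daemon is configured for


def resolve_well_known(request_uri, root=WELL_KNOWN_ROOT):
    """Map a request URI under /.well-known/ to a file inside `root`.

    Returns the absolute filesystem path, or None when the URI is not under
    the prefix or would escape the root (e.g. via '..' or percent-encoding).
    Only computes the path; the caller decides what to do if it is missing.
    """
    path = unquote(urlsplit(request_uri).path)  # drop query string, decode %xx
    if not path.startswith(WELL_KNOWN_PREFIX):
        return None
    # Collapse '.' and '..' segments, then reject anything that climbed out.
    rel = posixpath.normpath(path[len(WELL_KNOWN_PREFIX):])
    if rel in ("", ".", "..") or rel.startswith("../") or rel.startswith("/"):
        return None
    root_abs = os.path.abspath(root)
    full = os.path.abspath(os.path.join(root_abs, rel))
    # Belt and braces: the resolved file must still sit under the root.
    if os.path.commonpath([root_abs, full]) != root_abs:
        return None
    return full


class Handler(BaseHTTPRequestHandler):
    """Static files for /.well-known/, the application for everything else."""

    def do_GET(self):
        target = resolve_well_known(self.path)
        if target is None:
            self.application_response()
            return
        try:
            with open(target, "rb") as f:
                body = f.read()
        except OSError:  # missing file, directory, or unreadable: plain 404
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def application_response(self):
        # Stand-in for whatever the real daemon does with the rest of the site.
        body = b"hello from the custom daemon\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), Handler).serve_forever()
```

With this in place, a request for /.well-known/acme-challenge/TOKEN returns the file tls-setup.sh created, while /.well-known/acme-challenge/../../etc/passwd (encoded or not) is rejected before the filesystem is touched. If your daemon is written in another language, the same two checks (strip the prefix, confirm the normalised path is still inside the root) are what to carry over.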
Once this is set up and working, leave it in place. Your certificate will need to be renewed every 60-90 days, and this is part of that process.