Fragmented Development

Unobtrusive Let's Encrypt requests

My only beef with the Let's Encrypt process is that, by default, the utility wants you to disable your web server in the process of requesting a certificate, so that it can listen on port 80 (or 443) for a verification challenge. I host lots of sites, many of them high-traffic, and that's kind of a deal breaker.

Luckily, the utility has many other very reasonable methods of verification. My favorite is "webroot". From the Let's Encrypt client documentation:

If you’re running a webserver that you don’t want to stop to use standalone, you can use the webroot plugin to obtain a cert by including certonly and --webroot on the command line. In addition, you’ll need to specify --webroot-path or -w with the root directory of the files served by your webserver. For example, --webroot-path /var/www/html or --webroot-path /usr/share/nginx/html are two common webroot paths.

This option lets us tell Let's Encrypt to place the verification inside an existing web root, and allows it to be served by your current web server. Combine this with some clever
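A pre-flight check for the webroot method described above, as an added example that is not part of the original post: it drops a probe file where the webroot plugin writes its challenge files, confirms the running server returns it over plain HTTP, and only then prints the certbot command. The function names, the use of curl, and the `-d` domain flag are assumptions not taken from the post; paths and domains are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Write a throwaway probe into the directory the webroot plugin uses for its
# HTTP challenge files. Prints "<token> <path>".
acme_probe_create() {
    [ -d "$1" ] || { echo "webroot is not a directory: $1" >&2; return 1; }
    probe_dir="$1/.well-known/acme-challenge"
    mkdir -p "$probe_dir" || return 1
    probe_token="probe-$$-$(date +%s)"
    printf '%s' "$probe_token" > "$probe_dir/$probe_token" || return 1
    printf '%s %s\n' "$probe_token" "$probe_dir/$probe_token"
}

# Fetch the probe through the live web server (assumes curl is installed).
# $1 = domain, $2 = token. Succeeds only if the body matches the token.
acme_probe_fetch() {
    probe_body=$(curl -fsS --max-time 10 \
        "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$probe_body" = "$2" ]
}

# Build the certbot command: one webroot, one or more domains.
# -d is certbot's domain flag (not quoted in the post).
certbot_webroot_cmd() {
    cb_cmd="certbot certonly --webroot --webroot-path $1"
    shift
    for cb_domain in "$@"; do cb_cmd="$cb_cmd -d $cb_domain"; done
    printf '%s\n' "$cb_cmd"
}

# Probe every domain; print the certbot command only if all of them serve
# the probe. The web server keeps running throughout.
preflight() {
    pf_webroot=$1; shift
    pf_out=$(acme_probe_create "$pf_webroot") || return 1
    pf_token=${pf_out%% *}; pf_path=${pf_out#* }
    pf_rc=0
    for pf_domain in "$@"; do
        acme_probe_fetch "$pf_domain" "$pf_token" ||
            { echo "probe not served for $pf_domain" >&2; pf_rc=1; }
    done
    rm -f "$pf_path"
    [ "$pf_rc" -eq 0 ] && certbot_webroot_cmd "$pf_webroot" "$@"
    return "$pf_rc"
}

# Usage (constructed values): preflight /var/www/html example.com www.example.com
```

A failed probe usually means the server blocks or rewrites requests under `/.well-known/`, or the webroot given is not the one actually serving that domain.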

Tags: python linux networking server dns
