Install letsencrypt certificates with temporary document root

(while an active Apache instance is running)
Use the web server's default webroot to generate certificates before setting up vhosts for new domains.

    letsencrypt certonly --webroot -w /var/www/html/ -d example.com -d www.example.com

Advanced setup

You can set up Apache to serve /.well-known/acme-challenge/ from a custom directory:

    # letsencrypt cert renewal
    # Anchor the pattern and escape the dot so only /.well-known/acme-challenge/ URLs match
    AliasMatch ^/(\.well-known/acme-challenge/.*)$ /var/lib/letsencrypt/$1
    <Directory /var/lib/letsencrypt>
      AllowOverride None
      Require all granted
    </Directory>

That way all letsencrypt cert install and renewal configuration paths look the same and are easier to remember. It does not save much time; it just feels tidier:

    letsencrypt certonly --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
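
A pre-flight check for the setup above, added here as an example (not part of the original page): it writes a probe file under the webroot's `.well-known/acme-challenge/` directory and fetches it over plain HTTP for each domain, so a broken alias or a missing vhost shows up before `certonly` is run. The function names and the `FETCH` variable are assumptions of this sketch, and it assumes `curl` is installed.

```shell
#!/bin/sh
# Added example: confirm the web server serves files written under
# WEBROOT/.well-known/acme-challenge/ before asking for a certificate.
# FETCH (assumption of this sketch) is the command used to GET a URL.
FETCH=${FETCH:-curl -fsS --max-time 10}

# probe_challenge WEBROOT HOST
# Returns 0 if http://HOST/.well-known/acme-challenge/<probe> returns the
# probe file's contents, 1 if it does not, 2 if the probe cannot be written.
probe_challenge() {
    webroot=${1%/}
    h=$2
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$$-$(date +%s)"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token" || return 2
    # HTTP-01 validation starts on plain HTTP, port 80.
    body=$($FETCH "http://$h/.well-known/acme-challenge/$token" 2>/dev/null) || body=
    # Always remove the probe file, whether or not the fetch worked.
    rm -f "$dir/$token"
    [ -n "$body" ] && [ "$body" = "$token" ]
}

# probe_all WEBROOT HOST...
# Probes every host, prints one result line each, fails if any host fails.
probe_all() {
    root=$1; shift
    failed=0
    for host in "$@"; do
        if probe_challenge "$root" "$host"; then
            echo "ok   $host"
        else
            echo "FAIL $host"
            failed=1
        fi
    done
    return "$failed"
}

# Runs only when called with arguments, e.g.:
#   sh probe.sh /var/lib/letsencrypt example.com www.example.com
if [ "$#" -ge 2 ]; then
    probe_all "$@"
fi
```

Run it as a user that can write to the webroot; any host reported as `FAIL` would also fail the webroot challenge.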