By drbeaker on
I use automatically generated SSL certificates for my site but they stopped working. It seems that the following lines of the Drupal .htaccess file block access to .well-known/acme-challenge/, which is needed for automatic domain validation.
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "(^|/)\." - [F]
I have fixed it by adding the following RewriteCond:
RewriteCond %{REQUEST_FILENAME} !.well-known/
This allows access to the .well-known folder but denies all other dot-paths.
Others may be able to improve on my solution as I'm no Apache expert. It may be worth changing the install script to allow this access.
Comments
A better solution
Taken from the Drupal 8 .htaccess:
Replace the RewriteRule by
See also issue #2847325: [D7] Support RFC 5785 on Apache by whitelisting the .well-known directory.
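
Added example (not from the original thread or from Drupal): a Python model of how the posted RewriteRule and RewriteCond decide on a few constructed request paths, next to a hypothetical anchored pattern. The document root, the sample paths and the `ANCHORED` pattern are assumptions made for this example; the FilesMatch directive mentioned in the .htaccess comment is not modelled.

```python
import re

# Patterns copied from the post above (per-directory .htaccess context).
RULE = re.compile(r"(^|/)\.")       # RewriteRule "(^|/)\." - [F]
COND = re.compile(r".well-known/")  # RewriteCond %{REQUEST_FILENAME} !.well-known/

# Hypothetical anchored alternative written for this example (an assumption,
# not quoted from the page): one RewriteRule pattern, no RewriteCond.
ANCHORED = re.compile(r"/\.|^\.(?!well-known/)")

DOCROOT = "/var/www/html"  # constructed document root

def forbidden_posted(rel_path):
    """Model the posted rule: [F] fires when RULE matches the path relative
    to the .htaccess directory and the negated RewriteCond holds, i.e. COND
    does not match the full filesystem path in REQUEST_FILENAME."""
    filename = f"{DOCROOT}/{rel_path}"
    return bool(RULE.search(rel_path)) and not COND.search(filename)

def forbidden_anchored(rel_path):
    """Model a single rule using the anchored pattern."""
    return bool(ANCHORED.search(rel_path))

# Constructed request paths, relative to the document root.
SAMPLES = [
    "index.php",
    ".git/config",
    "sites/all/.svn/entries",
    ".well-known/acme-challenge/constructed-token",
    ".well-known/.git/config",   # hidden directory nested under .well-known
    "xwell-known/.svn/entries",  # unescaped "." in COND matches any character
]

def audit():
    """Return {path: (posted_forbidden, anchored_forbidden)}."""
    return {p: (forbidden_posted(p), forbidden_anchored(p)) for p in SAMPLES}

if __name__ == "__main__":
    for path, (posted, anchored) in audit().items():
        print(f"{path:46} posted={'403' if posted else 'pass'} "
              f"anchored={'403' if anchored else 'pass'}")
```

Rows where the posted rule passes but the anchored pattern returns 403 are hidden-directory paths that the unanchored, unescaped condition exempts along with the ACME challenge path.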