Letting AutoSSL get past a protected directory

There are many reasons why you want to protect a subdomain or directory from the public. You could be working on a new version of your website; you might want to add an extra layer of security to an in-house application like your CRM system. A good way to do this is to add a HTTP password. You can do thie either by editing a .htaccess file, or by using the "Directory Privacy" interface in cPanel.

There's also many reasons why you might want that same area to run HTTPS, which means you need a valid SSL certificate. If you want one of our free certificates from Let's Encrypt, then the Let's Encrypt servers have to be able to get past the HTTP password so they can read a validation token from a folder under the .well-known folder on your server.

If you want both to work, you'll need to add a .htaccess file under the .well-known/ directory that contains these lines:

AuthType None
AuthName "None"
Require all granted
Satisfy Any
Allow from all

This will allow full access to .well-known, but since that path is only used by Let's Encrypt to write a temporary validation file the folder contains nothing of interest.

  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

Fixing Referrer Spam in .htaccess

Are your web analytics full of low quality referrals? If you made the mistake of signing up for a...

Forcing HTTPS

The best way we've found to send requests to HTTPS is this: RewriteEngine on RewriteCond...