There are many reasons why you want to protect a subdomain or directory from the public. You could be working on a new version of your website; you might want to add an extra layer of security to an in-house application like your CRM system. A good way to do this is to add a HTTP password. You can do thie either by editing a .htaccess file, or by using the "Directory Privacy" interface in cPanel.
There's also many reasons why you might want that same area to run HTTPS, which means you need a valid SSL certificate. If you want one of our free certificates from Let's Encrypt, then the Let's Encrypt servers have to be able to get past the HTTP password so they can read a validation token from a folder under the .well-known folder on your server.
If you want both to work, you'll need to add a .htaccess file under the .well-known/ directory that contains these lines:
AuthType None AuthName "None" Require all granted Satisfy Any Allow from all
This will allow full access to .well-known, but since that path is only used by Let's Encrypt to write a temporary validation file the folder contains nothing of interest.