Drupal version’s 7 and 8 (I haven’t checked others) contain a line in the default htaccess file that blocks hidden files and folders (beginning with a dot), this results in authentication attempts to the .well-known folder for the webroot authentication method. I was seeing unauthoized (403) failures when running letsencrypt-auto.
The specific line from the Drupal .htaccess is:
RewriteRule “(^|/).” - [F]
If I comment this line out I am able to complete the webroot authentication fine. I suspect there is an override to this possible. I like the additional security provided by this line (keeps people from poking around in my git repositories and protects htaccess itself, so I don’t want to leave this line commented.
Curious if anyone has found a work around for this issue.