Webroot plugin and server configuration


Hi friends,
reading the latest certbot documentations at Getting certificates -> webroot, for using the webroot plugin it seems essential to configure the web server as suggested:

Note that to use the webroot plugin, your server must be configured to serve
files from hidden directories. If /.well-known is treated specially by
your webserver configuration, you might need to modify the configuration
to ensure that files inside /.well-known/acme-challenge are served by
the webserver.

the documentation does not seem to me very clear on this aspect,
would you be kind enough to clarify this step? In my case using Apache2.

Many thanks!


You shouldn’t have to do anything, that’s only relevant if something has changed the config from the default.


Does your configuration treat hidden directories special? No? What needs to be clarified then? Because it should just work… :stuck_out_tongue:


Ah, ok.
…because on some user guide it’s shown:
adding this configuration snippet on “/etc/apache2/conf-available/”:

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    ForceType text/plain
    # avoid access to anything not resembling a challenge
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" 

Is this exceeded?

Thanks again!


The default apache configuration used by all mainstream distributions (Debian, Ubuntu, RHEL/CentOS and variants) does not prevent files in a hidden directory (i.e. one starting with a dot) from being served. So unless you’re doing anything special in your configuration, the above snippet won’t be necessary.

Luckily, this is quite easy to test. Just put a file in your DocumentRoot under .well-known/acme-challenge and try to visit that path with your browser. If it works, no need to add anything.


That piece of Apache configuration is only necessary if you want to use a single webroot directory for all domains on your server. This makes it easier to use the webroot plugin, because otherwise you would need to enter multiple -w attributes for each single document root path.

Ofcourse, if you’re just getting a certificate for one domain and with just one document root, that step isn’t necessary.


This is the point.
Remains for me unclear what does certbot with the webroot. Does it check the existence of each domain or simply it verify the paternity of the server?

Anyway, having this kind of Apache server structure:


Could be useful set as “webroot” the letsencrypt directory for all domains as below?


And eventually, could you confirm if with the above snippet I should create a special web address useful for letsencrypt to verify the server paternity (question before)?
If so, it’s very very difficult for me understand why not always use this method faster than specify many many times different webroot paths.

Many many thanks!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.