.well-known dot prefix blocked URL


#1

Hi,

I tried to get a certificate for my website hosted for free by Awardspace.com. The http challenge wouldn’t work because they’re blocking the URLs with folders containing a dot prefix. I read that it’s a common practice. .htaccess is limited to a few basic functions and of course they don’t give access to the server configuration files.
I also can’t do the DNS challenge because of my webhost’s limited options.

Is there a way to change the challenge URL? The topics on the subject don’t give answers working for me.

I’m afraid I’ll have to continue running my website with users giving their password on a non https page.


#2

No, you can’t change the challenge URL to not have a .well-known prefix, it’s deliberately chosen the way it is.

Since you say you can’t change the server configuration you would never have been able to install a certificate anyway without help from Awardspace.

Many hosting providers these days offer Let’s Encrypt as a free choice when setting up or configuring a site they host. You could ask Awardspace if they’re willing to do that too.


#3

The .well-known part of the verification URL was chosen because it is a bit “special”, in that it is reserved for purposes like this (see RFC 5785 for more details). Allowing the client to choose the validation path would also be a huge security issue which could lead to misissuance if an attacker is able to upload files in certain directories on a domain (as opposed to every directory, which should only be possible for the owner - or you have bigger problems :smile:).

I’m afraid if DNS-based validation isn’t an option for you either, there’s not much you can do to get a certificate from Let’s Encrypt right now. If your web host allows you to upload any certificate and key for your site, you might be able to get a free certificate from StartSSL or WoSign instead.


#4

If you can use .htaccess to redirect from .well-known to somewhere you can serve files from, then you have a chance. Otherwise you’ll have to change to a different hosting company or use another CA.
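The redirect suggested in the reply above, written out as an added example that is not part of the thread and was not posted by any of its participants. It assumes an Apache host that honours at least `RedirectMatch` (mod_alias) or `RewriteRule` (mod_rewrite) in `.htaccess`, and that a directory reachable as `/acme/` (a hypothetical name) is one the host lets you publish files in. Let's Encrypt follows HTTP redirects during HTTP-01 validation, so the token file only has to be readable at the redirect target; the original `/.well-known/acme-challenge/` path just needs to answer with the redirect rather than the host's block page.

```apache
# Added example: .htaccess in the site's document root.
# Goal: requests for /.well-known/acme-challenge/<token> are redirected to
# /acme/<token>, a directory the host does not block. Put the challenge file
# the ACME client gives you into /acme/ with exactly the content it specifies.
# Use ONE of the two options below, whichever the host permits.

# Option 1: mod_alias only. A plain redirect, no rewrite engine needed.
RedirectMatch 302 ^/\.well-known/acme-challenge/(.*)$ /acme/$1

# Option 2: mod_rewrite, if the host enables it. In per-directory (.htaccess)
# context the leading slash is stripped from the matched path.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^\.well-known/acme-challenge/(.*)$ /acme/$1 [R=302,L]
</IfModule>

# Serve challenge files as plain text; a 200 with the token content is what
# the validation server expects at the end of the redirect chain.
<FilesMatch "^[A-Za-z0-9_-]+$">
    ForceType text/plain
</FilesMatch>
```

Before asking the ACME client to request validation, fetch `http://your-domain/.well-known/acme-challenge/test` over plain HTTP (port 80, not HTTPS) and confirm you receive a 302 to `/acme/test` rather than the host's 403 page. If the host's block happens before `.htaccess` is consulted, no redirect rule will help and the remaining options are those the other replies list: the provider's own Let's Encrypt integration, DNS validation, or a different host.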


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.