Why does the acme-challenge subdirectory need to be hidden?

I’ve noticed that some configuration files for nginx and letsencrypt have these lines:

# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
    return 404;
}

Can someone explain to me why this is more ‘secure’? Is it just because you don’t want random people viewing the ‘acme-challenge’ directory? Is it only relevant if you have autoindex on?

Along the same lines – are there any other ‘gotchas’ I have to look out for security-wise?


No secret or sensitive data ever touches acme-challenge. Probably just unfounded paranoia.

I don’t think it has anything to do with being hidden as such, but /.well-known/ is a somewhat-standardized location for a number of services (it’s also used by email autodiscovery, for one example). See RFC 5785.


I think @jdwissler was asking about the motivation for the return 404 in this configuration more than about why /.well-known starts with a dot. And I’d also say it’s just someone’s general intuition not to let people see information that wasn’t explicitly intended for them; as @_az mentioned, the contents of this directory in the way that it’s used by Let’s Encrypt won’t actually contain any secrets.
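
For context, this is how the quoted exact-match block usually sits next to the location that actually serves the challenge tokens. It is an added example, not configuration posted by anyone in this thread; the server name and the webroot path `/var/www/letsencrypt` are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;            # placeholder name (assumption)

    # Prefix match: serves the token files that the ACME client writes to
    # <root>/.well-known/acme-challenge/<token>. These files are meant to be
    # fetched by the CA and contain nothing secret.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # assumed webroot
        default_type "text/plain";
        autoindex off;                  # nginx default, stated for clarity
    }

    # Exact match: applies only to the bare directory URL, because the "="
    # modifier matches the whole request URI and takes priority over the
    # prefix location above. With autoindex off and no index file, nginx
    # would answer that URL with 403, which confirms the directory exists.
    # Returning 404 makes the directory URL look like any missing path.
    # Without the trailing slash this block would match a different URI.
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}
```

With `autoindex on`, the exact-match block would also be what keeps the directory listing from being served at that URL; token files remain reachable by their full path either way.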
