[SOLVED] Let's Encrypt and .htaccess

Hi all,

I want to ask for a Let’s Encrypt certificate but the answer is that it cannot access the .well-known folder.

If I remove the /var/www/html/.htaccess the certificate is OK.

I googled a lot and the best answer I found was to whitelist the .well-known folder.
- Some people say it will also allow everyone to access the folder and maybe do suspicious actions.
- Some people say to modify the .htaccess file in the Web root directory, others to include a .htaccess file in the .well-known folder,
- etc…

What is the recommendation of NethServer team?

Any suggestions appreciated,

Michel-André

Here is my /var/www/html/.htaccess

# **************************************
# Permalinks
# Every request that does not map to an existing file (!-f) or directory
# (!-d) is handed to index.php. An existing challenge token therefore
# passes through untouched; a missing one ends up as a WordPress 404.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# **************************************
# Protect wp-config.php
# "order/deny" is Apache 2.2 syntax; Apache 2.4 only honours it while
# mod_access_compat is loaded, so the 2.4 form is given first, the same
# way the Wordfence block at the end of this file does it.
<Files wp-config.php>
<IfModule mod_authz_core.c>
 Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
 order allow,deny
 deny from all
</IfModule>
</Files>

# **************************************
# Protect .htaccess
#
<Files .htaccess>
<IfModule mod_authz_core.c>
 Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
 order allow,deny
 deny from all
</IfModule>
</Files>

# **************************************
# DIRECTIVES FOR APACHE
#
# Permit to follow links
Options +FollowSymLinks

# Do not show content of folders
Options -Indexes

# **************************************
# Included by Wordfence
#
# Wordfence WAF
# php_value only takes effect when PHP runs as the Apache module; the
# module for PHP 7 registers as mod_php7.c, and PHP-FPM/CGI setups use the
# .user.ini file instead, which the <Files> block below keeps from being
# downloaded.
<IfModule mod_php5.c>
        php_value auto_prepend_file '/var/www/html/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
</IfModule>
</Files>
# END Wordfence WAF

It seems you need the .htaccess file because of wordpress/wordfence.
Do you use the module or did you install WordPress to /var/www/html?

Hi Markus,

Thank you for your fast reply.

I copied all the files from the SME Primary/html to NS /var/www/html.
I adjusted the path in .htaccess, wordfence-waf.php, and wp-config.php.
mysqldump the original DB from SME, copied it to NS.
With MariaDB102, I created the DB, user, GRANT rights, FLUSH PRIVILEGES in NS.
I imported the DB with: mysql102 DB < DB.imported.
In wp-config.php I added lines for relocate.
In wp-config.php I changed the host to 127.0.0.1:3312 to be able to use MariaDB102.

All is working fine with the site and the eCommerce - I bought something, etc.

Michel-André

Does the wordpress site work without the .htaccess file?

Maybe it helps if you add the content from /etc/httpd/conf.d/letsencrypt.conf to the .htaccess file?

Hi again Markus,

Thank you again for your fast reply.

I modified the directive AllowOverride None to AllowOverride All in /etc/httpd/conf in <Directory "/var/www/html"> so Apache will be able to read /var/www/html/.htaccess and apply the directives it will see in it (I have to do that so the permalinks will be read OK).

For the migration of WordPress I tested it with the extension Duplicator but it is faster with the manipulations in my previous reply because I had a few Web sites to migrate.

Michel-André

You may try to comment the Options line in the .htaccess file:

#Options -Indexes

Hi Markus,

I would like to keep the “Options -Indexes” for security reasons, as it does not show the content of a directory if no index.??? is present.

But, new development.

Shame on me: the owner of the .well-known folder was root; I changed it with -R apache:apache .well-known.

I created an index.html file in .well-known and the browser was able to read it without problem.

I also created an index.html file in .well-known/acme-challenge but the browser was not able to read it and received:
Forbidden
You don’t have permission to access /.well-known/acme-challenge on this server.

I will try something else with the help of Google…

Michel-André

What about using a virtual host and moving WordPress from /var/www/html to the vhost location /var/lib/nethserver/vhost/<WORDPRESS_VHOST>?

Did you try to import your WordPress into the NethServer WordPress module?

Another way would be to use a config file instead of .htaccess.

Hi Markus,

I was desperate to find a solution…

I must admit that you are not among the greatest anymore, you are THE greatest!

Your suggestion to use a config file is THE SOLUTION.

Original file: /etc/httpd/conf.d/letsencrypt.conf

# The Alias ends in a slash, so only URLs below /.well-known/acme-challenge/
# are mapped to this directory; the bare directory URL is not.
Alias "/.well-known/acme-challenge/" "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/.well-known/acme-challenge/">

    # anyone may read the tokens, no listing, no symlinks, no .htaccess
    Require all granted
    Options -Indexes -FollowSymLinks
    AllowOverride None

</Directory>

Changed to:

Alias "/.well-known/acme-challenge/" "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/.well-known/acme-challenge/">

   Require all granted
   # +FollowSymLinks lets httpd serve files reached through a symlink in
   # this directory; the original -FollowSymLinks refuses them with 403
   Options -Indexes +FollowSymLinks
   # AllowOverride All makes httpd read and honour a .htaccess placed in
   # this directory; with the original None such a file is ignored
   AllowOverride All

</Directory>
  • I created an index.html in /var/www/html/.well-known displaying “Hello from .well-known!”
  • I created an index.html in /var/www/html/.well-known/acme-challenge displaying “Hello from acme-challenge!”

So to make sure that those directives will always be taken care of, even if Let’s Encrypt is updated:

  • I put back the original /etc/httpd/conf.d/letsencrypt.conf.
  • I created the file: /etc/httpd/conf.d/z_well-known.conf with the above modified content
  • Restarted the daemon: systemctl restart httpd
  • With the browser, I went to https://www.FQDN/.well-known and the right file is displayed.
  • With the browser, I went to https://www.FQDN/.well-known/acme-challenge and the right file is displayed.

I added imap.FQDN to the domains.
Requested a certificate.
Total Victory :tada:

Now, with your great suggestion, I will look at config files very closely to understand exactly what I can do with them. They can replace all .htaccess files… https://dev-notes.eu/2017/01/apache-directives-in-config-vs-htaccess/
Also: http://httpd.apache.org/docs/current/howto/htaccess.html#page-header

Again, thank you so much Markus for your support!

Michel-André

PS: There were typo errors: no backquotes [`] are needed in the file. :blush:

1 Like
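Editor's note. Before requesting the certificate (and again after any change to the .htaccess or to conf.d), it is worth proving the challenge path the way the ACME validator sees it rather than with a browser. The script below is an added example written for this thread; it is not NethServer code and not from any post above. It assumes the webroot is passed as its first argument (the thread's is /var/www/html), an optional public http:// base URL as its second, the usual ten-character mode field in ls -ld output, and curl for the network step. It checks mode bits rather than ownership, because httpd only needs the "others" bits when the files belong to a different account.

```shell
#!/bin/sh
# acme_preflight.sh
# Added example for this thread (not NethServer code, not from the posts
# above). Before a certificate is requested it checks that
# /.well-known/acme-challenge/ is reachable the way the ACME validator needs:
#   1. a throw-away token file is written into the challenge directory
#   2. every directory from the webroot down to it is searchable by "others"
#      and the token file is world-readable (httpd runs as its own user)
#   3. if a base URL is given, the token is fetched over HTTP with redirects
#      followed, as the validator does, and compared with the file on disk
# Assumptions: ls -ld prints the ten-character mode field (GNU and BSD do),
# curl is installed for step 3, and the webroot is passed in as $1.

set -u

# True when the "others" execute/search bit of $1 is set (10th mode char).
others_can_search() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# True when the "others" read bit of $1 is set (8th mode char).
others_can_read() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk from $1 up to and including $2 and report the first directory that a
# different user (httpd) could not traverse, e.g. a root-owned 0700 folder.
check_traversal() {
    dir=$1
    stop=$2
    while :; do
        if ! others_can_search "$dir"; then
            echo "not searchable by others: $dir" >&2
            return 1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Create a token file in $1 like an ACME client would (random name, plain
# text body) and print its path. The caller removes it afterwards.
write_token() {
    mkdir -p "$1" || return 1
    tok=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s.preflight\n' "$tok" > "$1/preflight-$tok" || return 1
    printf '%s\n' "$1/preflight-$tok"
}

# Fetch $1/.well-known/acme-challenge/<name of $2> and compare the body with
# the file. Redirects are followed (a redirect to https is acceptable to the
# validator as well). Only a URL below the directory is tested: the Alias in
# letsencrypt.conf ends in a slash and does not match the bare directory URL.
fetch_token() {
    name=$(basename "$2")
    url="$1/.well-known/acme-challenge/$name"
    if ! got=$(curl -fsS -L --max-redirs 5 --max-time 10 "$url"); then
        echo "fetch failed: $url" >&2
        return 1
    fi
    if [ "$got" != "$(cat "$2")" ]; then
        echo "body served for $url differs from the file on disk" >&2
        echo "(a rewrite rule, WAF or index page is answering instead)" >&2
        return 1
    fi
    return 0
}

# preflight WEBROOT [BASE_URL]; exit status 0 means the path is ready.
# An empty BASE_URL skips the network step (e.g. on a box without public DNS).
preflight() {
    webroot=$1
    base_url=${2:-}
    challenge_dir="$webroot/.well-known/acme-challenge"
    token_file=$(write_token "$challenge_dir") || return 1
    rc=0
    check_traversal "$challenge_dir" "$webroot" || rc=1
    if ! others_can_read "$token_file"; then
        echo "token file is not world-readable: $token_file" >&2
        rc=1
    fi
    if [ -n "$base_url" ]; then
        fetch_token "$base_url" "$token_file" || rc=1
    fi
    rm -f "$token_file"
    return "$rc"
}

# Usage: sh acme_preflight.sh /var/www/html http://www.FQDN
# With no arguments nothing runs, so the file can also be sourced.
if [ $# -ge 1 ]; then
    preflight "$1" "${2:-}"
fi
```

On the server, `sh acme_preflight.sh /var/www/html http://www.FQDN` exits 0 only when the token was written, every directory down to it is searchable, the file is world-readable and the same bytes came back over HTTP; each failure prints which of those was not met. Fetching a token URL instead of the bare directory matters because the validator never asks for the directory, and a mod_alias entry with a trailing slash does not answer for it anyway.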