Access to dot folders blocked?

Discussion in 'General' started by William L, May 17, 2017 at 5:45 AM.

  1. William L

    William L New Member

    I just started getting errors for a Let's Encrypt SSL certificate renewal via cPanel a few days ago.

    Let's Encrypt requires access to [domain name]/.well-known/acme-challenge/ and, unless I've done something inadvertently, it seems like access to dot folders is now blocked by default.

    See example here:

    http://preprod.phcfarm.com/test/test.txt -> works
    http://preprod.phcfarm.com/.test/test.txt -> 403 forbidden

    The two folders/files above have the same permissions, just different names.

    Has something changed to block access to dot folders? If so, this is breaking Let's Encrypt.

    Thanks!
     
  2. tyler

    tyler Staff Staff Member

    I'm pretty sure it blocks hidden folders by default for security reasons, because they are using htpasswd or htaccess files. Is there a reason why you are using hidden folders for a public webroot? I can take that information to the developer and see what the options are.
     
  3. William L

    William L New Member

    Thanks for your reply, Tyler.

    Yes, the reason I'm using the hidden folder is that Let's Encrypt, which is available via cPanel, uses one during part of the process when SSL certs are renewed. During the process it makes a request for a URL like:

    http://<mydomain>.com/.well-known/acme-challenge/...

    One of mine was last renewed on the 26th of April without any issues. Maybe there was a whitelist for the .well-known folder that no longer exists? I don't know if it's possible for me to override with a local .htaccess config but since this wasn't necessary previously, I thought it better to raise the question.

    BTW, this is the error I'm getting:

    Automatic Let's Encrypt renewal for <mydomain> was attempted and failed.
    This certificate expires on 2017-06-13 19:09:00 -0700 MST.

    Unable to renew certificate: The Let's Encrypt HTTP challenge failed: acme error 'urn:acme:error:unauthorized': Invalid response from http://<mydomain>.com/.well-known/acme-challenge/<redacted> "<!DOCTYPE html>
    <html style="height:100%">
    <head><title> 403 Forbidden
    </title></head>
    <body style="color: #444; margin:0;font:"

    Please contact your web host for more information on how to fix this issue.

    Thanks for your help.
     
  4. tyler

    tyler Staff Staff Member

    Ahh, gotcha. Let's Encrypt is using that directory, you're not placing your webroot there. Let me see what I can find out.
     
  5. William L

    William L New Member

    Ah, yes. Just to confirm, that's correct, the web root is using an ordinary directory. It's a subdirectory that is hidden. Thanks!
     
  6. tyler

    tyler Staff Staff Member

    Looks like it's your .htaccess file that is blocking access to those directories.

    # Block access to backup and source files.
    # These files may be left behind by some text/HTML editors and
    # pose a serious security risk if someone can access them.
    <FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>


    # Block access to WordPress files that reveal version information.
    <FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>
     
  7. William L

    William L New Member

    Ah, yes. I don't think either of those regexes should match .test or .well-known though. There is another directive just before though that may be the culprit:

    # Block access to "hidden" directories or files whose names begin with a period. This
    # includes directories used by version control systems such as Subversion or Git.
    <IfModule mod_rewrite.c>
    # Only act on paths that map to an existing directory (-d) or file (-f) ...
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    # ... and return 403 Forbidden ([F]) when any path segment starts with a period.
    RewriteRule "(^|/)\." - [F]
    </IfModule>

    Let me look into this later today and make sure the culprit isn't in my local config then.
     
  8. William L

    William L New Member

    Just to close the loop on this, it was the directive above in my local .htaccess config that was causing the issue. I'm still not quite sure what happened, as I'm fairly sure it has been in my .htaccess for some time. I've updated the regex to ignore the one specific folder I need access to, to avoid the issue.

    Thanks for your help Tyler!
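For reference, here is one way to keep the dot-file block from the thread while exempting only the ACME challenge path. This is an added example, not a snippet from either poster, and it assumes Apache with mod_rewrite enabled and a `.htaccess` in the web root of the vhost (`preprod.phcfarm.com` in this thread).

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Exempt only the ACME HTTP-01 challenge directory, not all of .well-known.
    # This condition is ANDed with the -d/-f pair below, so a request is refused
    # only when it is NOT under .well-known/acme-challenge/ AND maps to a real
    # file or directory with a dot-prefixed path segment.
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/acme-challenge/" [NC]

    # Keep blocking every other "hidden" file or directory (.git, .svn, .env, ...).
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>
```

After editing, confirm the exemption with `curl -I http://preprod.phcfarm.com/.well-known/acme-challenge/test` (expect 200 or 404 from a real file, not 403) and that `curl -I http://preprod.phcfarm.com/.git/config` still returns 403.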
     