A fairly common scenario is that it's fairly easy to set up a site, let symbiosis-ssl do its thing and swap to HTTPS, and then redirects/rewrites are added to .htaccess or similar, which then means that .well-known isn't accessible for verification with Let's Encrypt.
And, if you aren't checking logs, cert expiries and so on, this can lead to problems with the certificate expiring unexpectedly, and an effective outage of a site (or sites) before the problem is found and fixed (usually with some edits to .htaccess), a new cert is picked up, Apache is reloaded, and things work normally again.
Ideally, http://example.com/.well-known could either be allowed in all cases (overriding .htaccess), or be aliased from elsewhere for all sites (same as http://example.com/webmail, etc), and point to a single unified location, ideally which is easy to find in case someone is using it for something other than symbiosis-ssl.
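The failure and both proposed remedies, sketched as an added Apache configuration example (not Symbiosis's own configuration). It assumes the standard ACME HTTP-01 path /.well-known/acme-challenge/; the redirect target www.example.net and the directory /srv/acme-challenge/ are placeholders.

```apache
# --- Site .htaccess, problem form (constructed example) ---
# A catch-all redirect also catches the HTTP-01 validation request.
# If the redirect target cannot serve the token, renewal fails and the
# existing certificate runs out without anyone noticing.
RewriteEngine On
RewriteRule ^(.*)$ https://www.example.net/$1 [R=301,L]

# --- Site .htaccess, per-site fix ---
# Stop rewriting for the challenge path before any other rule runs.
# In .htaccess context the pattern is matched without the leading slash.
RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]
RewriteRule ^(.*)$ https://www.example.net/$1 [R=301,L]

# --- Server-wide configuration, unified location ---
# Map the challenge path for every site to one directory outside the
# document roots. The request no longer resolves inside a site's
# directory, so that site's .htaccess is never consulted for it.
# /srv/acme-challenge/ is a placeholder path.
Alias /.well-known/acme-challenge/ /srv/acme-challenge/
<Directory /srv/acme-challenge/>
    # Ignore any .htaccess here and serve plain files only.
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

Aliasing only the acme-challenge subdirectory leaves the rest of /.well-known available to sites that use it for something else.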