Allow Certbot Access to Subdirectory with .htpasswd on Apache2

Categories: Coding, security

I was trying to find a way to allow certbot to auto-renew, but kept getting verification errors. The error showed that certbot couldn't get access to /.well-known/acme-challenge/<SOME_HASH>: which was why it was failing.

Turns out, I have a custom WordPress setup which requires .htpasswd authorization. This is so that the outside world can't easily access my WordPress instance, because I was hacked in the past. I then generate static files from this WordPress site, which are visible to the public.

So, I need to make this directory visible to the outside world as well. Being wary of granting global access to this subdirectory, I used a regex based on what certbot is actually looking for and came up with:

# Certbot needs to access this dir w/o any auth in order to auto renew
<FilesMatch "\/\.well-known\/acme-challenge\/.*\:$">
    Satisfy any
</FilesMatch>

This uses the Apache2 FilesMatch directive so that only files whose names match the regex are exempted from authentication. What I like most is that it forces the filename to end in a colon, making it hard to match anything with a file extension.

Two caveats before copying that pattern. FilesMatch tests its regex against the file name only, never against the directory part of the path, so a pattern containing slashes (like the /.well-known/acme-challenge/ prefix above) has nothing to match in a bare file name. And the trailing colon in the error output is the log line's punctuation, not part of the requested path: ACME HTTP-01 tokens (RFC 8555) consist only of URL-safe base64 characters (A-Z, a-z, 0-9, - and _), so no real challenge request ends in a colon. A pattern that anchors on the full request URI and the token alphabet, in a LocationMatch section, is the more reliable way to scope the exemption. Note also that Satisfy any is the Apache 2.2 way of saying this; on Apache 2.4 it only works with mod_access_compat loaded, and the native form is Require all granted.
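For Apache 2.4, the same exemption expressed with LocationMatch and Require all granted, as an added example that is not the post's own configuration. The document root /var/www/site, the AuthName and the .htpasswd path are placeholders; adjust them to the real site.

```apache
# Added example for Apache 2.4; not the post's own configuration.
# Assumptions: the site root is /var/www/site and the existing Basic auth
# is declared in a <Directory> block for it (paths and AuthName are placeholders).
<Directory "/var/www/site">
    AuthType Basic
    AuthName "Private WordPress"
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
</Directory>

# certbot's HTTP-01 check requests /.well-known/acme-challenge/<token>.
# RFC 8555 tokens use only the URL-safe base64 alphabet, so this pattern admits
# exactly one such path segment: no further slashes, no dots, no extensions.
# <LocationMatch> is tested against the full request URI (unlike <FilesMatch>,
# which sees only the file name) and is merged after <Directory>, so these two
# directives override the Basic auth for the challenge paths and nothing else.
<LocationMatch "^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$">
    AuthType None
    Require all granted
</LocationMatch>
```

Run apachectl configtest and reload, then check from outside the network: a request for /.well-known/acme-challenge/test should come back 404 (no such file, but no 401 either), while a request for / should still come back 401. If the Basic auth lives in an .htaccess file rather than the server config, LocationMatch is not available there; the equivalent is an .htaccess inside .well-known/acme-challenge/ containing just AuthType None and Require all granted, which needs AllowOverride AuthConfig for that directory. On Apache 2.2 the same block would use Satisfy Any together with Allow from all.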

Not too fancy, but it definitely gets the job done. My certbot can now run without a hitch.
