Let’s Encrypt is an incredible, FREE, service that allows you to get trusted SSL certificates for your website. The certs expire every 90-days but what is great is that there are a lot of tools for auto-renewing the certificate without you ever having to touch anything on your server… until that process breaks.
Case-in-point: If you are running a Drupal 7 and are using the Apache Rewrite module (you should be…) then the default .htaccess file supplied with Drupal 7 core will block all access to hidden folders. (folders that start with a “.”) This is a problem for Let’s Encrypt because the auto-renew process generates a temporary key file that gets placed in a hidden folder on your web server that the Let’s Encrypt system has to be able to reach publicly (on port 80) in order to validate your server and fulfill your renewal request. Thankfully, another member of the Drupal community has already written the rewrite condition rule that needs to be placed in your .htaccess file to allow access to just the hidden folder required by Let’s Encrypt.
Here is the link:
https://www.drupal.org/node/2850253
The following is copied directly from the link above (in case above link ever stops working…) with some minor changes:
—————————-
Posted by drbeaker on 6 Feb 2017 at 21:42 UTC
The default .htaccess blocks .well-known access
I use automatically generated SSL certificates for my site but they stopped working. It seems that the following lines of the Drupal .htaccess file blocks access to .well-known/acme-challenge/ which is needed for automatic domain validation.
I have fixed it by adding the following RewriteCond
This allows access to the .well_known folder but denies all other dot-paths.
—————————-
This fix sorted out the renewal for me!