Code Integrity + Let's Encrypt .well-known/acme-challenge/.htaccess


at the end of the installation and configuration all needed tools / option I caught the integrity error

Technical information

The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix


  • core
      • .well-known/acme-challenge/.htaccess

Raw output

[core] => Array
[EXTRA_FILE] => Array
[.well-known/acme-challenge/.htaccess] => Array
[expected] =>
[current] => d1c54aa5adc100187bee69c06d79c6a9a54dc6338c398c21c8dd48c8fbdfd72a2f2ca73433ae5bf4255a61c6d2806ba8ba3fff12d3e677273345eea85ed47bc5

How can I solve that problem with Apache + PHP 7.0 installation?

Regards + Thanks in advance

The preferred way is to do this in your apache-config and place the acme-challenge folder outside the document root of Nextcloud:

E.g: if Nextcloud is in /var/www/nextcloud, you could put the challenges somewhere else (untested)
Alias /.well-known/acme-challenge /var/www/acme-challenge

sadly you dont always have a chance to do that. control panels like cpanel that can do LE automatically always put the wellknown into the doc root, and the users can ultimately do nothing against it, since the hosters usually dont care and the users cant get cpanel to do anything as they only take their customers

These panels can be helpful but you certainly loose flexibility. I’m not sure about the plans of the developers and how much effort it would be to put there exceptions and make sure that nobody places malicious code there.

In reality it is not a real problem for you either. Nextcloud still works, it shows you a warning that there is some code that does not belong to Nextcloud, so you can check this code by yourself and decide that you are ok with it.

Aside from the fact that lose in this case is written with just on o, these control panels while they give less flexibility to an admin, for a hoster that’s probably pretty much the only way for having them customers to do stuff without needing to call support all the time, it goes from relatively simple things like setting HTTPS certsm to a completely automation of AQUIRING those, to switching PHP versions and way too many more things to list.

also do I need to note that it’s part of an IETF RFC?

well partially it doesnt break the basic functionality. BUT this thing will totally block an update for nextcloud.

The automatic updater. Feel free to propose a solution that could work for everybody. One could imagine that the content of .well-known directory is copied somewhere to avoid problems of interfering code and copy it back afterwards. But that is stuff you have to discuss with the developers.

Current situation is that on own hosted solutions, you can easily place the .well-known-stuff outside the Nextcloud folder (should be compliant with the RFC). With hosting tools that can be difficult, you need to open a feature request on the update tool (and somehow argue because previous request were closed).

actually there apparently seems to be one thing that is still open.