If you've ever set up SSL on the IBM i for an Apache server and don't have access to the email addresses listed on the domain registration, you have the option to prove ownership by uploading a file to a folder such as /.well-known/pki-validation.
Once the issuer of the SSL certificate sees this file they can then forward you the SSL certificate for the server.
Well, the problem with this is that these days you normally aren't running anything on port 80 other than a redirect to the HTTPS site, and for some reason this validation request has to come in over plain HTTP on port 80.
So, with a little research and trial and error I was able to put together this sample HTTP configuration that allows access over port 80 to this specific folder location.
Listen xx.xx.xx.xx:80
Listen xx.xx.xx.xx:443

<VirtualHost xx.xx.xx.xx:80>
    ServerName myserver.com
    DocumentRoot /www/myserver/htdocs
    DirectoryIndex index.html

    # Deny everything by default, then open only the document root
    <Directory />
        Options None
        order deny,allow
        deny from all
    </Directory>

    <Directory /www/myserver/htdocs>
        order allow,deny
        allow from all
    </Directory>

    # Redirect every request to HTTPS except paths under /.well-known/
    # (the dot is escaped so it matches only a literal ".")
    RedirectMatch Permanent "^(/(?!\.well-known/).*)" https://myserver.com$1
    #Redirect permanent / https://myserver.com
</VirtualHost>

<VirtualHost xx.xx.xx.xx:443>
    ServerName myserver.com
    .....
</VirtualHost>
The first VirtualHost container is a normal setup that allows access to static files. The key difference is the RedirectMatch directive, which redirects all requests to the HTTPS site except for requests to the /.well-known directory.
I've tested it and it works great and makes life a little easier when you have to update your client's SSL certificates on a yearly basis.
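The RedirectMatch rule described above can be checked offline before a certificate renewal. This is an added example, not part of the original post: it models the directive with Python's re module (an assumption that holds for this lookahead pattern) and compares the lookahead written with an unescaped dot against the escaped form, using constructed request paths.

```python
import re

# Two spellings of the RedirectMatch pattern. In LOOSE the dot before
# "well-known" is unescaped, so it matches any single character.
LOOSE = r"^(/(?!.well-known/).*)"
STRICT = r"^(/(?!\.well-known/).*)"
TARGET = "https://myserver.com"  # redirect target from the page's config


def decide(pattern, path):
    """Return the Location header for `path`, or None when the rule does
    not match and the file is served over plain HTTP on port 80."""
    m = re.search(pattern, path)
    return TARGET + m.group(1) if m else None


def served_over_http(pattern, paths):
    """Paths that stay on port 80 under `pattern`."""
    return [p for p in paths if decide(pattern, p) is None]


# Constructed request paths, not taken from any real log.
SAMPLES = [
    "/",
    "/index.html",
    "/.well-known/pki-validation/fileauth.txt",
    "/.well-known",               # no trailing slash
    "/xwell-known/notes.txt",     # differs only in the first character
    "/app/.well-known/x",         # prefix not at the start of the path
]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name)
        for p in SAMPLES:
            print(f"  {p:45} -> {decide(pattern, p) or 'served over HTTP'}")
```

With the unescaped dot, a path such as /xwell-known/notes.txt also stays on plain HTTP; the escaped form exempts only paths that begin with /.well-known/.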