I use SSL from Cloudflare, do I need public_html/.well-known folder on my server?

I use SSL from Cloudflare, my hosting provider keeps creating .well-known/acme-challenge folder in my server’s public_html, and they tell me it’s required for SSL authentication.

Since I don’t use their certificate and use the one provided by Cloudflare, do I actually need that folder?

What SSL certificate were you using before you used Cloudflare? Was it Let’s Encrypt?

Before CF I didn’t have any.

But your hosting provider keeps creating the folder while you don’t have any SSL certificate? Looks weird.

Anyway, you should have a valid SSL certificate in your server too, if not your entire setup is still insecure (Cloudflare to server still uses HTTP).

You can generate an origin certificate from Cloudflare and then upload it to your hosting side:

And also switch your SSL encryption mode to Full (strict).

I’m switching from my old hosting provider to Bluehost, they both started to create that folder about 10 days ago, wasn’t there before, my web site worked with CF SSL for months w/o any hidden folders, maybe it’s triggered by some update to cPanel.

My question is, do I need that folder, I didn’t need it before.

I can’t switch encryption mode to full because my CF account will not work with Bluehost unless it’s flexible, just spent 5 days running in circles between CF and BH to figure that out, they assured me it’s the only way my personal CF account will work with their hosting.

If your hosting provider is not trying to issue any SSL cert then you don’t need it.


Still not a good idea. That’s why I encourage you to generate and upload the origin certificate to Bluehost.


It seems to be working now, thank you!

I’m curious. If SSL is so important to you, why would you willingly switch to a host that doesn’t provide it?


My old hosting provides it but it’s extra, I started using CF mostly because you provide a free SSL cert, Bluehost provides SSL cert but now I don’t need it from them, since I already have a CF account.

Where did you read that I “switched to a host that doesn’t provide it”?

Turns out BH won’t activate their built-in CF account because my domain isn’t registered with them but they still generate an SSL key that screws up my attempts to use full encryption between BH and CF and they tell me that the only way is to use flexible encryption because they have no clue.

Have to figure out everything myself.

SSL is not SO important to me, otherwise I would've paid for it but it’s a useful thing to have.

I’m not using SSL from any of these two companies, I’m using a CF one, still both companies create .well-known folder in my public_html and claim it cannot be deleted as it’s needed for SSL, which is not true. My old hosting started doing it about 10 days ago.

I admit it was an erroneous assumption. Since you value SSL, I figured you’d have it enabled at your host if it was possible.

That pretty much sums it up.

You really do if you’re serious about SSL. You’ve left your server connection unencrypted.

Would Bluehost let you upload your own certificate? Cloudflare can generate an origin cert that’s super easy to use. (Eric already posted a link to it)

I already deleted BH-generated SSL cert and replaced with one generated by CF as per suggestion and enabled full strict encryption and it works, so I accepted the solution.


Glad to see that.
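Added example, not part of the thread or of Cloudflare's or Bluehost's tooling: a shell check of the properties Full (strict) depends on for the origin certificate discussed above (it chains to the expected CA, it covers the site's hostname, and it has not expired). The file names and hostname in the usage line are placeholders; the CA file is assumed to be the root for whichever issuer signed the certificate installed at the host.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an origin certificate for the
# three things Full (strict) depends on: chain, hostname, expiry.
# Usage (placeholder names): sh check_origin.sh origin.pem ca-root.pem example.com

# check_origin_cert CERT_PEM CA_PEM HOSTNAME
# Prints one line per failed check and returns 0 only if every check passes.
check_origin_cert() {
    oc_cert=$1; oc_ca=$2; oc_host=$3; oc_rc=0

    # 1. Chain: the certificate must verify against the supplied CA file.
    #    Note: openssl verify may also accept CAs from the system trust store.
    if ! openssl verify -CAfile "$oc_ca" "$oc_cert" >/dev/null 2>&1; then
        echo "FAIL chain: $oc_cert does not verify against $oc_ca"
        oc_rc=1
    fi

    # 2. Hostname: the SAN (or CN, if there is no SAN) must cover the site name.
    #    openssl prints "does match" or "does NOT match"; grep for the former.
    if ! openssl x509 -in "$oc_cert" -noout -checkhost "$oc_host" 2>/dev/null \
            | grep -q 'does match'; then
        echo "FAIL hostname: certificate does not cover $oc_host"
        oc_rc=1
    fi

    # 3. Expiry: -checkend 0 exits non-zero if the certificate has expired.
    if ! openssl x509 -in "$oc_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL expiry: certificate has expired"
        oc_rc=1
    fi

    return "$oc_rc"
}

# Run the check when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_origin_cert "$@"
fi
```
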
