diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f7792ff..0766e649 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release.
 ## [Unreleased]
 
 ### Added
+* apache: the default VHost doesn't redirect to https for ".well-known" paths
 * apt: check if cron is installed before adding a cron job
 * apt: remove jessie/buster sources from Gandi servers
 * apt: verify that /etc/evolinux is present
diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2
index 157ff5fc..68cdcf84 100644
--- a/apache/templates/evolinux-default.conf.j2
+++ b/apache/templates/evolinux-default.conf.j2
@@ -43,6 +43,7 @@
         RewriteEngine on
         # Redirect to HTTPS, execpt for munin, because some plugins
         # can't handle HTTPS! :(
+        RewriteCond %{REQUEST_URI} !^/.well-known.*$ [NC] [OR]
         RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
         RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
         RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]