EFF's certbot, a tool for issuing LetsEncrypt SSL certificates, may generate verification strings / file names which start with an underscore. This causes a Zope BadRequest error.
The Github issue was closed by the certbot people, pointing to the following: their tool follows the ACME profocol, an Automatic Certificate Management Environment which may become an IETF standard.
I'm hoping someone here (Zope Foundation Board?) can pick up the ball and make a point with the IETF people to fix their may-be standard?
They are right: not accepting id's starting with an "_" is a Zope issue.
In the Python world, names starting with a single "" are considered (more or less) private. Zope enforces this convention by prohibiting (web request) traversal via url steps starting with "" and correspondingly prevents the use of ids starting with "_".
In the Plone world, the ids are usually automatically derived from the object title. You might use such a logic (and part of its implementation) to derive valid ids from the LetsEncrypt ids.
taken into account that the "/.well-known/" URIs are something relatively "new" (defined in RFC 5785, in 2010, but mostly unused until a couple of years ago), I think you're right and we may have an issue here if other well-known URIs also use filename starting with an underscore.
anyway, in your specific use case I still think that file must not be locate inside Zope or Plone, as the SSL end point is in your Apache web server as you mentioned.