Support HTTP Basic Authentication with webroot #1744

Closed
mikehaertl opened this issue Dec 4, 2015 · 11 comments

Comments

@mikehaertl

commented Dec 4, 2015

When using the webroot method it would be great if we could supply a username/password combination. I therefore propose a feature like -u user:password or similar.

@chriscroome

commented Dec 4, 2015

I came up against this issue; the way I resolved it was to not require HTTP Authentication for /.well-known/acme-challenge. For example, if you use a .htaccess file for enforcing HTTP Authentication:

AuthUserFile /var/www/example/.htpasswd
AuthType Basic
AuthName "My Private Stuff"
Require valid-user

And then at an Apache configuration level set an Alias so that /.well-known/acme-challenge is somewhere else, for example:

Alias "/.well-known/acme-challenge" "/var/www/lets-encrypt/example/.well-known/acme-challenge"

Then create directories for each VirtualHost and use the Alias directory for -d on the command line.

@pde

Member

commented Dec 4, 2015

This would require a change to the IETF ACME spec, so flagging it "wontfix" in the client for now.

@pde pde closed this Dec 4, 2015

@mikehaertl

Author

commented Dec 5, 2015

That's what I did now, thanks. For the record here's my config for nginx:

# Main SSL Site (Basic Auth applies to everything served here)
server {
    server_name www.example.com;
    root /var/www/www.example.com;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/passwd;

    listen *:443 ssl;
    ssl_certificate             /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/www.example.com/privkey.pem;
    # ...
}

# Redirect 80 -> 443 (SSL); no auth_basic in this block
server {
    server_name www.example.com;
    root /var/www/www.example.com;
    listen *:80;

    location / {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    # Exclude let's encrypt: this prefix is served from root over plain HTTP
    # instead of being redirected, so the HTTP-01 validation never hits auth_basic
    location /.well-known {
    }
}
@PatrickCronin

commented Mar 21, 2016

Another way, if using Apache 2.4, is to add a Require directive above valid-user that allows requests to Let's Encrypt's URLs:

<Location />
    AuthUserFile /var/www/example/.htpasswd
    AuthType Basic
    AuthName "My Private Stuff"
    # Several Require lines in one section are combined as RequireAny, so a
    # URI matching the expression is granted without any authentication
    Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/#
    Require valid-user
</Location>
@kohkimakimoto

commented Sep 14, 2016

I'm using the following configuration on Apache 2.2. It works well.

<Location />
    # Satisfy Any: either a valid user OR the Allow rule below is enough
    Satisfy Any
    AuthType Basic
    AuthName "My Private Stuff"
    AuthUserFile /var/www/example/.htpasswd
    Require valid-user

    # Flag ACME requests by URI (anchored, so only the real prefix matches)
    SetEnvIf Request_URI "^/\.well-known/acme-challenge/" acme-challenge
    Order Deny,Allow
    Deny from all
    Allow from env=acme-challenge
</Location>
@binarykitchen

commented Dec 22, 2016

And how can we do the same for nginx?

@mikehaertl

Author

commented Dec 23, 2016

@binarykitchen Uhm, there's an example above? #1744 (comment)

@cvbkf

commented Jan 17, 2017

@binarykitchen @mikehaertl

There is a much easier solution, which disables auth basic for acme-challenge only.

location /.well-known/acme-challenge {
    auth_basic off;              # no Basic Auth for this prefix only
    root /var/www/letsencrypt;   # files are read from /var/www/letsencrypt/.well-known/acme-challenge/
}
@mikehaertl

Author

commented Jan 18, 2017

@cvbkf Hmm, how is it easier? Note that my example above is a full domain configuration, including a redirect from insecure port 80 to secure 443.

@patricknelson

commented May 17, 2017

🎉 Great idea, thanks @kohkimakimoto!

@xshadow

commented Mar 26, 2018

You could also add a Directory directive for your .well-known directory, instead of using the Location directive:

# Apache 2.4

<Directory /var/www/mywebsite.com/www>
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /var/www/mywebsite.com/.htpasswd
    Require valid-user
</Directory>

# Allow access to .well-known directory, to enable LetsEncrypt ACME Challenge.
# The more specific <Directory> is merged last, so its Require replaces
# "Require valid-user" for everything under .well-known
<Directory /var/www/mywebsite.com/www/.well-known>
    Require all granted
</Directory>

But I like @PatrickCronin's and @kohkimakimoto's idea of limiting it to Let's Encrypt requests.
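Every variant in this thread (the Alias, the nginx server and location blocks, the Apache 2.2 Satisfy Any and 2.4 Require forms, and the Directory version) is meant to give the same security property: everything stays behind Basic Auth except the exact /.well-known/acme-challenge/ prefix, as matched after the server has decoded and normalised the request path. The following is an added example, not code from this issue or from the Let's Encrypt client. It is a Python stand-in server that enforces that policy, a path check that refuses ../ and %2e%2e traversals back out of the exempt prefix, and a probe, check_acme_exemption(), that returns the status codes a correctly configured host should show (challenge 200 with no credentials, root 401 without and 200 with them, traversal never 200). The user alice/s3cret, the token token123 and its key authorization are constructed values.

```python
"""Check that HTTP Basic Auth is bypassed only for the ACME HTTP-01 path.

Added example, not from this thread or the Let's Encrypt client. The stand-in
server applies the policy of the nginx/Apache snippets above (Basic Auth
everywhere except /.well-known/acme-challenge/) so the probes run offline;
check_acme_exemption() can equally be aimed at a real host.
"""
import base64
import hmac
import posixpath
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
USERS = {"alice": "s3cret"}                              # constructed htpasswd stand-in
TOKENS = {"token123": "token123.constructed-key-authz"}  # constructed token -> key authorization


def is_acme_exempt(raw_path):
    """True only for a decoded, normalised path under ACME_PREFIX, so the
    traversal /.well-known/acme-challenge/../../secret (or its %2e%2e form)
    and /private/.well-known/acme-challenge/x stay behind authentication."""
    path = urllib.parse.unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.startswith(ACME_PREFIX)


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header):
    """Validate an 'Authorization: Basic ...' value against USERS (constant-time compare)."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class PolicyHandler(BaseHTTPRequestHandler):
    """ACME challenge path open to anyone; everything else needs Basic Auth."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _reply(self, code, body, challenge=False):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        if challenge:
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted"')
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if is_acme_exempt(self.path):
            key_authz = TOKENS.get(self.path.rsplit("/", 1)[-1])  # what the ACME server fetches
            self._reply(200 if key_authz else 404, key_authz or "unknown token\n")
        elif basic_auth_ok(self.headers.get("Authorization")):
            self._reply(200, "private content\n")
        else:
            self._reply(401, "auth required\n", challenge=True)


def start_stand_in_server():
    """Serve PolicyHandler on an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), PolicyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def http_get(url, creds=None):
    """GET url with proxies disabled; returns (status, body)."""
    req = urllib.request.Request(url)
    if creds:
        req.add_header("Authorization", basic_header(*creds))
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_acme_exemption(base_url, token, creds):
    """Status per probe: a correct deployment gives challenge 200, root 401
    without and 200 with credentials, and never 200 for the traversal probe."""
    return {
        "challenge_no_auth": http_get(f"{base_url}{ACME_PREFIX}{token}")[0],
        "root_no_auth": http_get(f"{base_url}/")[0],
        "root_with_auth": http_get(f"{base_url}/", creds)[0],
        "traversal_no_auth": http_get(f"{base_url}{ACME_PREFIX}../../secret")[0],
    }


if __name__ == "__main__":
    server, base = start_stand_in_server()
    print(check_acme_exemption(base, "token123", ("alice", "s3cret")))
    server.shutdown()
```

Against a real nginx or Apache host, call check_acme_exemption("https://www.example.com", token, creds) with a token file you placed in the webroot yourself: a 200 on root_no_auth means the exemption is wider than the challenge prefix, and a 401 on challenge_no_auth means the HTTP-01 validation request will fail. Both nginx's location matching and Apache's <Location> operate on the decoded, normalised URI, which is why the traversal probe is expected to land on the protected path rather than inside the exemption.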
