Apache 'AuthType Basic' not working after certbot install

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): Ubuntu 18.04
My OS is: Ubuntu 16.04
The version of my client is certbot 0.31.0

We have used this config in the past to enable Apache basic auth. We want to protect the entire site. After Let's Encrypt installation, the config for basic auth is being ignored.

Here is my ssl vhost config; “my.host-le-ssl.conf”

<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName my.host
        ServerAlias www.my.host

        #RedirectMatch 301 /(.*) https://*.yourdomain.com/$1

        DocumentRoot /usr2/www/my.host

        <Directory "/usr2/www/my.host">
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Directory>

        ### Removed Index Browsing      
        <Directory /usr2/www/my.host>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>

         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

Alternatively I have tried this addition to the SSL vhost config also to no avail:

<Location /usr2/www/my.host>
    Satisfy Any
    AuthType Basic
    AuthName "Site under maintenance - be back soon"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user

    SetEnvIf Request_URI "/.well-known/acme-challenge" acme-challenge
    Order Deny,Allow
    Deny from all
    Allow from env=acme-challenge
</Location>  

Any help would be great; this is a work stoppage for us. Thank you in advance.

-Erin

1 Like

That all looks to be in the HTTPS section.
Are you forwarding all HTTP to HTTPS?

If so, maybe you could make an exception and handle the auth requests in HTTP.
That way your HTTPS can be “better” locked down.

If not, can we have a look at the HTTP section?

And in case you may think that I’m “avoiding” your question…
Well, I probably am; as it seems to be a web server programming one.
And this is a forum for LE certificate issues.

1 Like

Thank you so very much, I know this is not really on topic here - so one more shot if anything jumps out at you - because it all looks good to me too. I miss subtle things in Apache configs sometimes:

Here is the whole ssl config (sans some config minutia as noted):

SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)

   <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            ServerName my.host
            ServerAlias www.my.host

    #RedirectMatch 301 /(.*) https://*.yourdomain.com/$1

    DocumentRoot /usr2/www/my.host

    <Location /usr2/www/my.host>
         Satisfy Any
         AuthType Basic
         AuthName "Site under maintenance - be back soon"
         AuthUserFile /etc/apache2/.htpasswd
         Require valid-user

         SetEnvIf Request_URI "/.well-known/acme-challenge" acme-challenge
         Order Deny,Allow
         Deny from all
         Allow from env=acme-challenge
    </Location>

    ### Removed Index Browsing      
    <Directory /usr2/www/my.host>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

     ...[logging config, caching config omitted]

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.my.host/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.my.host/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLUseStapling on
    Header always set Content-Security-Policy upgrade-insecure-requests

And now the normal port 80 config:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName my.host
        ServerAlias www.my.host

        DocumentRoot /usr2/www/my.host

        <Location /usr2/www/my.host>
            Satisfy Any
            AuthType Basic
            AuthName "Site under maintenance - be back soon"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
            SetEnvIf Request_URI "/.well-known/acme-challenge" acme-challenge
            Order Deny,Allow
            Deny from all
            Allow from env=acme-challenge
        </Location>

        ### Removed Index Browsing      
        <Directory /usr2/www/my.host>
            Options FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>

         ...[logging config, caching config omitted]

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.my.host [OR]
RewriteCond %{SERVER_NAME} =my.host
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
1 Like

Those two things don't seem to add up.
If the document root is
/usr2/www/my.host
then the location for
/usr2/www/my.host
Would be found at:
http(s)://your.domain/usr2/www/my.host/*
I don't think that is what you meant to do.

The document root:
/usr2/www/my.host
corresponds to:
http(s)://your.domain/
Which (within this context/section) would be:
<location />

I think you may have confused "Directory" with "Location".
See: Difference between <Location> and <Directory> Apache directives - Server Fault

1 Like
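A small lint for the mix-up identified in the reply above, added here as an example (it is not part of any poster's message, nor Apache or certbot code): it flags `<Location>` blocks whose argument is a filesystem path at or below `DocumentRoot` and reports the URL path that was probably meant. The names `find_misplaced_locations` and `SAMPLE_VHOST` are hypothetical, and the sample config is constructed from the vhost posted in this thread.

```python
import posixpath
import re

# Constructed sample modelled on the port-443 vhost posted in this thread.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName my.host
    DocumentRoot /usr2/www/my.host
    <Location /usr2/www/my.host>
        AuthType Basic
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
"""

DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.I)
# "\s+" after the name keeps <LocationMatch> (a regex, not a path) out.
LOCATION_RE = re.compile(r'^\s*<Location\s+"?([^">\s]+)"?\s*>', re.I)


def find_misplaced_locations(config_text):
    """Return (line_no, location_arg, suggested_url_path) for each <Location>
    whose argument is a filesystem path at or below a DocumentRoot."""
    lines = config_text.splitlines()
    # Collect every DocumentRoot in the file (not per vhost); "/" is skipped.
    roots = set()
    for line in lines:
        m = DOCROOT_RE.match(line)
        if m and posixpath.normpath(m.group(1)) != "/":
            roots.add(posixpath.normpath(m.group(1)))
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOCATION_RE.match(line)
        if not m:
            continue
        loc = posixpath.normpath(m.group(1))
        for root in sorted(roots):
            if loc == root or loc.startswith(root + "/"):
                # Strip the DocumentRoot prefix to get the URL path meant.
                findings.append((line_no, m.group(1), "/" + loc[len(root):].lstrip("/")))
                break
    return findings


if __name__ == "__main__":
    for line_no, arg, url_path in find_misplaced_locations(SAMPLE_VHOST):
        print(f"line {line_no}: <Location {arg}> is a filesystem path; use <Location {url_path}>")
```

A finding means the auth directives inside that block only apply to a URL such as `https://my.host/usr2/www/my.host/`, so the site itself is served without them.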

Lordy yes. The docs, of course. I chipped in $25 and will render a further penance in the form of public service to balance your generosity. Thank you Rudy.

2 Likes
