How to allow acme-challenge through basic auth on nginx

bmiller100wpm · March 21, 2016, 10:20pm

Hi,

The title pretty much says it all. I have basic auth enabled on my nginx server as follows:

location / {
    try_files $uri $uri/ /index.php?$query_string;
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

This causes the below error to occur when trying to install or auto-renew a Let’s Encrypt certificate. Error message:

 + Requesting challenge for example.com...
 + Responding to challenge for example.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://example.com/.well-known/acme-challenge/9FCJa2g5OZWcU83YfJ6223t9kv9_u8j75KDpyO9euec [45.55.39.187]: 404"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/TSG_-qzqGvT16tqGPH5jqjWYKV_ky32kHq1S8J405DQ/30280009","token":"9FCJa2g5OZWcU83YfJ6223t9kv9_u8j75KDpyO9euec","keyAuthorization":"9FCJa2g5OZWcU83YfJ6223t9kv9_u8j75KDpyO9euec.je__JRh2XWYCIoXFLLphIk9Ts6EC7VgXyd3FG2GhI-0","validationRecord":[{"url":"http://example.com/.well-known/acme-challenge/9FCJa2g5OZWcU83YfJ6223t9kv9_u8j75KDpyO9euec","hostname":"example.com","port":"80","addressesResolved":["45.55.39.187"],"addressUsed":"45.55.39.187"}]})

Thus, I have tried adding the below exception to allow the acme-challene to pass through the basic authorization I have set up:

location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
}

and many variations of the above; however, I continue to receive the same error as below. I was wondering if you can find a problem in my configuration above or if you have other suggestions.

Thank you for your help.

sahsanu · March 21, 2016, 11:24pm

Hello @bmiller100wpm,

I can’t see any problem with your location conf. The first thing you need to check is that you can reach the acme challenge because the error you are getting is a 404 Not found. Put a file in your /path/to/documentroot/.well-known/acme-challenge/hereyourtestfile and browse it http://yourdomain.tld/.well-known/acme-challenge/hereyourtestfile.

In your nginx error log you should have more details about what is going on. Anyway, you didn’t show your entire nginx server block nor the command you used to launch letsencrypt-auto so it’s complicated to help you .

Cheers,
sahsanu

bmiller100wpm · March 22, 2016, 4:04pm

Hi @sahsanu,

Thanks for the reply. I can reach http://yourdomain.tld/.well-known/acme-challenge/test.txt with the above settings, yet I also get the same error message.

I’m using a service to launch letsencrypt-auto and I gave you all the information I have, except for the following lines in the error log:

Cloning into 'letsencrypt1458662167'...
nginx stop/waiting
nginx start/running, process 8272
# INFO: Using main config file /root/letsencrypt1458662167/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing example.com
 + Signing domains...
 + Creating new directory /root/letsencrypt1458662167/certs/example.com ...
 + Generating private key...
 + Generating signing request...

Here is the rest of my server block:

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/before/*;

server {
    listen 80;
    server_name example.com;
    root /home/forge/example.com;

    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate;
    # ssl_certificate_key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/example.com/server/*;

location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
}

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/after/*;

Thanks again for any help that can be provided.

sahsanu · March 22, 2016, 4:23pm

Hello @bmiller100wpm,

I can’t see any problem in your nginx conf. So, next step is to know what are the parameters passed to letsencrypt-auto. I don’t know what that service does but I suppose that you are using certonly method with webroot authentication so you must be sure that you are specifying the right paths for your domain’s document root.

Anyway, you could try to run the letsencrypt-auto command by hand to be sure that the problem is not that service or how it is configured…

Cheers,
sahsanu

system · April 21, 2016, 4:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.