How to allow certbot on an access controlled domain?


#1

Usually I have a host at port 80 redirecting to 443 which in turn is access controlled like:

        <Directory /var/www/htdocs/path/to/site/>
            AuthType Basic
            AuthName "Access to mysite"
            AuthUserFile "/path/to/.htpasswd"
            <RequireAny>
                    Require valid-user
                    Require ip 91.65.57.116
            </RequireAny>
    </Directory>

Just for certbot I do the following on 80 to allow passing the challenge.

	<Directory /var/www/htdocs/path/to/site/>
	<IfModule mod_rewrite.c>
		RewriteEngine on
		RewriteBase /
		RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
		RewriteRule ^(.*) https://www.example.de/$1 [R=301,L]
	</IfModule>
</Directory>

Now I have the desagreable situation that I do not redirect 80 to 443 but already have access control on 80. Any clue how to combine the two allowing certbot to pass? I am asking since certbot runs into a authentication error on 80 now.

Thanks for your time and help.


How to allow certbot on an access controlled domain 443? Apache
#2

If you’re doing HTTP validation, Let’s Encrypt needs to be able to reach you on port 80 from anywhere on the Internet, at the /.well-known/acme-challenge path. If that isn’t desirable for you, look into DNS validation instead.


#3

Exactly, this is why I posted my question. I am sure that there is a way to configure Apache like this. In case there is anybody around with a solution I will gladly use it.

This is not an option to me since it is a very painful method.


#4

Are you using certbot’s apache authenticator or its webroot authenticator? I think the apache authenticator should be able to handle this situation automatically (provided your version of certbot isn’t too old).

If you need to use the webroot authenticator for some reason, you might try whitelisting the /.well-known/acme-challenge path so that it doesn’t require a password. The following works for me:

<Location /.well-known/acme-challenge>
  Require all granted
</Location>

#5

Yeah, I am using the webroot authenticator. Wonderful solution which appears not to be too difficult, but I am obviously not an Apache guru. Anyways, this was exactly what I was looking for and it works perfect. Thanks a lot for helping me out of my misery and have a great day!!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.