Htaccess password protected directory doesn't work with https

I have a password protected directory on my server that I want to enable https on but Let’s Encrypt doesn’t seem to be able to authenticate because .well-known is within the password protected directory.

I tried the commented out portion but it gives me 403 errors.
Also, this htaccess is within the root of my pw protected subdomain my.cpacontentplus.com

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# SetEnvIf Request_URI "^\/home\/cpacontentplus\/my\.cpacontentplus\.com\/\.well-known/"  acme
# ORDER DENY,ALLOW
# DENY FROM ALL
# Allow from env=acme

# BEGIN WordPress
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
# END WordPress
</IfModule>

AuthUserFile "/home/cpacontentplus/.htpasswds/my.cpacontentplus.com/passwd"
AuthName "My CPA Content Plus"
AuthType Basic
require valid-user

Hi,

You can exclude that directory from normal, or use webroot to avoid this case.

Thank you

I’m sorry, I’m not too keen on htaccess and apache config, not sure what to do from what you mention.

This might be a simple solution: create the .well-known directory if it doesn’t already exist, and add another .htaccess file inside it with just the line Satisfy any (hopefully your acme client won’t delete the non-empty directory afterwards).

Please better describe what doesn’t work.
And what exactly are you trying to do that is failing.

HTTP prompts for authentication
HTTPS does not.

@jmorahan Satisfy any in the .htaccess within my .well-known directory did not work.

@rg305 I’m trying to access a site within a password protected directory over https and getting a “Your connection is not private…” error. I’ve tried adding Satisfy any to the htaccess within .well-known as well as tried the commented out lines in my initial post.

# SetEnvIf Request_URI "^\/home\/cpacontentplus\/my\.cpacontentplus\.com\/\.well-known/"  acme
# ORDER DENY,ALLOW
# DENY FROM ALL
# Allow from env=acme

You’re probably in the wrong area.
Look for 443 or a listen statement.
https://my.cpacontentplus.com shows:
com

Start by answering as much of this as you can:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hm. Looking at that again I think you might also need to add Allow from all as well.

That block seems to be from :80

Where is the :443 block?

This is what I get at https://my.cpacontentplus.com

click ADVANCED
then click “Proceed to my.cpacontentplus.com (unsafe)”
You will see what I already posted: Your hosting provider - not your site at all.

The reason for that is most likely due to some shared hosting (panel) that is misconfigured or lacks proper configuration…
But if you would have answered all the questions (above) we would already know that.

Tried this and didn't work either:
Allow from all
Satisfy any

And I repeat myself:

Okay, I don’t know why that’s not working. Another thing to try maybe: in your main .htaccess,

SetEnvIf Request_URI "^/\.well-known/"  acme
Allow from env=acme
Satisfy any

My domain is: my.cpacontentplus.com

I ran this command: https://my.cpacontentplus.com

It produced this output: Connection not private

My web server is (include version): Apache 2.2.34

The operating system my web server runs on is (include version): Linux (version not immediately available)

My hosting provider, if applicable, is: A2 Hosting

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 68.0 (build 37)

Go into cPanel and ensure your site is enabled for HTTPS.

Sorry, I cleared the cache and tried again and this in fact worked:
Allow from all
Satisfy any
I put that in the .htaccess within the .well-known directory within my pw protected subdomain.

Thank you!
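
Added example (not code from any participant in this thread): a shell script that writes the `.htaccess` the thread settled on into `.well-known` and then checks, without credentials, that the challenge path answers 200 while the site root still answers 401. The base URL, docroot argument, probe file name and verdict strings are assumptions; the directives are the Apache 2.2 syntax used on this server, and `.htaccess` overrides for them are assumed to be allowed.

```shell
#!/bin/sh
# Added example: exempt only the ACME challenge area from Basic auth (Apache 2.2
# syntax, as in the thread) and verify the result without credentials.

# Create DOCROOT/.well-known/acme-challenge and the .htaccess that lifts auth there.
write_acme_exemption() {
    docroot=$1
    mkdir -p "$docroot/.well-known/acme-challenge" || return 1
    cat > "$docroot/.well-known/.htaccess" <<'EOF'
# Apache 2.2: admit every host, and accept host access OR a valid user
Allow from all
Satisfy any
EOF
}

# Classify two unauthenticated status codes: challenge path first, site root second.
verdict() {
    challenge=$1 root=$2
    case $challenge in
        200) ;;
        401|403) echo "challenge-blocked"; return 1 ;;
        *) echo "challenge-unexpected-$challenge"; return 1 ;;
    esac
    # The exemption must not leak: the rest of the site still has to ask for a password.
    if [ "$root" != 401 ]; then echo "root-$root-expected-401"; return 1; fi
    echo "ok"
}

# Drop a probe file, fetch it and the site root over plain HTTP (HTTP-01 uses port 80).
check_exemption() {
    base=$1 docroot=$2
    probe="probe-$$"   # constructed file name, removed afterwards
    echo probe > "$docroot/.well-known/acme-challenge/$probe"
    c=$(curl -s -o /dev/null -w '%{http_code}' "$base/.well-known/acme-challenge/$probe")
    r=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
    rm -f "$docroot/.well-known/acme-challenge/$probe"
    verdict "$c" "$r"
}

# Usage (hypothetical names): sh acme-exempt.sh http://my.example.test /path/to/docroot
if [ $# -eq 2 ]; then
    write_acme_exemption "$2" && check_exemption "$1" "$2"
fi
```

A `challenge-blocked` result means the exemption is not being honoured; a `root-...-expected-401` result means the password prompt is no longer enforced at the site root and the placement of `Satisfy any` should be reviewed.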
