Letsencrypt broken basic authentication on site


#1

Hi Guys.

I have one website which had a .htpasswd protection so users have to authenticate to view the page.

This all worked fine with none https

After i’ve installed Letsencypt although the HTTPS works fine, no problems there it is ignoring the .htpasswd and anybody can view the site which is not good.

The 000-default-le-ssl.conf and 000-default.conf are almost the same bar the ssl additions LE made.

000-default-le-ssl.conf <IfModule mod_ssl.c> <VirtualHost *:443>

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName …com

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory “/var/www/html”>
Options Indexes FollowSymLinks
AllowOverride All
AuthType Basic
AuthName “Restricted Content”
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>

<files xmlrpc.php>
order allow,deny
deny from any
</files>

SSLCertificateFile /etc/letsencrypt/live/***.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/***.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

000-default.conf <VirtualHost *:80>

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

ServerName [***.com]()

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

&lt;Directory "/var/www/html"&gt;

    Options Indexes FollowSymLinks

    AllowOverride All

    AuthType Basic

    AuthName "Restricted Content"

    AuthUserFile /etc/apache2/.htpasswd

    Require valid-user

&lt;/Directory&gt;

    &lt;files xmlrpc.php&gt;

    order allow,deny

    deny from any

    &lt;/files&gt;

RewriteEngine on

RewriteCond %{SERVER_NAME} =***.com

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

Note - If i change the AllowOveride to None on the SSL conf the password protection does work, however then none of my permalinks and articles DO.

Im new to Letsencrypt and my installation was just the defaults. Other than this password protection being ignored in SSL everything else is working great.

I did find the below thread:

However the solution does not seem clear as my directories in the conf files are correct?

Thanks in advance.


#2

Do you have a .htaccess file in /var/www/html and if so what does it contain?


#3

Jeez, i never even thought to look in the root DIR.

There was a HT access file with the Wordpress Rewrite rules.

However it also had a Satisfy any rule, after removing that it works as it used too.

Thanks very much for the hint!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.