Nginx basic auth does not load certbot SSL?

I'm running Ubuntu 24.04, nginx, and certbot (installed via snap).

My nginx config is:

server {
    server_name admin.example.com;

    location / {
        ...
        auth_basic              "Restricted";
        auth_basic_user_file    /etc/apache2/htpasswd;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = admin.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name admin.example.com;
    return 404; # managed by Certbot
}

The problem:
When I visit admin.example.com, I get prompted by nginx for credentials in my htpasswd. The issue is the SSL cert is not loaded, and the page is labeled as "Not Secure". However, if I successfully log in, I'm taken to the webpage which does load the correct ssl cert. It's only on the htpasswd prompt that's not secure.

How can I get nginx to use the ssl cert installed by certbot when prompting for password authentication?

I am confident the HTTPS connection is working. But, your browser may show "Not Secure" for other reasons. Usually clicking the warning icon displays more info.

It is probably just that you have not yet completed the authentication.

Not that this should matter but I was surprised to see an apache2 folder referenced in an nginx config. Nothing technically wrong but people don't usually have both running at the same time.

1 Like

Is there a way to make sure it really is using the ssl cert? Because in Chrome and Edge browser, both say "Your connection to this site is not secure" whenever I get the password prompt. I don't see the ssl cert details anywhere, usually there is a lock icon that I can click on and it'll show me the ssl cert.

If I click cancel on the password box, the page then shows a 401 Authorization Required page error, but the site is secure with the ssl cert (both browsers display the lock icon that displays the cert details).

You could do a network trace like with Wireshark. Or maybe even be able to see enough in the Developer Tools / Network section of Chrome / Edge.

If you share the actual domain name someone may look at it further. I don't have time to set up a test case and see how Chromium browsers show this auth page.

These docs describe that the authentication occurs after the TLS (HTTPS) session is established. Lots of Google results say the same. HTTP authentication - HTTP | MDN

This isn't so much a cert issue but a server security issue. You might also ask on an nginx or server admin forum if no one else offers comments here. Or Chrome forum.

1 Like
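
A command-line way to check the ordering the last reply describes: the TLS session and certificate verification complete before nginx sends the 401 Basic challenge. This is an added example, not part of any post in the thread; `check_tls_then_auth`, `sample_trace` and the trace it prints are constructed for illustration, and it assumes a curl built with OpenSSL, whose verbose output uses these line formats.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Reads `curl -sv` output on stdin and
# checks that certificate verification happened before the 401 Basic challenge.
# Live use:  curl -sv -o /dev/null https://admin.example.com/ 2>&1 | check_tls_then_auth

check_tls_then_auth() {
  awk '
    /^\* +subject:/ { s = $0; sub(/^\* +subject: */, "", s); subject = s }
    /^\* +SSL certificate verify ok/ { if (!verified) verified = NR }
    /^< HTTP[^ ]* 401/ { if (!challenge) challenge = NR }
    tolower($0) ~ /^< www-authenticate: *basic/ { basic = 1 }
    END {
      if (!verified)            { print "FAIL: no verified TLS session in trace"; exit 1 }
      if (!challenge || !basic) { print "FAIL: no 401 Basic challenge in trace"; exit 1 }
      if (verified > challenge) { print "FAIL: 401 seen before certificate verification"; exit 1 }
      printf "OK: %s verified at line %d, 401 Basic challenge at line %d\n", subject, verified, challenge
    }'
}

# Constructed sample of curl -sv output (OpenSSL backend), trimmed.
sample_trace() {
  cat <<'EOF'
* Connected to admin.example.com (203.0.113.10) port 443
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=admin.example.com
*  subjectAltName: host "admin.example.com" matched cert's "admin.example.com"
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: admin.example.com
>
< HTTP/1.1 401 Unauthorized
< Server: nginx
< WWW-Authenticate: Basic realm="Restricted"
EOF
}

sample_trace | check_tls_then_auth
```

A trace that fails this check (no "verify ok" line, or a 401 with no preceding handshake) would mean the credentials prompt is being served outside a verified TLS session.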
