Will Certificate for phpMyAdmin Update with IP Restriction?

I've set up a certificate for my installation of phpMyAdmin on my server. This is a part of the phpMyAdmin.conf file:

	<Directory /usr/share/phpMyAdmin/>
	    AddDefaultCharset UTF-8
	    Options none
	    AllowOverride None
	    AuthType basic
	    AuthName "Authentication Required"
	    AuthUserFile /etc/phpMyAdmin/.htpasswd
	    Require valid-user
	    <RequireAny>
	        Require ip 111.111.111.111
	    </RequireAny>
	</Directory>

This restricts the app to just my IP number for security.

I also have .htpasswd set up to protect the /usr/share/phpMyAdmin directory.

Will this prevent certbot from being able to renew the certificate when it comes time? Or does this only restrict the web browser?


My web server is: Apache 2.4.37
The operating system my web server runs on is (include version): AlmaLinux 8.6
I can log in to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: 1.22.0

Depends on how you get your certificate, I believe. Using the webroot plugin and if /usr/share/phpMyAdmin/ is the webroot of your site then yes, it would prevent Certbot from renewing successfully. But if you're using the apache plugin, then I believe it might just work.

You can test renewal by running certbot renew --dry-run.

2 Likes

I created the certificate using certbot on the command line, and I just tried the dry run and you're right, the certificate won't renew. Drats!!

I can't figure out a way to secure access to phpMyAdmin and have SSL at the same time. I guess I have to pick one or the other.

You just have to allow access to the /.well-known/acme-challenge/ path for anyone.

3 Likes

Thanks, that's what I needed to know to come up with this solution:

	<Directory /usr/share/phpMyAdmin/>
	    AddDefaultCharset UTF-8
	    Options none
	    Order deny,allow
	    Deny from all
	    Allow from 111.111.111.111
	    AllowOverride None
	    AuthType basic
	    AuthName "Authentication Required"
	    AuthUserFile /etc/phpMyAdmin/.htpasswd
	    Require valid-user
	</Directory>

	<Directory /usr/share/phpMyAdmin/.well-known/acme-challenge/>
	    Satisfy any
	</Directory>

Adding the Satisfy any directive for the subdirectory where LE needs access seems to have worked when I did the dry run. It also protects the main directory with authentication and SSL.

2 Likes
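
The same policy written in Apache 2.4's native authorization directives, as an added example that is not part of the thread or any poster's configuration. It assumes the virtual host's DocumentRoot (and certbot's webroot) is /usr/share/phpMyAdmin, as the posts above imply, and that mod_authz_core, mod_authz_host and mod_auth_basic are loaded; 111.111.111.111 is the thread's placeholder address.

```apache
# Added example. Assumption: DocumentRoot and certbot webroot are
# /usr/share/phpMyAdmin.

# Pitfall on 2.4: Require directives that sit side by side at the top level
# of a section are combined as an implicit <RequireAny>. A layout such as
#
#     Require valid-user
#     <RequireAny>
#         Require ip 111.111.111.111
#     </RequireAny>
#
# therefore grants access when EITHER condition matches: the listed IP
# without a password, or any address with a valid password.

<Directory /usr/share/phpMyAdmin/>
    AddDefaultCharset UTF-8
    Options None
    AllowOverride None

    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile /etc/phpMyAdmin/.htpasswd

    # Both conditions must hold: allowed source IP AND a valid login.
    <RequireAll>
        Require ip 111.111.111.111
        Require valid-user
    </RequireAll>
</Directory>

# HTTP-01 validation requests arrive from the CA's servers, from arbitrary
# addresses and without credentials, so only this path is opened up.
# With the default "AuthMerging Off", the Require below replaces the
# parent's <RequireAll> for this directory instead of adding to it.
<Directory /usr/share/phpMyAdmin/.well-known/acme-challenge/>
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

After reloading Apache, `certbot renew --dry-run` (mentioned earlier in the thread) confirms the challenge path is reachable, and a request to the phpMyAdmin root from any other address should return 403.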