Auto SSL and Password Protected Directory

[jeffstu]

I came across an issue this morning where Auto SSl was failing due to the directory being password protected.

Example Log.

The “cPanel” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problem:
sub.domain.co.uk [ Last AutoSSL Run at “2017-11-15 at 21:14:04 UTC” ]

The system queried for a temporary file at “http://sub.domain.co.uk/.well-known/pki-validation/***************.txt”, but the web server responded with the following error: 401 (Unauthorized). A DNS (Domain Name System) or web server misconfiguration may exist.

To get around this I've added a .htaccess file in the .well-known directory

Satisfy Any
Order Allow,Deny
Allow from all

This seems to work but it is unclear if this will get removed at some point.

An alternative I found prior to this was to add an Allow from into the .htaccess with the AuthuserFile lines but this bypasses the password to the entire directory for that IP.

AuthUserFile "/home/.../passwd"
AuthName "Password"
AuthType Basic
require valid-user
#Added lines below
Order deny,allow
Allow from 91.199.212.132
Satisfy Any

I wanted to allow secure.comodo.net, but this failed so I looked up the IP and allowed that instead which worked and AutoSSL obtained a new IP, (secure.comodo.net currently has address 91.199.212.132) I can see this failing if the IP ever changes so opted for the .htaccess in the .well-known directory.

I'm going to continue looking into why the fqdn didn't work as the documentation suggests a fqdn should work, but i'll be looking to put it in the .well-known/.htaccess to make that directory as secure as possible.

I couldn't find a suitable solution on the forums so thought i'd share my findings this morning.

 

[jeffstu]

Another alternative

<FilesMatch  "[A-F0-9]{32}\.txt">
Satisfy Any
Order Allow,Deny
Allow from all
</FilesMatch>

To allow access to files that contain letters or Numbers and are 32 characters long and end in .txt

I've raised a case with Cpanel to see if this can be added by default so that Auto SSL can work for password protected Directories.

 

[cPWilliamL]

Hi,

Similar to the previous user suggested, I would recommend excluding the path from your Basic Auth; although, the filematch is not a bad solution either. I could certainly see this making it into the product down the road. I'd still recommend submitting a feature request just so other's could vote and voice their opinion.

Thanks,

Edit: We are tracking this improvement to AutoSSL via case CPANEL-16958

 

[cPanelMichael]

Hello,

To update, internal case CPANEL-16958 is scheduled for inclusion with cPanel version 70. The case adds new functionality to the "Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)" option in "WHM >> Tweak Settings" so that it whitelists AutoSSL validation attempts for websites using password protected directories.

Thank you.