The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

AutoSSL and password protected domains

Discussion in 'Security' started by morrow95, Mar 1, 2017.

Tags:
  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    104
    Likes Received:
    2
    Trophy Points:
    168
    I started using AutoSSL when it became available and I have to say I really like it as it is one less thing to worry about and take care of. BUT...

    I have a few domains which I have setup basic authorization for on the public_html folder. In other words, you need to 'login' before you can view anything on the domain. These are domains I use for testing purposes generally. AutoSSL renewal fails on these domains because it cannot create/access the text verification file that is added to the root directory now that they have been pw'ed.

    So, I am in bit of a bind here... I want these domains to have SSL certs for testing purposes to match up with the 'production' domains yet I also want these pw'ed because I do not want the public to have access to anything on them.

    Is there anything I can do short of deleting all my files, taking off the pw protection, and letting AutoSSL renew the certs? This will be a pain in the ass to do this every time they need renewed.
     
  2. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    148
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    What if you moved your actual password-protected sites to a password-protected subfolder, leaving just a blank index.htm in the /public_html and removing the password-protection for /public_html? That way, AutoSSL could install an SSL certificate that would be valid for all your subfolders and password-protected sites. You might be able to use redirects in the /public_html/.htaccess to deal with the move and make it transparent for your users. You might also be able to use a subdomain instead of a subfolder. I'm not sure if AutoSSL needs to put the text file in a subdomain, or just /public_html, but that might be better.

    I think moving the sites to a subfolder/subdomain is better than a temporary fix because the AutoSSL certs renew every 90 days.
     
  3. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    104
    Likes Received:
    2
    Trophy Points:
    168
    There are no users - these are for my own use, mostly testing, which is why I want them blocked off from public access. I believe subdomains would require the same text file for AutoSSL, but if anyone knows for sure please comment. A folder is certainly an option, but then that kind of defeats the whole testing purpose if the links would have a different structure (I will have to look at htaccess stuff to see if there is something to change that and mimic the files actually being at root rather than in a folder under root).
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,958
    Likes Received:
    1,274
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You could exclude certain file extensions (.cpaneldcv, .txt) via entries like this in the .htaccess file:

    Code:
    <FilesMatch "\.(cpaneldcv)$">
        Allow from all
        Satisfy any
    </FilesMatch>
    
    <FilesMatch "[A-F0-9]{32}\.txt$">
        Allow from all
        Satisfy any
    </FilesMatch>
    This would work, assuming you have no .txt files you need to protect in the directory.

    Thank you.
     
    linux4me2 likes this.
Loading...

Share This Page