AutoSSL fails to Auto Update Certificates

I found this morning that AutoSSL failed to update a certificate automatically on the following situation:

When the domain is covered by a HTTPAuth password protection and/or when the domain has a custom HSTS header:

.htaccess:

RewriteCond %{HTTPS} !on
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ ([^\ ]+)
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%2 [L,R=301]

AuthName "privateCRM"
AuthUserFile "/home/account/.htpasswds/public_html/passwd"
AuthType Basic
require valid-user

Header set Strict-Transport-Security "max-age=31536000;" env=HTTPS​

I have disabled HTTPAuth and HSTS header and reloading the page works correctly (autoSSL also updates correctly); I don't know which of the two rules applies (due to the nature of HSTS) but disabling both seemed to work.

NOTE: I do realise that HTTPAuth is no longer good practise but until we have a more complete security solution on this domain (it's a big domain) then it's in place for the time being.

If this issue is caused directly by the HSTS command this is a serious concern as many sites use HSTS in the .htaccess file in this way. I hope it's just the HTTPAuth .

 

Hello Michael, Yes, this setting is enabled on my WHM. The more I look at it the issue the more I suspect it's the HTTPAuth causing this but I've not found any other sites on my server yet with HSTS that need to auto udate their TLS yet, so can't confirm... yet.

 

Thanks for the clarification Michael, I will add some complexity to the HTTPAuth.

Cheers