Basic auth protection to allow ACME Challenge

[DesignyourCode]

HI, I have the following code set up in my CyberPanel vhost.conf file:

# START-HTTP-AUTH
context / {
  realm ProtectedArea
}

realm ProtectedArea {
  userDB {
    location conf/vhosts/<sitename>/htpasswd
  }
}
# END-HTTP-AUTH

How would I modify this to allow Letsencrypt to perform the .well-known/acme-challenge fetch? (Basically to remove basic auth for that route)?

Thank you in advance for any help.

 

[Cold-Egg]

Try setting a .well-known context in virtual host see if it should helps.
Example:

context /.well-known/ { 
  location                /var/www/html/
  allowBrowse             1 
  addDefaultCharset       off
}

Please substitute the location value to your site's path.

 

[DesignyourCode]

Thank you for your response. Unfortunately that didn't work.

I've restarted the litespeed cache, but no luck. Any other ideas?

 

[lsqtwrk]

Thank you for your response. Unfortunately that didn't work.

I've restarted the litespeed cache, but no luck. Any other ideas?

please check in webadmin console , and make sure well-known context is ABOVE the / context

 

[DesignyourCode]

Sorry unfortunately I still can't get this to work.

I am obviously missing something.

If I try and access <website>/.well-known/acme-challenge/hello.txt in the brower, it still shows the basic auth:

# START-HTTP-AUTH
context /.well-known/ {
  location                /home/<site>/public_html
  allowBrowse             1
  addDefaultCharset       off
}

context / {
  realm ProtectedArea
}

realm ProtectedArea {
  userDB {
    location conf/vhosts/<site>/htpasswd
  }
}
# END-HTTP-AUTH

I'm not really sure what else I can try at this stage. Any help is massive appreciated. Thank you

 

[lsqtwrk]

location /home/<site>/public_html


this is wrong , you need to set it to /home/<site>/public_html/.well-known/ , assuming the well-known directory should be generated under that public_html

 

[DesignyourCode]

I've update to this, but it is still not working. The location is /home/<site>/public_html/.well-known/ so this should work, but I still get the basic auth alert when navigating to the text file

 

[lsqtwrk]

I've update to this, but it is still not working. The location is /home/<site>/public_html/.well-known/ so this should work, but I still get the basic auth alert when navigating to the text file

could you please screenshot me the context main page and each individual context setting in webadmin console ?

 

[DesignyourCode]

Hi, this is a copy of the vhost.conf:

docRoot                   $VH_ROOT/public_html
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               hosting@designyourcode.com
enableGzip                1
enableIpGeo               1

index  {
  useServer               0
  indexFiles              index.php, index.html
}

errorlog $VH_ROOT/logs/$VH_NAME.error_log {
  useServer               0
  logLevel                ERROR
  rollingSize             10M
}

accesslog $VH_ROOT/logs/$VH_NAME.access_log {
  useServer               0
  logFormat               "%v %h %l %u %t "%r" %>s %b"
  logHeaders              5
  rollingSize             10M
  keepDays                10  compressArchive         1
}

scripthandler  {
  add                     lsapi:devcare php
}

extprocessor devcare {
  type                    lsapi
  address                 UDS://tmp/lshttpd/devcare.sock
  maxConns                10
  env                     LSAPI_CHILDREN=10
  initTimeout             600
  retryTimeout            0
  persistConn             1
  pcKeepAliveTimeout      1
  respBuffer              0
  autoStart               1
  path                    /usr/local/lsws/lsphp73/bin/lsphp
  extUser                 devcare
  extGroup                devcare
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           400
  procHardLimit           500
}

phpIniOverride  {

}

rewrite  {
  enable                  1
  autoLoadHtaccess        1
}

vhssl  {
  keyFile                 /etc/letsencrypt/live/<site>/privkey.pem
  certFile                /etc/letsencrypt/live/<site>/fullchain.pem
  certChain               1
  sslProtocol             30
}

# START-HTTP-AUTH
context /.well-known/ {
  location /home/<site>/public_html/.well-known/
  allowBrowse 1
  addDefaultCharset off
}

context / {
  realm ProtectedArea
}

realm ProtectedArea {
  userDB {
    location conf/vhosts/<site>/htpasswd
  }
}
# END-HTTP-AUTH

 

[chrisbobin]

@DesignyourCode have you managed to fix that? I have also problem protecting whole website except some URIs . Can't make it work

 

[DesignyourCode]

Unfortunately not. I had to put it down and focus on some other things but I am going to be investigating it again this week.

 

[chrisbobin]

@lsqtwrk can we get any help on that? How can we set global password protect on whole vhost except some URIs?

 

[lsqtwrk]

@lsqtwrk can we get any help on that? How can we set global password protect on whole vhost except some URIs?

I am actually testing it as we speak , just got another report today from one user , I will update here once I got something.

 

[DesignyourCode]

That's great news, happy to help debug and test my end

 

[DesignyourCode]

Hi @lsqtwrk - sorry to just keep messaging about this. Just wondering if you got anywhere with this?

 

[Cold-Egg]

Hi @DesignyourCode and @chrisbobin ,

I can reproduce the issue and confirmed that this issue has been addressed on v1.6.15 and v1.7.2.
Both versions are not stable yet and there's still some pending issue need to be fixed on 1.6.15.
Please give our developer some time and new release will fix this issue.

Best,
Eric

 

[DesignyourCode]

Hi @Cold-Egg - that's great news that it's almost fixed. Is there an estimate for when these versions will be available?
Also, will there be a recommendation on which version to use?

 

[Cold-Egg]

You can actually use lsup method to upgrade if you want to give it a try.

/usr/local/lsws/admin/misc/lsup.sh -v 1.7.2

 

[DesignyourCode]

Ok great. I will likely spin up a separate server to test this until that version is confirmed as stable and then I can feedback to here on how I get on. Thank you again.

 

[DesignyourCode]

Hi @Cold-Egg - just wanted to confirm that I have now tested this on multiple servers and the upgrade above works perfectly.

The only thing I noticed was that any sites on the same server that had previously had an SSL issued needed re-issuing - so in case anyone else comes across this I thought I'd mention it.

Thanks everyone for your time on this - very much appreciated and a great solution in the end.