LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Drop Dead Simple: One-Clause Handling of NGINX + Certbot + HTTP Basic Auth!

This is a quick tutorial on setting up NGINX with Certbot when you’re using HTTP Basic Authentication.

HTTP Basic Auth (HBA) is what you get when you set directives like these inside a location block:

       auth_basic  "some arbitrary name";
       auth_basic_user_file  /etc/nginx/path/to/my/password/file;

If you do this, you’ll see a prompt like this if you visit the site:

(Screenshot: the browser’s HTTP Basic Auth login prompt)

You can use htpasswd (an Apache tool; on Debian it ships in the apache2-utils package) to create the password file.

HTTP Basic Auth is a very convenient way to lock off a site while you’re working on it (or if you intend it to be forever private). Many web apps have their own login/authentication features, and if you are managing a user base you obviously need to use a system built for that. But for quickly curtaining off a “me only” site, or for locking off a site where you don’t feel like investing the time and effort in real authentication, it’s excellent.

However, there’s a hitch: Certbot renewals.

Certbot writes its HTTP-01 challenge file into your web root, but the Let’s Encrypt validation servers that then fetch it don’t know your HTTP Basic Auth user name and password, so the initial certificate provisioning and every renewal fail. You could disable HBA, do the provisioning or renewal, and then re-enable it, or you could switch to a different type of challenge such as DNS. However, I’ll share a quick set-it-and-forget-it fix. It looks like this in your site’s NGINX config file:

    location /.well-known {
        autoindex on;        # not required for the challenge; it lists the directory contents to anyone
        root /your/web/root/for/this/site;
        auth_basic off;      # the special value "off" disables HTTP Basic Auth for this location only
    }

What this does is tell NGINX that the .well-known directory (where Certbot places its challenge files, under .well-known/acme-challenge/) is not to be protected by HTTP Basic Authentication. Every other path still is, but that one directory isn’t, so Certbot works just fine.

I like this method because it allows me to script the complete web setup: create the NGINX config file/links/users files, recycle NGINX, run certbot, and the site is then ready to go all in a single script.
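As an added example (not code from the post), here is a scripted version of that setup plus the check I run before calling certbot: generate the site config, then confirm with a throwaway token that the challenge path is reachable without credentials while the rest of the site still returns 401. It assumes curl is installed and takes the domain, web root and htpasswd path as placeholder arguments; it also narrows the exemption to /.well-known/acme-challenge/, which is the only path the validators actually fetch.

```shell
#!/bin/sh
# Added example, not from the LowEndBox post. DOMAIN, WEBROOT and HTPASSWD
# values are placeholders supplied by the caller; curl must be installed.

# Print a server block. The exemption is narrowed to /.well-known/acme-challenge/
# (the only path the validators fetch) and autoindex is left at its default (off).
gen_site_conf() {
    domain=$1; webroot=$2; htpasswd=$3
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    root $webroot;

    # HTTP-01 challenge files: fetched anonymously by the CA's validators.
    location /.well-known/acme-challenge/ {
        auth_basic off;
    }

    # Everything else stays behind HTTP Basic Auth.
    location / {
        auth_basic "Private site";
        auth_basic_user_file $htpasswd;
    }
}
EOF
}

# Pure decision: the challenge path must be open (200) while the site root
# still demands credentials (401).
statuses_ok() {
    [ "$1" = 200 ] && [ "$2" = 401 ]
}

# Drop a throwaway token where Certbot would, fetch it with no credentials
# (as the validator does), confirm / is still challenged, then clean up.
verify_exemption() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$dir" && printf 'probe\n' > "$dir/$token"
    chal=$(curl -s -o /dev/null -w '%{http_code}' "http://$domain/.well-known/acme-challenge/$token")
    home=$(curl -s -o /dev/null -w '%{http_code}' "http://$domain/")
    rm -f "$dir/$token"
    statuses_ok "$chal" "$home"
}
```

Write the output of gen_site_conf to the site's config file, run nginx -t and reload, and only run certbot once verify_exemption succeeds.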
