This is a quick tutorial on setting up NGINX with Certbot when you’re using HTTP Basic Authentication.

HBA is what you see if you set parameters like this in a location:

       auth_basic  "some arbitrary name";
       auth_basic_user_file  /etc/nginx/path/to/my/password/file;

If you do this, you’ll see a prompt like this if you visit the site:

You can use httpasswd (an Apache tool – it’s in apache2-tools on Debian) to create the password file.

HTTP Basic Auth is a very convenient way to lock off a site while you’re working on it (or if you intend it to be forever private).  Many web apps have login/authentication features and if you are managing a user base, obviously you need to use a system built for that.  But for quick “me only” curtaining off a site or if you’re locking off a site where you don’t feel like investing the time and effort into authentication, it’s excellent.

However, there’ s hitch: Certbot renewals.

Certbot won’t know your HTTP Basic Auth user name and password, so when it comes to do its renewal (or the initial certificate provisioning), it fails.  You could disable HBA, do the provision or renewal, and then reenable it, or you could look at a different type of challenge such as DNS.  However, I’ll share a quick set-it-and-forget-it.  It looks like this in your site’s NGINX config file:

   location /.well-known {
        autoindex on;
        root /your/web/root/for/this/site;
        auth_basic off;
    }

What this does is tell NGINX that the directory .well-known (which is where Certbot does its challenges) is not to be protected by HTTP Basic Authentication.  Every other place will be, but that one directory won’t, and Certbot will work just fine.

I like this method because it allows me to script the complete web setup: create the NGINX config file/links/users files, recycle NGINX, run certbot, and the site is then ready to go all in a single script.

Enjoy!

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• Level Up Your Marketing and Social Media with These FREE Courses on Udemy! - April 26, 2024
• FLASH SALE: Cheap cPanel Shared Hosting from eWallHost for $7.97/YEAR! - April 24, 2024
• Should You Change Your Windows RDP Port?Yes. - April 23, 2024