Allow Let’s Encrypt to Bypass HTTP Auth

The story is a common one: you or your client wants a site protected by a password, but you also want it secured with a Let’s Encrypt SSL certificate. The certificate was easy to provision when you first set up the website. But then you added basic HTTP authentication or IP restrictions to your htaccess file, and now Let’s Encrypt can no longer reach your site to renew the SSL cert. So how can we allow Let’s Encrypt to bypass HTTP auth and issue your cert?

The following method works for either IP restrictions or basic authentication.

How to Allow Let’s Encrypt to Bypass HTTP Auth

Let’s Encrypt needs to access the hidden folder called .well-known inside your document root. Typically your authentication settings or IP restrictions live in the htaccess file in your document root, which establishes the rules for all child folders. But by default an htaccess file inside a child folder can override the parent’s settings.

By adding an htaccess file in your .well-known directory you can allow Let’s Encrypt to bypass HTTP auth security. Your htaccess file should contain the following:

Order allow,deny
Allow from all
Satisfy Any

These directives tell the web server to allow traffic from any source to access that directory and all child folders.

Thanks to these sites for guiding me to this solution in my own search. You can find their write-ups here and here.

HTTPS Redirect Breaks Let’s Encrypt Renewal

One other issue I have run into that causes problems with the renewal process is your site’s HTTPS redirect. In some cases, once you add a redirect rule to force all traffic to use HTTPS, it breaks the Let’s Encrypt renewal process and no longer allows the Let’s Encrypt Certbot to validate your site.

Making a slight change to your RewriteRule can fix the problem. Your initial rule may have looked something like this:

# Redirection to HTTPS
# (the redirect target uses %{HTTP_HOST} as the generic form of the site’s hostname)
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$ [OR]
RewriteCond %{HTTPS} =off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

That rule checks for traffic coming in on port 80 or not using HTTPS, and then redirects all of it to the HTTPS version of your site.

# Redirection to HTTPS, except for the .well-known directory
# In an htaccess file the pattern sees the path without its leading slash,
# so the lookahead starts with "\.well-known", not "/.well-known".
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$ [OR]
RewriteCond %{HTTPS} =off
RewriteRule ^(?!\.well-known(?:$|/)).* https://%{HTTP_HOST}/$0 [R=301,L]

By changing the RewriteRule line this way we have told the server to redirect all traffic except requests whose path starts with the .well-known directory. So anything under that directory (where Let’s Encrypt looks) is not redirected to HTTPS.
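A complete layout that puts both fixes together, as an added example that is not from the original post: the document-root htaccess with Basic auth and the HTTPS redirect, and the override in .well-known. The file paths, realm name and password file are placeholder assumptions. It also goes one step beyond the post by giving the Apache 2.4 form of the override (Require all granted) alongside the Apache 2.2 directives the post uses.

```apache
# /var/www/example/.htaccess  (document root; path is a placeholder)
RewriteEngine On

# Force HTTPS for everything except the .well-known directory.
# In per-directory (.htaccess) context the pattern sees the path with no
# leading slash, so the lookahead must start with "\.well-known".
RewriteCond %{HTTPS} off
RewriteRule ^(?!\.well-known(?:$|/)).* https://%{HTTP_HOST}/$0 [R=301,L]

# Password-protect the whole site; child folders inherit this.
# Keep the password file outside the document root (placeholder path).
AuthType Basic
AuthName "Restricted site"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

# ---------------------------------------------------------------------------
# /var/www/example/.well-known/.htaccess  (the override that lets the CA in)
#
# Apache 2.4 with mod_authz_core: a Require in a child folder replaces the
# parent's "Require valid-user" (AuthMerging is Off by default), so no
# credentials are asked for below this folder.
Require all granted

# Apache 2.2, or 2.4 with mod_access_compat loaded: the form used in the post.
# Order allow,deny
# Allow from all
# Satisfy Any
```

After the files are in place, check the path the way the CA will see it, with no credentials and over plain HTTP: `curl -I http://example.com/.well-known/acme-challenge/test` should answer 404 (the token only exists during a challenge), not 401/403 from the auth rules and not a 301 to https. Then confirm end to end with `certbot renew --dry-run` before the real renewal is due.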

Thanks to this site for posting their fix so I could find it.