
I have a domain in stealth mode, protected by basic auth. Basic auth is not supported by Letsencrypt and probably never will (https://github.com/certbot/certbot/issues/1744#issuecomment-162038303).

After moving from Nginx to Yaws, the next Letsencrypt renewal is scheduled. So here is a problem. I could disable basic auth in Yaws, do the renewal and then enable again, but that is no real solution.

There are easy workarounds for Apache and Nginx, i.e. define an exception to basic auth for the directory /.well-known/acme-challenge.

How to do that in Yaws? The basic auth definition for my domain in yaws.conf is now

    <auth>
        realm = "some realm"
        user = "some_user:some_pw"
    </auth>

The only reference within this context with respect to Yaws I found is from 2010 and refers to Yaws 1.81 (https://uu.diva-portal.org/smash/get/diva2:344199/FULLTEXT01.pdf). Letsencrypt started 2015. I use Yaws 2.0.9.

There seems to be a solution for FreeDNS with shell variables (https://gist.github.com/ammgws/381b4d9104c4e2b43b9210f33f03a15a). Similar hacks are given at https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/, but I have no idea how to use such an approach.

kklepper
  • I probably could get around the challenge problem with a TXT Resource Record as well. How to do that with acme.sh I don't know yet. – kklepper Oct 16 '21 at 08:57
  • Interestingly Caddy can manage certificates out of the box. – kklepper Oct 16 '21 at 09:00
  • The above mentioned TXT method is actually the acme.sh dns method which is fine (I used it before) but must be renewed manually. – kklepper Oct 16 '21 at 10:01
  • Look at the Yaws documentation ([pdf](https://github.com/erlyaws/yaws/releases/download/yaws-2.0.9/yaws.pdf)) for `.yaws_auth` files, perhaps you can use them to solve this. – Steve Vinoski Oct 16 '21 at 17:49
  • Thank you very much. It is not very clear to me. Is this one file .yaws_auth or more, perhaps per directory? Anyway, the idea here obviously is to *include* directives, not *exclude*. The section in the yaws.conf would be a good place if there were an exclude flag. – kklepper Oct 16 '21 at 19:56
  • Try this: for a subdirectory you want to exclude, add a `.yaws_auth` file in that subdirectory with the contents `{allow, all}.` (and don't forget the trailing period/full stop). Also make sure `auth_skip_docroot` is not set in your `yaws.conf`. – Steve Vinoski Oct 17 '21 at 14:11
  • You are my hero! Thank you so much! – kklepper Oct 17 '21 at 19:29

1 Answer

For each subdirectory you want to exclude, add a .yaws_auth file to that subdirectory with the contents

    {allow, all}.

and be sure to include the trailing period/full stop. Also make sure that auth_skip_docroot is either set to false or not set at all in your yaws.conf file.

Steve Vinoski
  • Today I wanted to get a certificate for `adm.mydomain.tld`. I still had `/www/.well-known/acme-challenge/.yaws_auth` in place, so I commented out `auth_skip_docroot = true` and restarted yaws. But yaws did not look for `.yaws_auth` -- `auth_skip_docroot = false` worked (`Reading .yaws_auth /www/.well-known/acme-challenge/.yaws_auth` was doubled `19:17:04.067497` and `19:23:29.627258`). `acme.sh` failed with timeout this time, so I checked with `curl https://mydomain.tld/.well-known/acme-challenge/test` which delivered `401 authentication needed` -- hence the timeout. What is the problem here? – kklepper Oct 21 '21 at 18:35
  • Sorry, I found my mistake: I manipulated the wrong server section. – kklepper Oct 21 '21 at 20:22
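The setup from the answer above, plus the two checks the comments show are easy to get wrong, as an added example (not code from the question, the answer, or the Yaws project). It assumes a docroot path and a yaws.conf layout with `<server host>` sections; the exception file deliberately opens only the ACME challenge directory, so the audit flags any other directory that has been opened with `{allow, all}`.

```shell
#!/bin/sh
# Added example: create the Let's Encrypt exception for Yaws basic auth and
# audit it. The docroot and yaws.conf paths are assumptions passed as arguments.

# Write the per-directory exception. Yaws reads .yaws_auth as an Erlang term,
# so the trailing full stop is mandatory; printf keeps the content exact.
write_acme_exception() {
    docroot="$1"
    dir="$docroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '{allow, all}.\n' > "$dir/.yaws_auth"
}

# Print every .yaws_auth under the docroot that opens its directory to
# everyone but is NOT the ACME challenge directory. Empty output means clean.
stray_allow_all() {
    docroot="$1"
    find "$docroot" -name .yaws_auth ! -path '*/.well-known/acme-challenge/*' \
        -exec grep -l '{allow, *all}' {} \; 2>/dev/null
}

# Print the host of each <server> section in yaws.conf that sets
# auth_skip_docroot = true; in such a server Yaws never reads .yaws_auth,
# so the exception silently does nothing and the challenge URL still gets 401.
servers_skipping_docroot() {
    awk '
        /^[[:space:]]*<server[[:space:]]/ { server = $2; sub(/>$/, "", server) }
        /^[[:space:]]*auth_skip_docroot[[:space:]]*=[[:space:]]*true/ { print server }
    ' "$1"
}
```

After `write_acme_exception /www`, run `stray_allow_all /www` and `servers_skipping_docroot /etc/yaws/yaws.conf`; both should print nothing before you let acme.sh retry, and a `curl` of a test path under `/.well-known/acme-challenge/` should no longer return 401.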