Http challenge with basic auth

Traefik Traefik v2 (latest)
1

To use traefik 2 with letsencrypt http challenge to validate the domain, the validation will failed due to basic auth on the endpoint. it works when disable basic auth. since during the certificate generation process, letsencrypt will validate some info from http://domain/.well-known/....

the question is how to make it work with basic auth or any other authenticaiton?

2

Hi,

I have the same need as you, the challenge http does not care about redirect so you can redirect your http to https, setup up auth on https and the cert will be generated while users will be redirect.

My traefik.yml config :

entryPoints:
  web:
    address: ":80"

certificatesResolvers:
  letsencrypt-ecdsa:
    acme:
      email: mymail@domain.tld
      caserver: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/traefik/acme.json
      keytype: EC384
      httpChallenge:
        entryPoint: web
  letsencrypt-rsa2048:
    acme:
      email: mymail@domain.tld
      caserver: https://acme-v02.api.letsencrypt.org/directory
      storage: /etc/traefik/acme.json
      keytype: RSA2048
      httpChallenge:
        entryPoint: web

My provider settings :

http:
  services:
    rutorrent:
      loadBalancer:
        servers:
          - url: "http://rutorrent:8080"
          
  routers:
    rutorrent:
      rule: "Host(`subdomain.domain.tld`) && PathPrefix(`/user/rutorrent`)"
      entryPoints:
        - "web"
      middlewares:
        - "redirect-to-https@file"
      service: "rutorrent@file"
    rutorrent-secure:
      rule: "Host(`subdomain.domain.tld`) && PathPrefix(`/user/rutorrent`)"
      entryPoints:
        - "websecure"
      middlewares:
        - "auth@file"
      service: "rutorrent@file"
      tls:
        certResolver: letsencrypt-ecdsa

Hope it help.

3

@BlackIP-dev looks like you have the route specified down to the path. for sure that would work since the http challenge will issue a GET request to the specify endpoint, think it's http://domain/.well-known/....

I wonder if I can exclude that path from basic auth.

4

@koo9

For an HTTP-01 challenge the required router is configured by Traefik to service the PathPrefix(`/.well-known/acme-challenge/`) at the highest priority. So your router not going to affect an ACME challenge.

An TLS-ALPN-01 is handled at the TLS handshake and routers won't affect this.

5

@cakiwi what I saw in the traefik log was the response from .well-known/acme-challenge was not valid but after I disable basic auth, it works. back in version 1.x, http challenge with basic auth works fine. not sure if it's an issue in 2.x.

6

Hi, I'm having this issue as well.. I have basic auth on by default on all my routers (ie set at the entrypoint level), but this breaks the HTTP challenge request from letsencrypt. In the logs, this looks like:

829 time="2021-12-29T17:31:57-07:00" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.com\": unable to generate a certificate for the domains [mydomain.com]: error: one or more domains had a problem:\n[mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching mydomain.com/.well-known/acme-challenge/37dkakajasdkasljdjI: Timeout during connect (likely firewall problem)\n" rule="Host(mydomain.com)" providerName=letsencrypt.acme routerName=myrouter@file

Any ideas on how to selectively disable basic auth just for these challenge requests? I tried setting a high priority rule for PathPrefix('/.well-known/acme-challenge') that disables the basic auth middleware, but I wasn't sure what to set as "service". Would I need an override router like this for every service or is there an easier way?