Installing SSL Certificate in Lighttpd

linux debian ubuntu letsencrypt lighttpd certbot

Getting your site to serve HTTPS has never been easier, or cheaper: Let’s Encrypt issues the certificate for free and Certbot automates the work.

First, what the two are and how they help us:

  • Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
  • Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver.

In short: a certificate authority, and a client that requests certificates from it, proves that you control the domain, and installs the result for you in an automated way.

Let's begin. I am assuming you already have lighttpd installed; if not, please see my post "lighttpd basic installation". The following recipe is for Debian GNU/Linux 9 (stretch) and also applies to Ubuntu. As with every fresh installation, first update the system:

sudo apt update 
sudo apt upgrade

Install the helper package and add the Certbot repository (Ubuntu only, see the note below):

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update

Note: ppa:certbot/certbot is an Ubuntu PPA and add-apt-repository will not find it on Debian. On Debian 9 the certbot in stretch is old, so enable stretch-backports in /etc/apt/sources.list and install with apt install -t stretch-backports certbot instead. The PPA has since been retired, so on current Ubuntu releases use the distribution package or the snap that the Certbot project now recommends.

Install certbot:

sudo apt install certbot

At this point the tool is installed and the certificate can be requested; certbot will also store the private key and the renewal configuration it needs later. Before launching the request, please:

  • check that lighttpd is running (sudo service lighttpd status)
  • check that iptables is not dropping incoming requests on port 80 (sudo iptables -L -n | grep 'DROP' | more); the Let’s Encrypt validation servers must be able to fetch http://<your.domain.tld>/.well-known/acme-challenge/<token> from the outside
  • check that lighttpd has no redirect or access-deny rule for paths starting with a dot (sudo more /etc/lighttpd/lighttpd.conf); such rules are common for hiding dotfiles and would also hide /.well-known/acme-challenge/
  • check that lighttpd is listening on 80 and that nothing is listening on 443 (sudo netstat -ltnp | grep ':80\|:443' or sudo ss -ltnp | grep ':80\|:443'; without sudo the process column stays empty, so you cannot tell which daemon owns the port)
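The last check is the one that most often bites: if another daemon already holds port 443, lighttpd will start but fail to bind the new socket later, and if something other than lighttpd serves port 80, certbot's webroot challenge file will never be found. The script below turns that check into something repeatable. It is an added example and not part of the original post: the parser takes `ss -ltnp` output as a string so it can be exercised offline on the constructed sample in the comments, and the `--live` wrapper at the bottom feeds it the real output (run it with sudo, otherwise ss cannot show process names).

```bash
#!/bin/sh
# Added example: check that lighttpd owns port 80 and nothing owns port 443,
# parsed from `ss -ltnp` output. Function names are this script's own.
set -u

# tcp_listener_processes SS_OUTPUT PORT
#   Prints, one per line, the process names holding a TCP listening socket on
#   PORT, parsed from `ss -ltnp` output. Prints nothing if nobody listens.
#   Handles the 0.0.0.0:80, *:80, [::]:80 and 127.0.0.1:80 address forms.
tcp_listener_processes() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            addr = $4
            sub(/.*:/, "", addr)              # keep only the port number
            if (addr != port) next
            proc = "(unknown)"                # no sudo: process column is empty
            if (match($0, /\(\("[^"]+"/)) {   # users:(("lighttpd",pid=...,fd=...))
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            }
            print proc
        }'
}

# webroot_ready SS_OUTPUT
#   Returns 0 when lighttpd listens on 80 and nothing listens on 443, which is
#   what the webroot challenge and the later $SERVER["socket"] == ":443" need.
#   Returns 1 if port 80 is not served by lighttpd, 2 if 443 is already taken.
webroot_ready() {
    on80="$(tcp_listener_processes "$1" 80)"
    on443="$(tcp_listener_processes "$1" 443)"
    case "$on80" in
        *lighttpd*) ;;
        *) echo "port 80 is not served by lighttpd (found: ${on80:-nothing})" >&2
           return 1 ;;
    esac
    if [ -n "$on443" ]; then
        echo "port 443 is already taken by: $on443" >&2
        return 2
    fi
    return 0
}

# Live mode: ./preflight.sh --live   (as root, so ss can report process names)
if [ "${1:-}" = "--live" ]; then
    webroot_ready "$(ss -ltnp 2>/dev/null)" && echo "ready for certbot --webroot"
fi
```

The exit codes are deliberate: a wrapper can tell "fix lighttpd" (1) from "stop the other service on 443" (2) without parsing messages.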

If all checks pass, we are ready to go:

sudo certbot certonly --webroot -w </your/path/to/document/root> -d <your.domain.tld>

Where:

  • </your/path/to/document/root> : the document root, as set for server.document-root in lighttpd.conf; certbot will write the challenge file under <document root>/.well-known/acme-challenge/ and Let’s Encrypt fetches it over plain HTTP
  • <your.domain.tld> : the FQDN under which your site is known; repeat -d for every name (for example the bare domain and www) that the certificate must cover
  • for the full option list, certbot -h shows the help page

Note: a wildcard certificate such as *.<your.domain.tld> can only be validated with the DNS-01 challenge, so the webroot method does not apply. Use certbot certonly --manual --preferred-challenges dns -d '*.<your.domain.tld>' (older posts add --server https://acme-v02.api.letsencrypt.org/directory, which is only needed on certbot versions that still default to ACME v1); certbot will ask you to publish a TXT record at _acme-challenge.<your.domain.tld>. A manually validated certificate does not renew by itself unless you script the DNS update with --manual-auth-hook.

Executing that command triggers an assistant which asks for:

  • Enter email address: <your e-mail address>, used for expiry warnings and account recovery
  • Please read the Terms of Service...: enter A to agree
  • Would you be willing to share your email address...: enter Y if you want the EFF to keep you posted about their work, N otherwise

If all went well you will see a line saying "Congratulations!". Take note of where your files were saved, because you will need the path to complete the lighttpd configuration. By default they are under /etc/letsencrypt/live/<your.domain.tld>/: cert.pem (the server certificate), chain.pem (the intermediate), fullchain.pem (both) and privkey.pem (the private key, readable by root only). The entries in live/ are symlinks into /etc/letsencrypt/archive/, which is how certbot swaps in a renewed certificate without changing the paths you configure.

At this point you have the new certificate for your site. lighttpd 1.4.45 (the version in stretch) expects the certificate and the private key in a single file, so we combine them with cat. Do the concatenation inside a root shell: sudo cat ... > file does not work, because the redirection is performed by your unprivileged shell before sudo runs and /etc/letsencrypt/live is writable by root only. Set a restrictive umask so the file, which contains the private key, is never world-readable:

sudo sh -c 'umask 077; cat /etc/letsencrypt/live/<your.domain.tld>/cert.pem /etc/letsencrypt/live/<your.domain.tld>/privkey.pem > /etc/letsencrypt/live/<your.domain.tld>/letsencryptcert.pem'

Keep in mind that this combined file is a plain copy: when certbot renews the certificate (certbot renew, which the package schedules for you) the symlinks in live/ move to the new files but letsencryptcert.pem still holds the old certificate, so the concatenation has to be repeated and lighttpd reloaded after every renewal. certbot's --deploy-hook option runs a script of yours exactly at that moment.
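Because the combined file has to be rebuilt after every renewal, it is worth having a small script that does the concatenation safely, refuses to install a key that does not belong to the certificate (the classic cause of lighttpd not coming back after a botched renewal), and can be handed to certbot as a deploy hook. The script below is an added example, not from the original post or the Certbot project; it assumes openssl is installed, the lighttpd reload command in LIGHTTPD_RELOAD_CMD is an assumption for your system, and the RENEWED_LINEAGE variable is the one certbot exports to --deploy-hook scripts.

```bash
#!/bin/sh
# Added example: build lighttpd's combined cert+key file safely, verify the
# key matches the certificate, and act as a certbot deploy hook.
# Assumes openssl. Function names and LIGHTTPD_RELOAD_CMD are assumptions.
set -u

# Command that makes lighttpd pick up the new file; override for other inits.
: "${LIGHTTPD_RELOAD_CMD:=systemctl reload lighttpd}"

# pubkey_of_cert CERT -> prints the certificate's public key (SPKI PEM)
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
# pubkey_of_key KEY -> prints the public half of a private key (SPKI PEM)
pubkey_of_key() { openssl pkey -in "$1" -pubout; }

# build_combined_pem LINEAGE_DIR OUT_FILE
#   LINEAGE_DIR is a certbot lineage (holds cert.pem and privkey.pem).
#   Writes cert + key to OUT_FILE with mode 0600 via an atomic rename, and
#   refuses to install anything if the key does not match the certificate.
build_combined_pem() {
    local lineage="$1" out="$2"
    local cert="$lineage/cert.pem" key="$lineage/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || {
        echo "missing cert.pem or privkey.pem in $lineage" >&2; return 1; }

    # Same public key on both sides, otherwise lighttpd will refuse to start.
    if [ "$(pubkey_of_cert "$cert")" != "$(pubkey_of_key "$key")" ]; then
        echo "privkey.pem does not match cert.pem in $lineage" >&2
        return 1
    fi

    # Build in a temp file next to the target so mv is atomic: lighttpd never
    # sees a half-written file, and the key is never world-readable.
    local tmp
    tmp="$(mktemp "$(dirname "$out")/.letsencryptcert.XXXXXX")" || return 1
    chmod 0600 "$tmp"
    cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# expires_within CERT DAYS -> returns 0 if CERT expires within DAYS days.
# Useful as a cron sanity check that renewals are really happening.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" > /dev/null
}

# deploy_hook: what certbot runs after a successful renewal when invoked as
#   certbot renew --deploy-hook /usr/local/sbin/lighttpd-deploy.sh
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> for it.
deploy_hook() {
    local lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}"
    build_combined_pem "$lineage" "$lineage/letsencryptcert.pem" || return 1
    $LIGHTTPD_RELOAD_CMD
}

# When certbot runs this file as a hook, RENEWED_LINEAGE is set; do the work.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Install it as the deploy hook once (certbot renew --deploy-hook /usr/local/sbin/lighttpd-deploy.sh, or a deploy_hook line in the renewal config under /etc/letsencrypt/renewal/) and the combined file will follow every renewal; a reload rather than a restart is enough for lighttpd to re-read the certificate.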

Now we can add the configuration that makes lighttpd use TLS. Edit the config file with vi or your preferred editor (as always, make a backup first, just in case):

sudo vi /etc/lighttpd/lighttpd.conf

Add the following lines to enable the server on port 443. On lighttpd 1.4.46 and later TLS lives in mod_openssl, which must appear in server.modules; newer releases (1.4.53 and later) also accept the key separately via ssl.privkey, so no concatenation is needed there, and the current recommendation is to point ssl.pemfile at fullchain.pem and leave ssl.ca-file to client-certificate verification. The block below is what the stretch version understands:

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/<your.domain.tld>/letsencryptcert.pem"
    ssl.ca-file = "/etc/letsencrypt/live/<your.domain.tld>/chain.pem"
    server.name = "<your.domain.tld>"
    server.document-root = "</your/path/to/document/root>"
}

You can redirect plain HTTP to HTTPS by adding the block below (the ACME challenge still works, because Let’s Encrypt follows the redirect to https:// once the certificate is in place):

$HTTP["scheme"] == "http" {
    $HTTP["host"] == "<your.domain.tld>" {
        url.redirect = ("/.*" => "https://<your.domain.tld>$0")
    }
}

Save the file and test it for errors with the following command:

sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf

Note: -tt checks deeper than -t, as it tests the config-file syntax and also loads and initialises the modules, so it catches a missing module or an unreadable pemfile. If the output says "Syntax OK", you are ready to restart the server:

sudo service lighttpd restart

Use your browser to navigate to https://<your.domain.tld> and check that the certificate shown is the Let’s Encrypt one.

Note: sometimes, when you are testing and re-testing configs, an old lighttpd process can linger and keep the port, so the restart fails to bind. In that case use service lighttpd stop, then service lighttpd start, and in between check whether it is still there with:

sudo ps aux | grep 'lighttpd'

and terminate it with:

sudo kill <process_number>

Only reach for kill -9 if the process ignores that, since SIGKILL does not let lighttpd close its sockets cleanly.

Hope you find this useful. If you have any question please visit my twitter @bigg_blog, and if you have a couple of pounds to spare, make a donation.
