Getting your site working with SSL has never been easier than with Let's Encrypt and Certbot, and it is free.
First, let's learn what they are and how they are going to help us.
Basically, Let's Encrypt is a certificate authority and Certbot is a tool that helps us deploy its certificates in an easy and automated way.
Let's begin. I am assuming you already have lighttpd installed; if not, please visit my post "lighttpd basic installation". The following recipe is for Debian GNU/Linux 9 (stretch) (it also applies to Ubuntu) and, as in every new installation, you must execute:
sudo apt update
sudo apt upgrade
Let's install some dependencies and the repository:
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
Installing certbot:
sudo apt install certbot
At this point the tool is installed and the certificate can be requested; the keys and the references needed for future renewal will be installed along with it. But before launching the request, please check:
sudo service lighttpd status
sudo iptables -L -n | grep 'DROP' | more
sudo more /etc/lighttpd/lighttpd.conf
netstat -ltnp | grep ':80\|:443'
or ss -ltnp | grep ':80\|:443'
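The checks above can be scripted so they are not forgotten on the next server. The following is an added example and not part of the original post: it assumes DOCROOT and DOMAIN are exported by whoever runs it, that curl is installed, and that lighttpd is already answering on port 80. port_is_listening and port_not_dropped parse the output of ss -ltnp and iptables -L -n (so they can be tested with captured text), while challenge_path_served plants a throwaway token under .well-known/acme-challenge and fetches it over plain HTTP, which is exactly what the Let's Encrypt validation server does during the webroot challenge; if that step fails here, certbot will fail too.

```shell
#!/bin/sh
# Pre-flight checks before running certbot --webroot (added example, not from the original post).
# Assumptions: DOCROOT and DOMAIN are exported by the caller and curl is installed.

# Return 0 when the `ss -ltnp` listing ($2) shows a TCP listener on port $1.
# The local address is column 4 (e.g. 0.0.0.0:80 or [::]:443).
port_is_listening() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p=":$port" '$4 ~ (p "$") { found = 1 } END { exit(found ? 0 : 1) }'
}

# Return 0 when the `iptables -L -n` listing ($1) has no DROP rule naming port $2.
# (A DROP chain policy with no ACCEPT rule would still block traffic; this only spots explicit rules.)
port_not_dropped() {
    listing="$1"
    port="$2"
    ! printf '%s\n' "$listing" | grep -E "^DROP.*dpt:${port}( |\$)" >/dev/null
}

# Plant a throwaway token in the ACME challenge directory under docroot $1 and fetch it
# over plain HTTP for host $2, the same path the validation server requests.
# -L follows the HTTP-to-HTTPS redirect that is added to lighttpd later in the post.
challenge_path_served() {
    docroot="$1"
    domain="$2"
    dir="$docroot/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "ok-$token" > "$dir/$token" || return 1
    got=$(curl -s -L --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$got" = "ok-$token" ]
}

# Run everything only when a site was given, so the functions can also be sourced one at a time.
if [ -n "$DOCROOT" ] && [ -n "$DOMAIN" ]; then
    sockets=$(ss -ltnp 2>/dev/null)
    rules=$(iptables -L -n 2>/dev/null)
    status=0
    port_is_listening 80 "$sockets" || { echo "nothing is listening on :80"; status=1; }
    port_not_dropped "$rules" 80 || { echo "iptables DROP rule on :80"; status=1; }
    challenge_path_served "$DOCROOT" "$DOMAIN" || { echo "challenge path not served for $DOMAIN"; status=1; }
    [ "$status" -eq 0 ] && echo "all checks passed, ready for certbot"
    exit "$status"
fi
```

Run it as DOCROOT=/your/path/to/document/root DOMAIN=your.domain.tld sudo -E sh preflight.sh (sudo is needed so that iptables -L and ss -p can show rules and process names). A non-zero exit means fix the reported item before spending one of your Let's Encrypt rate-limited attempts.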
And if all checks are ok, we are ready to go:
sudo certbot certonly --webroot -w </your/path/to/document/root> -d <your.domain.tld>
Where:
</your/path/to/document/root> is your path to the document root, as defined for server.document-root in lighttpd.conf.
<your.domain.tld> is your FQDN, the name by which your site is known.
For the -w and -d options, don't be lazy: certbot -h will show the help page.
Note: if you want to produce a certificate with a wildcard like *.<your.domain.tld>, you should use:
certbot --server https://acme-v02.api.letsencrypt.org/directory certonly --manual -d *.<your.domain.tld>
Executing that command will trigger an assistant which will ask for:
At this point you have the new certificate for your site; we need to combine it with the private key in one file to be used by lighttpd. For that use cat, wrapped in sh -c so that the output redirection also runs as root (the live directory and privkey.pem are only readable by root, so a plain sudo cat ... > file would fail at the redirect):
sudo sh -c 'cat /etc/letsencrypt/live/<your.domain.tld>/cert.pem /etc/letsencrypt/live/<your.domain.tld>/privkey.pem > /etc/letsencrypt/live/<your.domain.tld>/letsencryptcert.pem'
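One thing the cat step does not cover is renewal: certbot renew (scheduled by the package's cron job or systemd timer) replaces cert.pem and privkey.pem, but nothing rebuilds letsencryptcert.pem, so lighttpd keeps serving the old certificate until it expires. The script below is an added example, not part of the original post or of certbot; it assumes certbot's /etc/letsencrypt/live/<domain>/ layout and uses RENEWED_LINEAGE, the variable certbot exports to deploy hooks with the path of the lineage that was just renewed. The combined file contains the private key, so it is created with mode 0600 and moved into place atomically rather than written in place.

```shell
#!/bin/sh
# certbot deploy hook that rebuilds the combined cert+key file lighttpd reads and restarts
# the server. Added example, not part of the original post or of certbot.
# Assumes certbot's /etc/letsencrypt/live/<domain>/ layout; RENEWED_LINEAGE is set by certbot
# when it runs deploy hooks after a successful renewal.

# Build $2 from $1/cert.pem followed by $1/privkey.pem. The result holds the private key,
# so it is created with mode 0600 and swapped into place with a rename.
# Returns 1 if either input is missing or empty, so a half-renewed lineage is never used.
build_lighttpd_pem() {
    lineage="$1"
    out="$2"
    [ -s "$lineage/cert.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1
    tmp="$out.tmp.$$"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077 && cat "$lineage/cert.pem" "$lineage/privkey.pem" > "$tmp" ) || return 1
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# Sanity check: $1 must contain both a certificate block and a private key block.
pem_looks_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Only act when certbot called us as a deploy hook; otherwise the functions can be sourced.
if [ -n "$RENEWED_LINEAGE" ]; then
    out="$RENEWED_LINEAGE/letsencryptcert.pem"
    build_lighttpd_pem "$RENEWED_LINEAGE" "$out" || { echo "could not rebuild $out" >&2; exit 1; }
    pem_looks_complete "$out" || { echo "$out is incomplete, not restarting lighttpd" >&2; exit 1; }
    service lighttpd restart
fi
```

Save it as, for example, /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh and make it executable; certbot runs every script in that directory after each successful renewal (it can also be given explicitly with certbot renew --deploy-hook /path/to/lighttpd.sh). It also serves as a check on the first issuance: if build_lighttpd_pem returns 1, one of the two input files is missing and the certonly step did not finish.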
Now we can add the configuration that makes lighttpd use SSL. Edit the config file with vi or your preferred editor (as always, do a backup first, just in case):
sudo vi /etc/lighttpd/lighttpd.conf
Add the following lines to activate the server on port 443:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/<your.domain.tld>/letsencryptcert.pem"
    ssl.ca-file = "/etc/letsencrypt/live/<your.domain.tld>/chain.pem"
    server.name = "<your.domain.tld>"
    server.document-root = "</your/path/to/document/root>"
}
You can redirect connections from HTTP to HTTPS by adding:
$HTTP["scheme"] == "http" {
    $HTTP["host"] == "<your.domain.tld>" {
        url.redirect = ("/.*" => "https://<your.domain.tld>$0")
    }
}
Save the file and test it for errors with the following command:
sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf
Note: -tt checks deeper than -t, as it tests the config-file syntax and also loads and initializes the modules.
If the output says "Syntax OK" or just nothing, you are ready to restart the server:
sudo service lighttpd restart
Use your browser to navigate to https://
Note: sometimes, if you are testing and testing configs, the process could be a zombie, so I recommend you use service lighttpd stop and then service lighttpd start, and in between check if it is still there with:
sudo ps aux | grep 'lighttpd'
and kill the process with:
sudo kill -9 <process_number>
Hope you find this useful; if you have any question please visit my twitter @bigg_blog, and if you have a couple of pounds, make a donation.