
[Solved] Can't Get https to work with Lets Encrypt cert.

Added by ardhill over 3 years ago

Hi,

I am setting up a web server on Google Cloud Platform.

- lighttpd/1.4.55 (installed from .deb)
- on Ubuntu 20.04 server
- Lets Encrypt Cert successful using Snap Installed bot https://certbot.eff.org/lets-encrypt/ubuntufocal-other

I can get the http version of the site just fine, but not https.
I assume it is something to do with lighttpd.conf
I have tried adding the let's encrypt code into the .conf file as suggested here: https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

server.modules += ("mod_openssl")
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.privkey= "/etc/letsencrypt/live/www.example.com/privkey.pem"
ssl.pemfile= "/etc/letsencrypt/live/www.example.com/fullchain.pem"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # (recommended to accept only TLSv1.2 and TLSv1.3)
#ssl.ca-file= "/etc/lighttpd/certs/www.example.com/chain.pem" # (needed in $SERVER["socket"] before lighttpd 1.4.56 if ssl.pemfile in $HTTP["host"])
}

(yes, I did change www.example.com to my proper path)

When I write out the file and restart the service I get an error.

sudo systemctl restart lighttpd
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.

When I run systemctl status lighttpd.service, I get:

Job for lighttpd.service failed because the control process exited with error code.
-bash: Job: command not found

When I check journalctl, I get:

https://paste.lighttpd.net/i8#tRU3WfyY4jqYVZYwa0ryKI0A

And yes, stderr is an instance name, not code.

Can anyone please help me where I am going wrong here?

Thanks,

Paul


Replies (7)

RE: Can't Get https to work with Lets Encrypt cert. - Added by ardhill over 3 years ago

ADDED:

Here is the error when I try to get the https version:

This site can't be reached
site.com refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

RE: Can't Get https to work with Lets Encrypt cert. - Added by gstrauss over 3 years ago

lighttpd is failing to start. There is probably a configuration error or conflict somewhere else in your lighttpd.conf.

Check the lighttpd error log.

Also, try running at the command line: lighttpd -f /etc/lighttpd/lighttpd.conf -tt to test and preflight the config.

RE: Can't Get https to work with Lets Encrypt cert. - Added by ardhill over 3 years ago

Hi,

I have the results, but not sure what to do with them:

Error Log is just a bunch of the same lines at the different times I have tried different things:

2020-09-16 16:28:02: (server.c.1488) server started (lighttpd/1.4.55)
2020-09-16 17:52:37: (server.c.1970) server stopped by UID = 0 PID = 1
2020-09-16 17:55:58: (server.c.1488) server started (lighttpd/1.4.55)
2020-09-16 17:58:34: (server.c.1970) server stopped by UID = 0 PID = 1
2020-09-16 17:59:45: (server.c.1488) server started (lighttpd/1.4.55)


$ sudo lighttpd -f /etc/lighttpd/lighttpd.conf -tt
2020-09-16 18:32:35: (mod_openssl.c.471) SSL: BIO_read_filename('/etc/letsencrypt/live/website.com/fullchain.pem') failed
2020-09-16 18:32:35: (server.c.1207) Initialization of plugins failed. Going down.

Does this mean that one of LetsEncrypt's keys (fullchain.pem) has failed? Or something else?

Thanks

RE: Can't Get https to work with Lets Encrypt cert. - Added by gstrauss over 3 years ago

2020-09-16 18:32:35: (mod_openssl.c.471) SSL: BIO_read_filename('/etc/letsencrypt/live/website.com/fullchain.pem') failed

Does this mean that one of LetsEncrypt's keys (fullchain.pem) has failed?

Yes.

Check that the file exists and is readable by the lighttpd web server. (Check file permissions)

RE: Can't Get https to work with Lets Encrypt cert. - Added by ardhill over 3 years ago

gstrauss wrote in RE: Can't Get https to work with Lets Encrypt cert.:

Check that the file exists and is readable by the lighttpd web server. (Check file permissions)

OK, looking in there:

lrwxrwxrwx 1 root root 38 Sep 16 12:16 fullchain.pem -> ../../archive/website.com/fullchain1.pem
lrwxrwxrwx 1 root root 36 Sep 16 12:16 privkey.pem -> ../../archive/website.com/privkey1.pem

Yes, the file does exist, and the permissions are as open as can be, and the same as the other key.

So, I followed the links:


-rw-r--r-- 1 root root 1416 Sep 16 12:16 cert1.pem.gz
-rw-r--r-- 1 root root 1206 Sep 16 12:16 chain1.pem.gz
-rw-r--r-- 1 root root 2439 Sep 16 12:16 fullchain1.pem.gz
-rw------- 1 root root 1343 Sep 16 12:16 privkey1.pem.gz

And the actual files are gzipped archives... in an archive directory ;)

The file that is the problem - fullchain.pem, links to fullchain1.pem.gz

That archive file actually has more permissions than the other one that isn't throwing up a problem. Though looking at the permissions, it looks like only root can read both of them, so lighttpd is running as root and not its own user?

Also, I checked, and yes I am calling privkey.pem first, then fullchain.pem second. So privkey.pem must be being read ok, but not fullchain.pem

RE: Can't Get https to work with Lets Encrypt cert. - Added by gstrauss over 3 years ago

Like all programs, lighttpd starts up as the user that started lighttpd. If lighttpd is started as root and lighttpd.conf has configured server.username and server.groupname, lighttpd will drop privileges. See Configuration Options. If not configured, lighttpd continues to run under the user that started lighttpd.

Note that lighttpd will read the TLS pemfile and privkey files as the user it was started as, e.g. root, and later will drop privileges if server.username and server.groupname are set. This allows lighttpd to run with reduced privileges after having read the privileged certificate private key file.

And the actual files are gzipped archives... in an archive directory ;)

So do you see the obvious problem?

Also, I checked, and yes I am calling privkey.pem first, then fullchain.pem second. So privkey.pem must be being read ok, but not fullchain.pem

Incorrect. The order you list them in lighttpd.conf is not necessarily the order in which they are processed and read.
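The checks gstrauss describes (file exists, readable by the user that starts lighttpd, and actually a PEM file rather than a gzip archive behind the live/ symlink) as an added preflight script; this is example code written for this thread, not part of lighttpd or certbot, and the function names and the single-argument usage are my own:

```shell
#!/bin/sh
# Added preflight check, not part of the thread or of lighttpd itself.
# lighttpd reads ssl.pemfile/ssl.privkey as the user that starts it (root
# under systemd) before dropping privileges, and BIO_read_filename() fails
# on a dangling symlink or on a gzip archive such as fullchain1.pem.gz.
# Both conditions are checked here, along with basic PEM sanity.

# check_pem_file PATH: prints a verdict, returns 0 only if PATH is usable.
check_pem_file() {
    f="$1"
    # -e follows symlinks, so a live/*.pem link whose archive/ target was
    # renamed to *.pem.gz is reported as missing.
    if [ ! -e "$f" ]; then
        echo "missing: $f -> $(readlink -f "$f" 2>/dev/null || echo '?')"
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "unreadable: $f (check permissions for the starting user)"
        return 2
    fi
    # gzip archives begin with the two magic bytes 0x1f 0x8b.
    magic=$(od -An -N2 -tx1 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo "gzipped: $f (gunzip the archive/ file it points to)"
        return 3
    fi
    if ! grep -q -- '-----BEGIN ' "$f"; then
        echo "not-pem: $f"
        return 4
    fi
    echo "ok: $f"
    return 0
}

# check_lighttpd_tls_files CONF: run check_pem_file over every uncommented
# ssl.pemfile / ssl.privkey / ssl.ca-file path in CONF (paths without spaces).
check_lighttpd_tls_files() {
    conf="$1"
    rc=0
    for p in $(grep -E '^[[:space:]]*ssl\.(pemfile|privkey|ca-file)[[:space:]]*=' "$conf" \
               | sed -E 's/.*=[[:space:]]*"([^"]*)".*/\1/'); do
        check_pem_file "$p" || rc=1
    done
    return "$rc"
}

# Example: sudo sh -c '. ./tlscheck.sh; check_lighttpd_tls_files /etc/lighttpd/lighttpd.conf'
```

Run it as the same user that starts lighttpd, since readability is evaluated for the caller and a file readable by root may still be unreadable by www-data.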

RE: Can't Get https to work with Lets Encrypt cert. - Added by ardhill over 3 years ago

So, it turns out that the problem was the gzipped files. How or why they got compressed, I have no idea, but un-compressing them did the trick.

$ /etc/letsencrypt/archive/stderr.me# sudo gunzip privkey1.pem.gz fullchain1.pem.gz chain1.pem.gz cert1.pem.gz
$
$ sudo ls
cert1.pem chain1.pem fullchain1.pem privkey1.pem

Did this, added the code to the lighttpd.conf file:

https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

Reconfigure lighttpd.conf to use certificates retrieved by certbot

server.modules += ("mod_openssl")
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.privkey= "/etc/letsencrypt/live/www.example.com/privkey.pem"
ssl.pemfile= "/etc/letsencrypt/live/www.example.com/fullchain.pem"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # (recommended to accept only TLSv1.2 and TLSv1.3)
#ssl.ca-file= "/etc/lighttpd/certs/www.example.com/chain.pem" # (needed in $SERVER["socket"] before lighttpd 1.4.56 if ssl.pemfile in $HTTP["host"])
}

NOTE: If you are following this fix, remember to change www.example.com in the code above to your site name in your path.

Re-started lighttpd

sudo systemctl restart lighttpd

And all is good :)

Thanks for your help @gstrauss
