Project

General

Profile

[Solved] Lighttpd multiple SSL hosts using Server Name Indication (SNI)

Added by paullylittlefield almost 2 years ago

Hello Folks,

My first post, so be gentle :-)

I have the latest version installed and have followed these official instructions...

https://redmine.lighttpd.net/projects/1/wiki/Docs_SSL#Server-Name-Indication-SNI

...but my server refuses to use the correct SSL certificate for each host.

It appears to be ignoring the $HTTP["host"] setting and offering the default SSL certificate instead.

If I test my config by viewing the non-https version of the web site it works and loads the correct document root page.

I have also tested all the config files with the official command...

lighttpd -t -f /etc/lighttpd/lighttpd.conf -p

...which shows Syntax OK.

Here is an extract of the config (with the domain names changed):-

==> /etc/lighttpd/lighttpd.conf <==

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable" 
    ssl.pemfile = "/etc/lighttpd/domain1_com.pem" 
    ssl.ca-file = "/etc/lighttpd/domain1_com.ca-bundle" 
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem" 
    ssl.ec-curve = "secp384r1" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.cipher-list = "HIGH" 
    $HTTP["host"] == "www.domain2.com" {
      ssl.pemfile = "/etc/lighttpd/domain2_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain2_com.ca-bundle" 
    }
    $HTTP["host"] == "www.domain3.com" {
      ssl.pemfile = "/etc/lighttpd/domain3_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain3_com.ca-bundle" 
    }
}

==> /etc/lighttpd/domain2.com.conf <==

$HTTP["scheme"] == "http" {
  $HTTP["host"] == "domain2.com" {
    url.redirect = ( ".*" => "https://www.domain2.com/$1" )
    url.redirect-code = 301
  }
  $HTTP["host"] == "www.domain2.com" {
    url.redirect = ( ".*" => "https://www.domain2.com/$1" )
    url.redirect-code = 301
  }
}

$HTTP["scheme"] == "https" {
  $HTTP["host"] == "domain2.com" {
    url.redirect = ( ".*" => "https://www.domain2.com/$1" )
    url.redirect-code = 301
  }
  $HTTP["host"] == "www.domain2.com" {
    server.name = "www.domain2.com" 
    server.document-root = "/var/www/www.domain2.com/html" 
    accesslog.filename = "/var/www/www.domain2.com/logs/access.log" 
    url.rewrite-if-not-file = ( "^/(wp-.+).*/?" => "$0", "^/keyword/([A-Za-z_0-9\-]+)/?$" => "/index.php?keyword=$1", "^/.*?(\?.*)?$" => "/index.php$1" )
  }
}

Can anyone help?

Thanks,

Paully


Replies (29)

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

I have the latest version installed

Why not be precise and share the exact version you are using? (Hint, you might think you are using the latest version, but your distro might not have the latest version packaged.)

When you ask for assistance, it is because you do not know the answer.
If you do not know the answer, why do you think you know which information to include and which observational information to exclude? Why do you think you know what to include and exclude from the config that you shared?

Please carefully read How to get support

...but my server refuses to use the correct SSL certificate for each host.

Why do you think that? You have not shared how you obtained that information, i.e. what steps you took to observe that.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Hello @gstrauss

(I guess that was a "gentle" reply to my first ever post! :-)

Thanks for your comments, my answers are below...

$ lighttpd -V

lighttpd/1.4.55 (ssl) - a light and fast webserver

Event Handlers:

        + select (generic)
        + poll (Unix)
        + epoll (Linux)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        - kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + linux-sendfile
        - freebsd-sendfile
        - darwin-sendfile
        - solaris-sendfilev
        + writev
        + write
        - mmap support

Features:

        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL support
        + PCRE support
        + MySQL support
        + PgSQL support
        + DBI support
        + Kerberos support
        + LDAP support
        + PAM support
        + memcached support
        + FAM support
        + LUA support
        + xml support
        + SQLite support
        + GDBM support

$ apt-cache policy lighttpd

lighttpd:
  Installed: 1.4.55-1ubuntu1
  Candidate: 1.4.55-1ubuntu1

$ lsb_release -a

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

I used both command line curl and Mozilla Firefox and Google Chrome to test that the web site loaded correctly with the SSL Certificate.

The default web site loads fine and shows the correct SSL Certificate.

However, the second and third web sites fail on all 3 browsers...

e.g. (domain names and IP addresses changed)

When testing the second web site...

$ curl -v -I -L https://www.domain2.com

*   Trying 123.456.789.0:443...
* TCP_NODELAY set
* Connected to www.domain2.com (123.456.789.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.domain1.com
*  start date: May  8 00:00:00 2019 GMT
*  expire date: May  7 23:59:59 2021 GMT
*  subjectAltName does not match www.domain2.com
* SSL: no alternative certificate subject name matches target host name 'www.domain2.com'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.domain2.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I am happy to debug using logs or a sniffer.

I am happy to compile the latest 1.4.56 to test this.

Thanks for your help.

Regards,

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Just to add to the mystery, I have another server running an OLDER version of Ubuntu and older version of Lighttpd which works perfectly to supply the correct SSL certificate to the domain or sub-domain of a web site.

$ lsb_release -a
Description: Ubuntu 18.04.5 LTS

$ lighttpd -v
lighttpd/1.4.45 (ssl) - a light and fast webserver
Build-Date: Jun 24 2019 22:58:56

$ lighttpd -t -f /etc/lighttpd/lighttpd.conf 
Syntax OK

This is an extract from that WORKING config...

$HTTP["host"] =~ "www.domain.com$" {

  $SERVER["socket"] == ":80" {
    url.redirect = ( ".*" => "https://www.domain.com/$1" )
    url.redirect-code = 301
  }

  $SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = "/etc/letsencrypt/live/www.domain.com/ssl.pem" 
    ssl.ca-file = "/etc/letsencrypt/live/www.domain.com/fullchain.pem" 
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM" 
    ssl.honor-cipher-order = "enable" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.ec-curve = "secp384r1" 
  }

  rest of the settings

}

$HTTP["host"] =~ "old.domain.com$" {

  $SERVER["socket"] == ":80" {
    url.redirect = ( ".*" => "https://old.domain.com/$1" )
    url.redirect-code = 301
  }

  $SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = "/etc/letsencrypt/live/old.domain.com/ssl.pem" 
    ssl.ca-file = "/etc/letsencrypt/live/old.domain.com/fullchain.pem" 
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM" 
    ssl.honor-cipher-order = "enable" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.ec-curve = "secp384r1" 
  }

  rest of the settings

}

This works fine, but the same config does not work with later Ubuntu and later Lighttpd.

Hope you can help.

Regards,

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

I am now going to try compiling the latest version to see if that fixes the problem.

Back soon.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Yes!

A compiled from source 1.4.59 has fixed the issue.

I have used the exact same config files.

The correct SSL Certificates are now being served to the different domains.

Do I have to report a bug with the lighttpd in Ubuntu 20.04 now?

Regards,

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Oh, I now have a different error (sigh)...

Segmentation fault (core dumped)

I'll revert back to the distribution version for now until I fix this!

Fun!

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

Thank you for the additional information.

FYI: SNI did not work on OpenWRT with lighttpd mod_wolfssl until OpenWRT (recently) change the way it compiled wolfssl, adding --enable-opensslall to the wolfssl build. Since you had not provided your full config, to see which TLS modules was loaded, and had not provided your OS and version, I had no way to know and chose not to guess.

What version of openssl do you have installed on the system with lighttpd 1.4.45 (your Ubuntu 18.04.5 LTS)? What version of openssl do you have installed on Ubuntu 20.04.2 LTS? There have not been previous reports of SNI not working with lighttpd 1.4.55, which was released Jan 2020 (over a year ago).

I will be AFK most of the day, but will try to take a look through your config later today. If you could provide a stack trace to the crash with lighttpd 1.4.59, that would be helpful. (If you would like pointers how to produce a stack, please ask.)

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Hello,

Thanks for your quick reply.

The version of openssl I have installed on the Ubuntu 18.04.5 LTS is 1.1.1i ...

$ apt list --installed *ssl*
Listing... Done
libgnutls-openssl27/bionic-updates,now 3.5.18-1ubuntu1.4 amd64 [installed,automatic]
libssl1.0.0/bionic-updates,bionic-security,now 1.0.2n-1ubuntu5.5 amd64 [installed]
libssl1.1/now 1.1.1-1ubuntu2.1~18.04.4 amd64 [installed,upgradable to: 1.1.1i-1+ubuntu18.04.1+deb.sury.org+4]
libxmlsec1-openssl/bionic,now 1.2.25-1build1 amd64 [installed]
openssl/bionic,now 1.1.1i-1+ubuntu18.04.1+deb.sury.org+4 amd64 [installed]
python3-openssl/bionic,now 17.5.0-1ubuntu1 all [installed]

The version of openssl I have installed on the Ubuntu 20.04.2 LTS is 1.1.1i ...

$ apt list --installed *ssl*
Listing... Done
libgnutls-openssl27/focal-updates,focal-security,now 3.6.13-2ubuntu1.3 amd64 [installed,automatic]
libssl-dev/focal,now 1.1.1i-1+ubuntu20.04.1+deb.sury.org+4 amd64 [installed]
libssl1.1/focal,now 1.1.1i-1+ubuntu20.04.1+deb.sury.org+4 amd64 [installed]
libxmlsec1-openssl/focal,now 1.2.28-2 amd64 [installed]
openssl/focal,now 1.1.1i-1+ubuntu20.04.1+deb.sury.org+4 amd64 [installed]
python3-openssl/focal,now 19.0.0-1build1 all [installed]
ssl-cert/focal,now 1.0.39 all [installed]

Hope this helps.

Regarding the stack trace, yes - could you help me please?

:-)

Regards,

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

What request did you make (and with which client) to trigger the crash? If you can share this, I might be able to reproduce the crash without your backtrace.

If you stop the lighttpd service, you can start lighttpd under gdb

systemctl stop lighttpd
gdb --args lighttpd -D -f /etc/lighttpd/lighttpd.conf
> run
# after crash
> bt full
> quit
> y
systemctl start lighttpd

(Please adjust the path to your lighttpd 1.4.59. If you are running test lighttpd from your own build dir, be sure to augment the lighttpd command line with -m /path/to/src/.libs to the .../src/.libs directory of your build)

Alas, I won't have much time this weekend to look into this. I'll take a look at where Ubuntu is stores core dumps and will update in a few days. (Ubuntu may already have saved a core dump of the crash)

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

If you are trying to get SNI working with the Ubuntu package of lighttpd 1.4.55, please try as simple a config as possible.

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable" 
    ssl.pemfile = "/etc/lighttpd/domain1_com.pem" 
    ssl.ca-file = "/etc/lighttpd/domain1_com.ca-bundle" 
    $HTTP["host"] == "www.domain2.com" {
      ssl.pemfile = "/etc/lighttpd/domain2_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain2_com.ca-bundle" 
    }
    $HTTP["host"] == "www.domain3.com" {
      ssl.pemfile = "/etc/lighttpd/domain3_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain3_com.ca-bundle" 
    }
}

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

@gstrauss Thanks for the advice, but that's what I had in the original post!

Next?

:-)

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

gstrauss Thanks for the advice, but that's what I had in the original post!

Next?

You did not share your complete config, and the problem is likely somewhere else in your config, or you might not be restarting lighttpd with the config that you think you are using.

A complete config could be as short as: server.document-root = "...", plus adding the TLS config.

server.document-root = "..." 
server.modules += ("mod_openssl")
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable" 
    ssl.pemfile = "/etc/lighttpd/domain1_com.pem" 
    ssl.ca-file = "/etc/lighttpd/domain1_com.ca-bundle" 
    $HTTP["host"] == "www.domain2.com" {
      ssl.pemfile = "/etc/lighttpd/domain2_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain2_com.ca-bundle" 
    }
    $HTTP["host"] == "www.domain3.com" {
      ssl.pemfile = "/etc/lighttpd/domain3_com.pem" 
      ssl.ca-file = "/etc/lighttpd/domain3_com.ca-bundle" 
    }
}

SNI is an important feature. You seem to be assuming that this is broken on Ubuntu for EVERYBODY. While that is possible, that also seems highly unlikely. Are there any related open issues on the Ubuntu forums?

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Hello,

I have separate config files for the different domains, and that's where I put document root settings and USED to put the SSL settings.

I moved the SSL settings as you suggest (as per my first post) to the main lighttpd.conf file and kept the individual domain files for all the other settings.

Can I just remind you that this problem occurs on version 1.4.55 and not on 1.4.59 using the same config files!

I have JUST stopped the distro version 1.4.55 and started the compiled 1.4.59 to see how long it lasts.

I shall report back with trace and debug logs as soon as I can.

Regards,

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Wow, that didn't last long... about 3 minutes.

[439916.424833] lighttpd[78406]: segfault at 8 ip 00007fb2fce4320e sp 00007ffc53647940 error 4 in mod_openssl.so[7fb2fce3f000+7000]

I'm trying to gdb thing now.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

OK, it's crashed during the dbg command...

$ gdb --args /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/sbin/lighttpd...
(gdb) run
Starting program: /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2021-02-16 16:40:15: configfile.c.461) Warning: "mod_compress" is DEPRECATED and has been replaced with "mod_deflate".  A future release of lighttpd 1.4.x will not contain mod_compress and lighttpd may fail to start up
[Detaching after fork from child process 79309]
[Inferior 1 (process 79304) exited normally]
(gdb) bt full
No stack.
(gdb) quit

What do I do now?

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by stbuehler almost 2 years ago

Either add -D when starting lighttpd or attach gdb (-p $(pidof lighttpd)) after you started it normally as system service.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

$ gdb --args /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

As expected, lighttpd works with SNI. I built against tag lighttpd-1.4.55 and tested with openssl s_client -servername www.domainX.com -connect 127.0.0.1:8443. I then verified the certificate returned by the server, as reported by openssl s_client. While I am not using Ubuntu, this basic test is sufficient to prove that SNI works in lighttpd with a generic configuration. There may be something more specific to your configuration which is not working, but if so, the issue is more nuanced.

server.document-root = "/dev/shm" 
server.bind = "127.0.0.1" 
server.port = 8080

server.modules += ("mod_openssl")
$SERVER["socket"] == "127.0.0.1:8443" {
  ssl.engine = "enable" 
  ssl.pemfile = "/etc/certs/www.domainA.com/cert.pem" 
  ssl.privkey = "/etc/certs/www.domainA.com/key.pem" 
  $HTTP["host"] == "www.domainB.com" {
    ssl.pemfile = "/etc/certs/www.domainB.com/cert.pem" 
    ssl.privkey = "/etc/certs/www.domainB.com/key.pem" 
  }
}

Can I just remind you that this problem occurs on version 1.4.55 and not on 1.4.59 using the same config files!

I am the author of all of the changes to mod_openssl. I am intimately familiar with what has changed.

I am indefatigably stating, and providing proof, that lighttpd SNI works (generically) with lighttpd 1.4.55, as well as with lighttpd 1.4.59.

I am attempting to remind you that there must be something different on your system. There are no related issues on the Ubuntu forums that have been reported by others, and lighttpd 1.4.55 was released over a year ago. Whatever the issue might be, it is unlikely to be widespread, and I do not believe it has been reported before this forum post.

The same goes for your crash with lighttpd 1.4.59. I am interested in helping to fix the issue, but without further evidence, I will not entertain the notion that this is a problem for anyone other than your specific configuration, for which you have only shared heavily edited snippets. This is why I keep asking in different ways for further information about your system and your config.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

Fair point.

OK, I have a cunning plan :-)

I can copy the whole config directory and then redo the individual files to test both versions with the -f option.

I'll report back when that's done.

Thanks,

Paul

PS: can you have 2 instances of lighttpd running but with different configs and different ports?

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

PS: can you have 2 instances of lighttpd running but with different configs and different ports?

Yes, with different ports and different filesystem paths for things like server.pid-file and log files (server.errorlog and accesslog.filename)

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

I now have some time to try this out.

I am going to copy the whole /etc/lighttpd directory as /etc/lighttpd.copy and start 1.4.59 using this directory with the -f option.

I will change NOTHING else.

I will tail watch the logs, as well as test for the correct SSL using 'openssl s_client' and 'curl' from both the server itself and my laptop.

Here goes...

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

OK, so that was exactly what happened before.

After starting 1.4.59 using the (same but copied) config files...

  • the correct SSL certificate was served for different domains (tested on remote server and on laptop)
  • the software crashed after about 1 minute
  • the gdb was run and said 'No stack'

...what shall I try next please?

(I have restarted the distro's own version 1.4.55 and the 'default' SSL certificate is being served for all domains.)

Thanks.

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by gstrauss almost 2 years ago

When running lighttpd under gdb you must ensure that lighttpd is running in the foreground (lighttpd -D) and you must not configure lighttpd with any subprocess workers (comment out any server.max-worker = ...)

Then you should be able to get a stack trace.

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

OK, we have some debugging output now...

gdb --args /usr/local/sbin/lighttpd -D -f /etc/lighttpd.copy/lighttpd.conf
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/sbin/lighttpd...
(gdb) run
Starting program: /usr/local/sbin/lighttpd -D -f /etc/lighttpd.copy/lighttpd.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2021-02-26 14:04:22: configfile.c.461) Warning: "mod_compress" is DEPRECATED and has been replaced with "mod_deflate".  A future release of lighttpd 1.4.x will not contain mod_compress and lighttpd may fail to start up

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a0720e in mod_openssl_cert_cb (ssl=0x5555557075f0, arg=<optimized out>) at mod_openssl.c:1058
1058        if (NULL == pc->ssl_pemfile_x509 || NULL == pc->ssl_pemfile_pkey) {
(gdb) bt full
#0  0x00007ffff7a0720e in mod_openssl_cert_cb (ssl=0x5555557075f0, arg=<optimized out>) at mod_openssl.c:1058
        hctx = 0x555555707580
        pc = 0x0
#1  0x00007ffff79c1cb5 in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#2  0x00007ffff79b129f in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#3  0x00007ffff7988896 in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#4  0x00007ffff798fc55 in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#5  0x00007ffff799aa4f in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#6  0x00007ffff799ab57 in SSL_read () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
No symbol table info available.
#7  0x00007ffff7a06c17 in connection_read_cq_ssl (con=0x5555556499f0, cq=0x555555649ca0, max_bytes=<optimized out>) at mod_openssl.c:2978
        ckpt = 0x0
        hctx = 0x555555707580
        len = <optimized out>
        mem = <optimized out>
        mem_len = 8191
#8  0x0000555555577cc1 in connection_read_header_more (olen=<optimized out>, c=<optimized out>, cq=0x555555649ca0, con=0x5555556499f0) at connections.c:618
        r = <optimized out>
#9  connection_handle_read_state (con=0x5555556499f0) at connections.c:757
        cq = 0x555555649ca0
        c = <optimized out>
        clen = <optimized out>
        header_len = 0
        r = 0x5555556499f0
        keepalive_request_start = 0 '\000'
        pipelined_request_start = 0 '\000'
        discard_blank = <optimized out>
        hoff = {40960, 65535, 32767, 0, 16384, 0, 0, 0, 39408, 21860, 21845, 0, 32516, 21847, 21845, 0 <repeats 1413 times>, 64, 0, 0, 0, 0, 0, 0, 0, 80, 0, 0, 0, 7, 0, 0, 0, 12310, 21851, 21845, 0, 64, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 
          80, 0, 0, 0, 7, 0, 0, 0, 12310, 21851, 21845, 0, 0, 0, 0, 0, 368, 0, 0, 0, 7, 0, 0, 0, 12346, 21851, 21845, 0, 352, 0, 0, 0, 23, 0, 49, 0, 12472, 21851, 21845, 0, 400, 0, 0, 0, 2, 0, 0, 0, 22367, 21847, 21845, 0, 10128, 21854, 
          21845, 0, 42880, 21859, 21845, 0, 1, 0, 0, 0, 56448, 63392, 32767, 0, 41504, 63392, 32767, 0, 22588, 21847, 21845, 0, 13600, 21851, 21845, 0, 12658, 21847, 21845, 0, 29216, 21851, 21845, 0, 11, 0, 0, 256, 44688, 21859, 21845, 
          0, 42867, 63409, 32767, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 80, 0, 0, 0, 7, 0, 0, 0, 12310, 21851, 21845, 0, 64, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 80, 0, 0, 0, 0, 0, 0...}
        hdrs = <optimized out>
#10 0x0000555555578f7d in connection_state_machine_loop (r=0x5555556499f0, con=0x5555556499f0) at connections.c:1079
        ostate = <optimized out>
#11 0x00005555555787f3 in connection_state_machine_h1 (con=0x5555556499f0, r=0x5555556499f0) at connections.c:1418
        log_state_handling = <optimized out>
        log_state_handling = <optimized out>
#12 connection_state_machine (con=0x5555556499f0) at connections.c:1436
        r = 0x5555556499f0
#13 0x00005555555753bc in server_run_con_queue (joblist=<optimized out>, joblist=<optimized out>) at server.c:1869
        i = <optimized out>
        conlist = <optimized out>
        used = <optimized out>
        conlist = <optimized out>
        used = <optimized out>
        i = <optimized out>
#14 server_main_loop (srv=0x5555555b3520) at server.c:1931
        min_ts = <optimized out>
        joblist = <optimized out>
        last_active_ts = 1614348282
--Type <RET> for more, q to quit, c to continue without paging--quit
Quit
(gdb) q
A debugging session is active.

        Inferior 1 [process 11064] will be killed.

Quit anyway? (y or n) y

Does that provide a clue?

Paully

RE: Lighttpd multiple SSL hosts using Server Name Indication (SNI) - Added by paullylittlefield almost 2 years ago

...and these are my SSL libraries provided by the sury PPA for PHP...

https://launchpad.net/~ondrej/+archive/ubuntu/php

apt list --installed *ssl*
Listing... Done
libgnutls-openssl27/focal-updates,focal-security,now 3.6.13-2ubuntu1.3 amd64 [installed,automatic]
libssl-dev/focal,now 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 amd64 [installed]
libssl1.1/focal,now 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 amd64 [installed]
libxmlsec1-openssl/focal,now 1.2.28-2 amd64 [installed]
openssl/focal,now 1.1.1j-1+ubuntu20.04.1+deb.sury.org+3 amd64 [installed]
python3-openssl/focal,now 19.0.0-1build1 all [installed]
ssl-cert/focal,now 1.0.39 all [installed]
(1-25/29)