Project

General

Profile

Lighttpd and certbot notes

Added by bat1963 5 months ago

I made some notes on setting up certbot with lighttpd which are here:

https://justpaste.it/ah67d

Probably a very bad way of doing things, so feel free to comment or delete this post if it is too bad to be of any use to anyone.


Replies (4)

RE: Lighttpd and certbot notes - Added by gstrauss 4 months ago

Thank you for taking the time to share your notes. Please review for corrections.

Please see some general (not certbot) documentation about configuring lighttpd TLS and HowToRedirectHttpToHttps

The TLS configuration should not be in 10-cgi.conf as you have suggested. CGI configuration is unrelated.

Overall, your doc is a whole lot of text which can be summarized as install and configure certbot, configure lighttpd to use the cert, and then set up a daily cron job to run certbot renew && /etc/init.d/lighttpd reload

Setting up TLS in lighttpd is documented in lighttpd TLS, so your doc is more aimed at setting up certbot. The lighttpd config with certbot is "use the cert" and "renew cert and reload lighttpd once a day".


Regarding the second half for Ubuntu 16, the end of Ubuntu Standard Support for Ubuntu 16 was in April 2021. Anybody still running such an ancient, unmaintained code is incompetent at maintaining secure systems, and you should not be providing instructions which pretend to provide security for hopelessly insecure systems.

Ubuntu 16 runs lighttpd 1.4.35, released Mar 2014 -- over a DECADE ago, and Ubuntu has not kept the Ubuntu lighttpd package in Ubuntu 16 patched for security issues. The current stable lighttpd release is lighttpd 1.4.76, some 41 lighttpd releases newer.

RE: Lighttpd and certbot notes - Added by bat1963 4 months ago

Brilliant. I will update that old one. Must sort myself out. On renewing the certificate, I get a permission issue if lighttpd is running. Hence I had to stop it and restart after attempting the renewal. Thank you for checking my notes anyway.

RE: Lighttpd and certbot notes - Added by stbuehler 4 months ago

certbot "standalone" mode will run its own webserver - and conflict with the ports bound by a "real" webserver.

Which is documented btw in standalone:

This plugin needs to bind to port 80 in order to perform domain validation, so you may need to stop your existing webserver.

You should be using webroot instead. A proper setup aliasing /.well-known/acme-challenge to some certbot webroot might actually be worth documenting.

For everything else the instructions basically are "follow the manual at a, b and c", as gstrauss already said.

RE: Lighttpd and certbot notes - Added by gstrauss 4 months ago

Yes, you're right. certbot might that it use that port for certificate verification, depending on the verification mechanism employed.

lighttpd provides better ways to verify the certificate without having to shut down the server.

HowToSimpleSSL documents how to use TLS-ALPN-01 verification challenge which lighttpd has supported for over 5 years, but certbot does not.

    (1-4/4)