Project

General

Profile

Actions

HowToSimpleSSL » History » Revision 19

« Previous | Revision 19/39 (diff) | Next »
gstrauss, 2019-01-27 04:16


Setting up a simple SSL configuration

Setting up a simple SSL configuration with Lighttpd is quite easy. Though this method should be used with care because this setup will only provide proper encryption, not authentication! The user will be presented with a query whether to accept the certificate or not!

First, go into your SSL Certificates directory and do:

cd /etc/lighttpd/certs
openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes
chmod 400 lighttpd.pem

The previous instuctions were saying the file should be owned by www-data (depending on the OS)
but this is a really bad idea (in case the server gets compromised etc.). As lighttpd starts
with root-privileges and drops his rights, you can safely set the owner of the certificate
to root and chmod 400 it.

Then edit /etc/lighttpd/lighttpd.conf and add:

$SERVER["socket"] == ":443" {
  ssl.engine = "enable" 
  ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" 
}

After restarting the webserver, you should be able to access your webserver through https.

Because without ssl.ca-file configured, firefox will not accept this certificate, even if it's valid certificate.

Let's Encrypt bootstrap using TLS-ALPN-01 verification challenge

Create initial self-signed cert in order to be able to configure lighttpd with SSL, including subjectAltName expected by dehydrated. Replace hostname=www.example.com with an appropriate hostname.

#!/bin/bash
certdir=/etc/lighttpd/certs
hostname=www.example.com
mkdir -p $certdir/$hostname && openssl req -new -x509 -extensions req_ext -keyout $certdir/$hostname/privkey.pem -out $certdir/$hostname/cert.pem -days 365 -nodes -config <(cat <<-EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $hostname
[ req_ext ]
subjectAltName = @san
[ san ]
DNS = $hostname
EOF
) && cp $certdir/$hostname/cert.pem $certdir/$hostname/chain.pem

Configure /etc/lighttpd/lighttpd.conf. Note that Let's Encrypt TLS-ALPN-01 verification challenge requires that the host receive and respond to the challenge on port 443.

server.modules += ("mod_openssl")
ssl.acme-tls-1 = "/etc/lighttpd/dehydrated/tls-alpn-01" 
ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3") # (recommended to accept only TLSv1.2 and TLSv1.3)
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable" 
    ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem" 
    ssl.pemfile= "/etc/lighttpd/certs/www.example.com/cert.pem" 
    ssl.ca-file= "/etc/lighttpd/certs/www.example.com/chain.pem" 
}

Start up lighttpd server

systemctl start lighttpd

Download dehydrated and force cert renewal (-x). You should review the downloaded script before running it.
The script does not need to run as root, but does need to have permission to write to the challenge directory and to the certificate directory tree.

mkdir -p /etc/lighttpd/dehydrated/tls-alpn-01
cd /tmp && git clone https://github.com/lukas2511/dehydrated && cd dehydrated
./dehydrated --register --accept-terms
./dehydrated -d www.example.com -t tls-alpn-01 --out /etc/lighttpd/certs --alpn /etc/lighttpd/dehydrated/tls-alpn-01 -c -x

Restart lighttpd to use the Let's Encrypt certificates

systemctl restart lighttpd

See Also

========

Updated by gstrauss over 3 years ago · 19 revisions