Project

General

Profile

HowToSimpleSSL » History » Revision 26

Revision 25 (gstrauss, 2019-02-18 21:26) → Revision 26/40 (gstrauss, 2019-02-18 21:27)

h2. Setting up a simple SSL configuration 


 Setting up a simple SSL configuration with Lighttpd is quite easy. Though this method should be used with care because this setup will only provide proper encryption, not authentication! The user will be presented with a query whether to accept the certificate or not! 

 First, go into your SSL Certificates directory and do: 

 <pre> 
 cd /etc/lighttpd/certs 
 openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes 
 chmod 400 lighttpd.pem 
 </pre> 

 The previous instuctions were saying the file should be owned by www-data (depending on the OS) 
 but this is a really bad idea (in case the server gets compromised etc.). As lighttpd starts 
 with root-privileges and drops his rights, you can safely set the owner of the certificate 
 to root and chmod 400 it. 

 Then edit /etc/lighttpd/lighttpd.conf and add: 

 <pre> 
 $SERVER["socket"] == ":443" { 
   ssl.engine = "enable" 
   ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" 
 } 
 </pre> 


 After restarting the webserver, you should be able to access your webserver through https. 

 Because without ssl.ca-file configured, firefox will not accept this certificate, even if it's valid certificate. 


 h2. Let's Encrypt bootstrap using TLS-ALPN-01 verification challenge and dehydrated (with lighttpd 1.4.53) 

 Create initial self-signed cert in order to be able to configure lighttpd with SSL, including subjectAltName expected by dehydrated. 
 Prerequisite: DNS must be configured so that $hostname points to the an address which will serve content from the machine on which you run lighttpd. 
 Replace @hostname=www.example.com@ with an appropriate hostname below. 
 <pre> 
 #!/bin/bash 
 certdir=/etc/lighttpd/certs 
 hostname=www.example.com 
 mkdir -p $certdir/$hostname && openssl req -new -x509 -extensions req_ext -keyout $certdir/$hostname/privkey.pem -out $certdir/$hostname/cert.pem -days 365 -nodes -config <(cat <<-EOF 
 [ req ] 
 distinguished_name = dn 
 prompt = no 
 [ dn ] 
 CN = $hostname 
 [ req_ext ] 
 subjectAltName = @san 
 [ san ] 
 DNS = $hostname 
 EOF 
 ) && cp $certdir/$hostname/cert.pem $certdir/$hostname/chain.pem 
 </pre> 

 Configure /etc/lighttpd/lighttpd.conf.    Note that Let's Encrypt TLS-ALPN-01 verification challenge requires that the host receive and respond to the challenge on port 443. 
 <pre> 
 server.modules += ("mod_openssl") 
 $SERVER["socket"] == "0.0.0.0:443" { 
     ssl.engine = "enable" 
     ssl.acme-tls-1 = "/etc/lighttpd/dehydrated/tls-alpn-01" 
     ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3") # (recommended to accept only TLSv1.2 and TLSv1.3) 
     ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem" 
     ssl.pemfile= "/etc/lighttpd/certs/www.example.com/cert.pem" 
     ssl.ca-file= "/etc/lighttpd/certs/www.example.com/chain.pem" 
 }</pre> 

 Start up lighttpd 
 <pre>systemctl start lighttpd</pre> 

 Download dehydrated and force cert renewal (-x).    You should review the downloaded script before running it. 
 The script does not need to run as root, but does need to have permission to write to the challenge directory and to the certificate directory tree. 
 The user account running the lighttpd web server needs permission to be able to read the files written by dehydrated, so it is recommended that dehydrated be run under the same user account as the lighttpd web server. 
 (Aside: one user found that he needed to set a login shell (e.g. "/bin/bash") for the lighttpd user before things worked.    See https://redmine.lighttpd.net/boards/2/topics/8482) 
 <pre> 
 mkdir -p /etc/lighttpd/dehydrated/tls-alpn-01 
 cd /tmp && git clone https://github.com/lukas2511/dehydrated && cd dehydrated 
 ./dehydrated --register --accept-terms 
 ./dehydrated -d www.example.com -t tls-alpn-01 --out /etc/lighttpd/certs --alpn /etc/lighttpd/dehydrated/tls-alpn-01 -c -x 
 </pre> 

 Restart lighttpd to use the Let's Encrypt certificates 
 <pre>systemctl restart lighttpd</pre> 


 h2. Let's Encrypt bootstrap using HTTP-01 verification challenge and certbot 

 certbot does not yet support @--preferred-challenges tls-alpn-01@ so the less secure http-01 verification challenge must be used with certbot. 

 Configure /etc/lighttpd/lighttpd.conf.    Note that Let's Encrypt HTTP-01 verification challenge requires that the host receive and respond to the challenge on port 80. 
 <pre> 
 server.bind = "0.0.0.0" 
 server.port = 80 
 server.modules += ("mod_alias") 
 alias.url = ("/.well-known/" => "/etc/lighttpd/certbot/.well-known/") 
 </pre> 
 Start up lighttpd 
 <pre>systemctl start lighttpd</pre> 
 Install and run certbot 
 <pre> 
 mkdir -p /etc/lighttpd/certbot 
 dnf install certbot 
 certbot register --agree-tos -m "responsible-admin@example.com" 
 certbot certonly --preferred-challenges http-01 --webroot -w /etc/lighttpd/certbot -d www.example.com 
 #certbot certonly --preferred-challenges tls-alpn-01 --webroot -w /etc/lighttpd/certbot -d www.example.com 
 </pre> 
 Reconfigure lighttpd.conf to use certificates retrieved by certbot 
 <pre> 
 server.modules += ("mod_openssl") 
 $SERVER["socket"] == "0.0.0.0:443" { 
     ssl.engine = "enable" 
     ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3") # (recommended to accept only TLSv1.2 and TLSv1.3) 
 $SERVER["socket"] == "0.0.0.0:443" { 
     ssl.engine = "enable" 
     ssl.privkey= "/etc/letsencrypt/live/www.example.com/privkey.pem" 
     ssl.pemfile= "/etc/letsencrypt/live/www.example.com/cert.pem" 
     ssl.ca-file= "/etc/letsencrypt/live/www.example.com/chain.pem" 
 }</pre> 
 Restart lighttpd to use the Let's Encrypt certificates 
 <pre>systemctl restart lighttpd</pre> 



 h3. See Also 

 ======== 

 * [[lighttpd:Docs_SSL|Secure HTTP]] 
 * [[lighttpd:IPv6-Config|IPv6 Config]]