Content: Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble
Background: Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble
Pattern: Blank Waves Notes Sharp Wood Rockface Leather Honey Vertical Triangles
Welcome to Design Host

Κάντε εγγραφή τώρα εντελώς δωρεάν για να αποκτήσετε πλήρη πρόσβαση στην κοινότητα μας. Μετά την ολοκλήρωση της εγγραφής θα μπορείτε να συνδεθείτε και να δημιουργήσετε νέα θέματα ή να απαντήσετε στα υπάρχοντα. Επίσης θα μπορείτε να αλλάξετε τις πληροφορίες του προφίλ σας και παράλληλα να επικοινωνείτε με άλλα μέλη μέσω προσωπικών μηνυμάτων και πολλά ακόμα! Αυτό το μήνυμα θα αφαιρεθεί αυτόματα μετά την σύνδεση σας στην κοινότητα μας.

NickTheGreek

How to configure Lighttpd web server with free Let’s Encrypt SSL certificate on Debian or Ubuntu Linux

1 post in this topic

Iread your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use Lighttpd web server on AWS cloud. How do I secure my Lighttpd web server with Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04 LTS or Debian Linux 8.x server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. You can grab free TLS/SSL certificate to create encrypted HTTPS session for your site visitors. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for Lighttpd web server along with how to properly deploy Diffie-Hellman on your Lighttpd server to get SSL labs A+ score.

 

Our sample setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • Lighttpd DocumentRoot (root) path : /var/www/html/
  • Lighttpd TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP: 74.86.26.69

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:
$ sudo apt-get install git bc wget curl
Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux

Fig.02: Install git and bc on Ubuntu/Debian Linux

 

Step 2 – Clone repo

Type the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

Fig.03: Clone the acme.sh client using git


Rest of all command need to be type as root user. Become root user:
$ sudo -i

 

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual server.document-root path as per your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:


 

 

Step 6 – Issue a certificate for your domain

The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:
# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096
Sample outputs:

Fig.04: Issue a certificate

Fig.04: Issue a certificate

 

Step 7 – Enable ssl for Lighttpd

Type the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:

# turn on ssl #
	$SERVER["socket"] == "0.0.0.0:443" {
	    ssl.engine   = "enable"
	    ssl.disable-client-renegotiation = "enable"
 
	    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
	    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
	    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
 
	    # ECDH/ECDHE ciphers curve strength 
	    ssl.ec-curve              = "secp384r1"
 
	    ssl.use-compression     = "disable"
 
	    # Environment flag for HTTPS enabled
	    setenv.add-environment = (
	        "HTTPS" => "on"
	    )
	    ssl.use-sslv2 = "disable"
	    ssl.use-sslv3 = "disable"
	    ssl.honor-cipher-order    = "enable"
  	    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
	    # HSTS(15768000 seconds = 6 months)
	    setenv.add-response-header  = (
	        "Strict-Transport-Security" => "max-age=15768000;"
	    )
	}

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook for lighttpd ssl.pem file as follows:
# vi /root/.acme.sh/www.cyberciti.biz/hook.sh
Append the following script:

#!/bin/bash
dom="www.cyberciti.biz"                   #your domain name 
dest="/etc/lighttpd/ssl/cyberciti.biz"    #lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             #acme.sh root path for your domain
 
### NO edit below ###
sslfile="${dest}/ssl.pem"                  #lighttpd .pem file path
certfile="${croot}/${dom}.cer"             #lighttpd certficate file path        
keyfile="${croot}/${dom}.key"              #lighttpd key file path 
 
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:
# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh
Above script will create a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem =cert+privkey). Type the following command to install certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.cyberciti.biz \
--capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd running on port 443
# netstat -tulpn | grep ':443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:
# ufw allow proto tcp from any to 74.86.26.69 port 443
Type the following url in your browser:
https://www.cyberciti.biz

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/

https://www.cyberciti.biz/faq/how-to-configure-lighttpd-web-server-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now