NickTheGreek Posted March 13, 2017

I read your Nginx and Let's Encrypt free SSL certificate tutorial. However, I use the Lighttpd web server on the AWS cloud. How do I secure my Lighttpd web server with a Let's Encrypt free SSL certificate on my Ubuntu Linux 16.04 LTS or Debian Linux 8.x server?

Let's Encrypt is a free, automated, and open certificate authority for your website or any other projects. You can grab a free TLS/SSL certificate to create an encrypted HTTPS session for your site visitors. In this tutorial, I will explain how to use Let's Encrypt to install a free SSL certificate for the Lighttpd web server, along with how to properly deploy Diffie-Hellman on your Lighttpd server to get an SSL Labs A+ score.

Our sample setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let's Encrypt on Debian or Ubuntu Linux

    Default Lighttpd config file       : /etc/lighttpd/lighttpd.conf
    Default Lighttpd SSL config file   : /etc/lighttpd/conf-enabled/10-ssl.conf
    Lighttpd SSL certificate directory : /etc/lighttpd/ssl/cyberciti.biz/
    Lighttpd DocumentRoot (root) path  : /var/www/html/
    Lighttpd TLS/SSL port              : 443
    Our sample domain                  : www.cyberciti.biz
    Dedicated public IP                : 74.86.26.69

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:

    $ sudo apt-get install git bc wget curl

Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux

Step 2 – Clone repo

Type the following commands:

    $ cd /tmp
    $ git clone https://github.com/Neilpang/acme.sh.git
    $ sudo -i
    # cd /tmp/acme.sh/
    # ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

The rest of the commands need to be typed as the root user. Become the root user:

    $ sudo -i

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to the actual server.document-root path as per your setup):

    # D=/var/www/html
    # mkdir -vp ${D}/.well-known/acme-challenge/
    ###---[ NOTE: Adjust permission as per your setup ]---###
    # chown -R www-data:www-data ${D}/.well-known/acme-challenge/
    # chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:

    # mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:

    # cd /etc/lighttpd/ssl/cyberciti.biz/
    # openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:

Step 6 – Issue a certificate for your domain

The syntax is:

    acme.sh --issue -w /server.document-root-path/ -d www.example.com
    acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:

    # acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096

Sample outputs:

Fig.04: Issue a certificate

Step 7 – Enable ssl for Lighttpd

Type the following command:

    # lighttpd-enable-mod ssl
    Enabling ssl: ok
    Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:

    # vi /etc/lighttpd/conf-enabled/10-ssl.conf

Update it as follows:

    # turn on ssl
    #
    $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine = "enable"
        ssl.disable-client-renegotiation = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
        ssl.ca-file = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
        ssl.dh-file = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength
        ssl.ec-curve = "secp384r1"
        ssl.use-compression = "disable"
        # Environment flag for HTTPS enabled
        setenv.add-environment = ( "HTTPS" => "on" )
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        # HSTS(15768000 seconds = 6 months)
        setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000;" )
    }

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook for the lighttpd ssl.pem file as follows:

    # vi /root/.acme.sh/www.cyberciti.biz/hook.sh

Append the following script:

    #!/bin/bash
    dom="www.cyberciti.biz"                  # your domain name
    dest="/etc/lighttpd/ssl/cyberciti.biz"   # lighttpd ssl path root
    croot="/root/.acme.sh/${dom}"            # acme.sh root path for your domain
    ### NO edit below ###
    sslfile="${dest}/ssl.pem"                # lighttpd .pem file path
    certfile="${croot}/${dom}.cer"           # lighttpd certificate file path
    keyfile="${croot}/${dom}.key"            # lighttpd key file path
    echo "Running lighttpd cmd..."
    /bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
    /bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:

    # chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh

The above script will create a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem = cert + privkey). Type the following command to install the certificate and restart the lighttpd web server:

    # acme.sh --installcert -d www.cyberciti.biz \
        --capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
        --reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

    [Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
    [Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
    Running lighttpd cmd...
    [Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd is running on port 443:

    # netstat -tulpn | grep ':443'
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:

    # ufw allow proto tcp from any to 74.86.26.69 port 443

Type the following url in your browser:

    https://www.cyberciti.biz

How do I renew a certificate?

    # acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

    # acme.sh --upgrade

A note about cron job

A cron job will try to renew the certificate for you too. This is installed by default as follows (no action required on your part):

    33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/

https://www.cyberciti.biz/faq/how-to-configure-lighttpd-web-server-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/
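The hook.sh in Step 9 builds lighttpd's ssl.pem with a bare `cat a b > out`, so the file inherits whatever umask the acme.sh cron job runs with, and a failed or interrupted `cat` leaves a truncated pemfile behind for the restart to pick up. The script below is an added example (it is not code from the cyberciti.biz tutorial, from acme.sh, or from lighttpd) showing a hardened variant of that hook: it checks that both inputs are PEM before touching anything, writes through a private temporary file and renames it into place, and leaves ssl.pem at mode 0600 because the private key lives inside it. The /etc/lighttpd and /root/.acme.sh paths are the tutorial's own; the function names and the placeholder certificate/key text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the cyberciti.biz tutorial or from acme.sh:
# a hardened replacement for the hook.sh in Step 9. Paths under /etc/lighttpd
# and /root/.acme.sh are the tutorial's own; the function names and the
# sample PEM text are this example's own inventions.
set -eu

# pem_has_block FILE LABEL: succeed if FILE contains a
# "-----BEGIN ...LABEL-----" header (e.g. CERTIFICATE, PRIVATE KEY).
pem_has_block() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# build_lighttpd_pem CERT KEY OUT: concatenate CERT + KEY into OUT the way
# lighttpd's ssl.pemfile expects, but unlike a plain `cat a b > out`:
#   - refuse to run if either input is missing or is not PEM,
#   - write to a private temp file and rename, so lighttpd never reads a
#     half-written pemfile,
#   - leave OUT as mode 0600, because the private key is inside it.
build_lighttpd_pem() {
    certfile=$1; keyfile=$2; sslfile=$3
    pem_has_block "$certfile" "CERTIFICATE" || { echo "not a certificate: $certfile" >&2; return 1; }
    pem_has_block "$keyfile" "PRIVATE KEY"  || { echo "not a private key: $keyfile" >&2; return 1; }
    tmp="${sslfile}.tmp.$$"
    # umask in a subshell so it does not leak into the caller's environment
    (umask 077; cat "$certfile" "$keyfile" > "$tmp") || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    mv -f "$tmp" "$sslfile"
}

# pem_mode FILE: print the permission string, e.g. "-rw-------".
pem_mode() {
    ls -ld "$1" | cut -c1-10
}

# make_sample_pem_dir: create a temp dir holding constructed placeholder
# cert/key files (not real key material) so the functions can be exercised
# without an ACME account or a running server. Prints the directory path.
make_sample_pem_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBexampleCertificateBody==' \
        '-----END CERTIFICATE-----' > "$d/www.example.com.cer"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEexamplePrivateKeyBody==' \
        '-----END RSA PRIVATE KEY-----' > "$d/www.example.com.key"
    echo "$d"
}

# Real use as the acme.sh --reloadcmd hook: only runs when invoked with
# --deploy, so the functions above can be sourced and tested on their own.
if [ "${1:-}" = "--deploy" ]; then
    dom="www.cyberciti.biz"
    dest="/etc/lighttpd/ssl/cyberciti.biz"
    croot="/root/.acme.sh/${dom}"
    build_lighttpd_pem "${croot}/${dom}.cer" "${croot}/${dom}.key" "${dest}/ssl.pem"
    /bin/systemctl restart lighttpd
fi
```

To use it in place of the tutorial's hook, save it as /root/.acme.sh/www.cyberciti.biz/hook.sh, make it executable, and pass `--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh --deploy'` to `acme.sh --installcert`. The 0600 mode is compatible with the Step 8 configuration because lighttpd reads ssl.pemfile while it is still running as root during startup, before it drops to www-data. The rename-into-place step matters for the same reason the tutorial restarts lighttpd from the hook: a restart that reads a partially written pemfile fails to start the TLS listener, which is exactly the outage you want a renewal to avoid.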