Posted on Wed 01 April 2020
In General questions.
tags: setup lighttpd ssl certbot
Let’s Encrypt is a Certificate Authority (CA) that issues free SSL/TLS certificates. Lighttpd is a lightweight webserver that runs on low resources. Let’s Encrypt SSL certificates can easily be installed on a Lighttpd server using Certbot, a software client that automates most of the process of obtaining the certificates.
This tutorial assumes that you have already created a Vultr Cloud Compute instance with Lighttpd installed on Ubuntu 16.04, have a domain name pointing to your server, and have logged in as root.
Step One: Install Certbot
The first step is to install Certbot. Add the Certbot repository. Press Enter when prompted for confirmation.
sudo add-apt-repository ppa:certbot/certbot
Install Certbot.
sudo apt-get update
sudo apt-get install certbot
Step Two: Obtain SSL Certificate
Once Certbot is installed, you can obtain an SSL certificate. Run the following command, replacing example.com with your own domain name:
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Continue through the interactive installer.
Step Three: Setup Certificate Files for use with Lighttpd
Certbot will place the obtained certificate files in /etc/letsencrypt/live/example.com. You will need to grant the Lighttpd user access to this directory.
chown :www-data /etc/letsencrypt
chown :www-data /etc/letsencrypt/live
chmod g+x /etc/letsencrypt
chmod g+x /etc/letsencrypt/live
Lighttpd requires the certificate and private key to be in a single file. You will need to combine the two files. Run the following command, replacing example.com with your own domain name.
sudo bash -c "cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem"
The privkey.pem and cert.pem files will be combined and saved as merged.pem.
Step Four: Configure Lighttpd
Once your certificate files are ready, you can go on and configure Lighttpd to use the SSL certificate. Open the Lighttpd configuration file for editing.
sudo nano /etc/lighttpd/lighttpd.conf
Add the following block at the end of the file, replacing example.com with your own domain name:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.ca-file = "/etc/letsencrypt/live/example.com/chain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/example.com/merged.pem"
}
Step Five: Force SSL Usage
For added security, you can force your Lighttpd server to route all HTTP requests to HTTPS. Open the lighttpd.conf file for editing.
sudo nano /etc/lighttpd/lighttpd.conf
Add the following block at the end of the file:
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
You will need to restart the Lighttpd server for the changes to take effect.
sudo systemctl restart lighttpd
Renewing the SSL Certificate
Let's Encrypt issues SSL certificates with a validity of 90 days. You will need to renew your certificate before it expires to avoid certificate errors. You can renew the certificate with Certbot.
sudo certbot renew
You will need to combine the certificate and private key for Lighttpd. Run the following command, replacing example.com with your domain name.
sudo bash -c "cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem"
Your certificate will be renewed for another 90 days.
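The merge command in Step Three and the manual re-merge after renewal above both write merged.pem, which contains the private key, with whatever permissions the root umask gives it (usually world-readable), and the renewal step has to be remembered every 90 days. The following script is an added example, not part of the original tutorial: it wraps the merge in a function that writes the file with mode 0640 via a temporary file, and can be run by Certbot as a deploy hook (Certbot sets RENEWED_LINEAGE to the live directory of the renewed certificate). The install path /usr/local/sbin/lighttpd-merge-pem.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): rebuild merged.pem for Lighttpd
# after a Certbot renewal. Install as /usr/local/sbin/lighttpd-merge-pem.sh (assumed
# path) and run with:
#   sudo certbot renew --deploy-hook /usr/local/sbin/lighttpd-merge-pem.sh
set -eu

# merge_pem LINEAGE_DIR [GROUP]
# Writes LINEAGE_DIR/merged.pem (private key followed by certificate), owned by
# root:GROUP with mode 0640, so the key is never world-readable. The data goes
# through a temporary file and a rename, so Lighttpd never reads a half-written
# file if it restarts while the hook is running.
merge_pem() {
    lineage=$1
    group=${2:-www-data}
    tmp="$lineage/merged.pem.tmp"
    # umask 077 in a subshell: the temporary file is created 0600 from the start,
    # without changing the umask of the rest of the script.
    ( umask 077 && cat "$lineage/privkey.pem" "$lineage/cert.pem" > "$tmp" )
    chgrp "$group" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$lineage/merged.pem"
}

# When Certbot runs this script as a deploy hook, RENEWED_LINEAGE is set to
# e.g. /etc/letsencrypt/live/example.com. Invoked by hand, it does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    merge_pem "$RENEWED_LINEAGE" www-data
    systemctl restart lighttpd
fi
```

Pass the hook on the same certbot renew command each time, or add deploy_hook = /usr/local/sbin/lighttpd-merge-pem.sh to the renewal configuration file under /etc/letsencrypt/renewal/ so the automatic renewal timer uses it too.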