How to configure Lighttpd web server with free Let’s Encrypt SSL certificate on Debian or U...

Datetime: 2017-03-14 05:13:28    Topic: Lighttpd

I read your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use Lighttpd web server on AWS cloud. How do I secure my Lighttpd web server with Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04 LTS or Debian Linux 8.x server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other project. You can obtain a free TLS/SSL certificate to serve your visitors over an encrypted HTTPS session. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for the Lighttpd web server, and how to properly deploy Diffie-Hellman parameters on your Lighttpd server to get an SSL Labs A+ score.

Our sample setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • Lighttpd DocumentRoot (root) path : /var/www/html/
  • Lighttpd TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP: 74.86.26.69

Step 1 – Install acme.sh client

Type the following apt-get command / apt command:

$ sudo apt-get install git bc wget curl

Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux

Step 2 – Clone repo

Type the following commands:

$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

All remaining commands need to be typed as the root user. Become root:

$ sudo -i

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following commands (set D to the actual server.document-root path as per your setup):

# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permissions as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:

# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:

# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:

Generating DSA parameters, 4096 bit long prime
.....+..............+......+.+..........+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
+....................................+............+..........................+.+.....+.+.....+...........+..........+........+...+..+...+..+............+......+.....+....+......+......................................+..+.....+.+............+....+.+.+..+........+...+.............+..+........+++++++++++++++++++++++++++++++++++++++++++++++++++*

Step 6 – Issue a certificate for your domain

The syntax is:

acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:

# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096

Sample outputs:

Fig.04: Issue a certificate

Step 7 – Enable ssl for Lighttpd

Type the following command:

# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:

# vi /etc/lighttpd/conf-enabled/10-ssl.conf

Update it as follows:

# turn on ssl #
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine   = "enable"
    ssl.disable-client-renegotiation = "enable"

    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"

    # ECDH/ECDHE ciphers curve strength
    ssl.ec-curve              = "secp384r1"

    ssl.use-compression       = "disable"

    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order    = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # HSTS (15768000 seconds = 6 months)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=15768000;"
    )
}

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook script that builds the lighttpd ssl.pem file, as follows:

# vi /root/.acme.sh/www.cyberciti.biz/hook.sh

Append the following script:

#!/bin/bash
# Hook run by acme.sh after a successful issue/renew: assemble the combined
# lighttpd PEM file (certificate + private key) and restart the server.
set -euo pipefail

dom="www.cyberciti.biz"                   # your domain name
dest="/etc/lighttpd/ssl/cyberciti.biz"    # lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             # acme.sh root path for your domain

### NO edit below ###
sslfile="${dest}/ssl.pem"                  # lighttpd .pem file path
certfile="${croot}/${dom}.cer"             # certificate file path
keyfile="${croot}/${dom}.key"              # private key file path

# ssl.pem contains the private key, so make it readable by root only
umask 077
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/chmod 0600 "${sslfile}"
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:

# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh

The above script creates a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem = certificate + private key). Type the following command to install the certificate and restart the lighttpd web server:

# acme.sh --installcert -d www.cyberciti.biz \
  --capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
  --reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

[Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd is listening on port 443:

# netstat -tulpn | grep ':443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd
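Beyond confirming the listener, it is worth checking that the Step 8 configuration still carries every hardening directive and that the ssl.pem built by the Step 9 hook is not readable by other users (it holds the private key). The following helpers are an added example, not part of the original tutorial or of acme.sh/lighttpd; they assume the lighttpd 1.4 directive names used above and need only POSIX sh, grep, sed and ls, so they run offline against any copy of the files.

```shell
#!/bin/sh
# Added verification helpers for the tutorial's lighttpd TLS setup.
# lint_ssl_conf FILE  - checks 10-ssl.conf for the hardening directives
# check_pem FILE      - checks the cert+key PEM assembled by hook.sh

# Directive names and required values (assumption: lighttpd 1.4.x names).
REQUIRED_DIRECTIVES='
ssl.engine enable
ssl.use-sslv2 disable
ssl.use-sslv3 disable
ssl.use-compression disable
ssl.disable-client-renegotiation enable
ssl.honor-cipher-order enable
'
HSTS_MIN_AGE=15768000   # 6 months, as in the tutorial's config

# Prints one line per missing or weak setting; returns 1 if any were found.
lint_ssl_conf() {
    conf="$1"
    rc=0
    # Each directive must appear uncommented with exactly the expected value.
    while read -r name value; do
        [ -n "$name" ] || continue
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\"${value}\"" "$conf"; then
            echo "missing or weak: ${name} = \"${value}\""
            rc=1
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    # Certificate, chain and DH parameter paths must all be set to something.
    for name in ssl.pemfile ssl.ca-file ssl.dh-file; do
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$conf"; then
            echo "missing: ${name}"
            rc=1
        fi
    done
    # HSTS must be present and at least as long as the tutorial's 6 months.
    hsts=$(grep -Eo 'max-age=[0-9]+' "$conf" | head -n 1 | cut -d= -f2)
    if [ -z "$hsts" ]; then
        echo "missing: Strict-Transport-Security header"
        rc=1
    elif [ "$hsts" -lt "$HSTS_MIN_AGE" ]; then
        echo "weak: HSTS max-age ${hsts} is below ${HSTS_MIN_AGE}"
        rc=1
    fi
    return $rc
}

# Verifies the combined PEM has a cert and a key and is readable by owner only.
check_pem() {
    pem="$1"
    rc=0
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate block in $pem"; rc=1; }
    grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
        || { echo "no private key block in $pem"; rc=1; }
    # Columns 5-10 of ls -l are the group and other permission bits.
    perm=$(ls -l "$pem" | cut -c5-10)
    [ "$perm" = "------" ] \
        || { echo "private key readable by group/other (bits '$perm'): $pem"; rc=1; }
    return $rc
}

# Usage: sh check-tls.sh /etc/lighttpd/conf-enabled/10-ssl.conf /etc/lighttpd/ssl/cyberciti.biz/ssl.pem
if [ "$#" -ge 2 ]; then
    lint_ssl_conf "$1"; a=$?
    check_pem "$2"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "OK: config and PEM look sane"
fi
```

Run it after every renewal as well as once at setup: the hook restarts lighttpd automatically, so a PEM left world-readable or a directive lost during a config edit would otherwise go unnoticed until the next audit.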

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:

# ufw allow proto tcp from any to 74.86.26.69 port 443

Type the following url in your browser:

https://www.cyberciti.biz

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will also attempt to renew the certificate for you. It is installed by default as follows (no action required on your part):

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
