GitHub - carlbodin/ssl-cert: Create an SSL certificate for a lighttpd webserver using Let's Encrypt.

SSL Certification using Let's Encrypt

A small guide using certbot to apply for an SSL certificate for a lighttpd web server.

Prerequisites

  1. The IP address or domain name points directly to the web server.
  2. The router forwards ports 80 and 443 to your web server host.
  3. The web server listens on ports 80 and 443 and handles requests for the domains you apply for an SSL cert for.

Certification

Install certbot.

sudo apt update
sudo apt install certbot

Generate a certificate for the specific domain, replacing YOUR_DOMAIN. The -w path must be the document root that the web server serves for that domain. Note that this command only obtains a certificate. It neither configures the web server nor sets up automatic renewal of certificates.

sudo certbot certonly --webroot -w /var/www/html -d YOUR_DOMAIN

The next two blocks assume lighttpd as the web server. If you use something else, e.g., nginx or Apache, you are on your own here.

To set up the certificate for lighttpd manually, edit the following config file.

sudo nano /etc/lighttpd/lighttpd.conf

Add this block of text to the bottom of the file. Replace YOUR_DOMAIN with your domain name, e.g., example.com.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem"
    ssl.ca-file = "/etc/letsencrypt/live/YOUR_DOMAIN/chain.pem"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.honor-cipher-order = "enable"
}

Check the expiration date of certificates.

sudo certbot certificates

Renewal

The Let's Encrypt certificates are valid for 90 days. To renew all certificates, run this.

sudo certbot renew  # use flag --dry-run to check what would happen

By default, certbot considers certificates eligible for renewal when they are within 30 days of their expiration date. But you can always force renewal despite longer expiry times.

sudo certbot renew --force-renewal

Restart the lighttpd process for changes to take effect.

sudo systemctl restart lighttpd

Optional: To do both of the above at once, run the renewal with the --deploy-hook option.

sudo certbot renew --deploy-hook "systemctl reload lighttpd"

Tip: Set up auto renewal

The installation should create a systemd timer called certbot.timer.

sudo systemctl list-timers

If there is none, use systemd to enable the timer. Check the result afterwards.

sudo systemctl enable --now certbot.timer
sudo systemctl list-timers

Alternatively, use crontab to set a cron job. Edit the root user's crontab so the job does not prompt for a password.

sudo crontab -e

Add this line to the bottom of the file.

0 4 * * 0 certbot renew --quiet --deploy-hook "systemctl reload lighttpd"

Save it and check the result.

sudo crontab -l
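
A timer or cron job can fail silently, so it helps to check the remaining validity that `sudo certbot certificates` reports against the 30-day renewal window. The script below is an added example, not part of this repository: `stale_certs` and `sample_certbot_output` are hypothetical names, the 20-day alert threshold is an assumption, and the sample output is constructed, assuming certbot's "(VALID: N days)" / "(INVALID: ...)" status format.

```shell
#!/bin/sh
# Added example (not from the repository): detect silently failing renewals.
# stale_certs reads `certbot certificates` output on stdin and prints
# "NAME STATUS" for each certificate that is invalid or has fewer than
# $1 days left (default 20, an assumed alert threshold).
# Returns 0 if every certificate is fine, 1 otherwise.
stale_certs() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            # Status is the parenthesised text after the date.
            status = substr($0, index($0, "(") + 1)
            sub(/\)$/, "", status)
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, f, " "); days = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                days = 0    # less than one day left
            } else {
                days = -1   # INVALID: EXPIRED, REVOKED, ...
            }
            if (days < min) {
                print name, (days < 0 ? "INVALID" : days "d")
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `certbot certificates` output (not real data).
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2030-03-01 04:00:12+00:00 (VALID: 59 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2030-01-13 04:00:12+00:00 (VALID: 12 days)
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2029-12-01 04:00:12+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the sample; on a real host: sudo certbot certificates | stale_certs 20
sample_certbot_output | stale_certs 20 || echo "renewal needs attention"
```

A certificate that shows up here with fewer than 20 days left has already missed at least ten days of renewal attempts, which points at the timer, the cron job, or the port 80 challenge path.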
