2026-03-30 / Lirr

Setting up an SSL certificate

For future reference, I'll document how I set up a free Let's Encrypt SSL certificate with autorenewal for the site, using certbot and lighttpd with the mod_proxy module.

Steps ...

Install certbot

# apk add certbot

Configure lighttpd

server.modules += ( "mod_redirect", "mod_proxy", "mod_openssl" )

# Upgrade http to https
$HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

# Listen on port 443
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # lighttpd.pem holds the private key followed by the certificate
        ssl.pemfile = "/etc/letsencrypt/live/<domain>/lighttpd.pem"
        ssl.ca-file = "/etc/letsencrypt/live/<domain>/chain.pem"
}

# This is needed to pass the certbot test: requests under /.well-known
# are served from the webroot instead of being proxied to the backend
$HTTP["url"] !~ "^/\.well-known" {
        proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 1234 ) ) )
}

Generate a certificate

# certbot certonly -v -n --webroot --webroot-path /var/www/localhost/htdocs/ -d <domain> --agree-tos --email <email>

Concatenate the private and cert files

# cd /etc/letsencrypt/live/<domain>

# cat privkey.pem cert.pem > lighttpd.pem

Set up autorenewal

# SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}')

# echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | tee -a /etc/crontab > /dev/null

Restart lighttpd

# service lighttpd restart
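
The cron job runs certbot renew, which replaces privkey.pem and cert.pem but leaves the hand-built lighttpd.pem stale, and lighttpd keeps serving the old certificate until it is restarted. The script below is an added example, not part of the original setup: a certbot deploy hook that redoes the concatenate and restart steps after each renewal. The hook file name and the rc-service call (Alpine's OpenRC) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/lighttpd-pem.sh
# certbot runs deploy hooks once per renewed certificate and sets
# RENEWED_LINEAGE to that certificate's live directory.

# Rebuild lighttpd.pem (private key + certificate) in the given directory.
# Returns non-zero and leaves any existing lighttpd.pem untouched on failure.
build_lighttpd_pem() {
    lp_dir=$1
    for lp_f in privkey.pem cert.pem; do
        if [ ! -s "$lp_dir/$lp_f" ]; then
            echo "lighttpd-pem: $lp_dir/$lp_f is missing or empty" >&2
            return 1
        fi
    done
    # mktemp creates the file with mode 0600, so the key is never
    # world-readable, even briefly.
    lp_tmp=$(mktemp "$lp_dir/lighttpd.pem.XXXXXX") || return 1
    # Write to the temp file, then rename over the old bundle in one step.
    if cat "$lp_dir/privkey.pem" "$lp_dir/cert.pem" > "$lp_tmp" &&
       chmod 600 "$lp_tmp" &&
       mv -f "$lp_tmp" "$lp_dir/lighttpd.pem"; then
        return 0
    fi
    rm -f "$lp_tmp"
    return 1
}

# Only act when certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # rc-service is Alpine's OpenRC service command (assumed init system).
    build_lighttpd_pem "$RENEWED_LINEAGE" && rc-service lighttpd restart
fi
```

The script has to be executable for certbot to run it from the deploy hooks directory.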

References

https://redmine.lighttpd.net/projects/lighttpd/wiki#Documentation

https://slavik.svyrydiuk.eu/letsencrypt-and-lighttpd.html

https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal