Lighttpd fails after renewing letsencrypt

Creating a bug report/issue

Required Information

  • DietPi version | cat /boot/dietpi/.version
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=20
    G_DIETPI_VERSION_RC=1
    G_GITBRANCH='master'
    G_GITOWNER='MichaIng'

  • Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
    buster 1

  • Kernel version | uname -a
    Linux DietPi-RasPi3 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux

  • Architecture | dpkg --print-architecture
    armhf

  • SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)
    RPi 3 Model B (armv7l)

  • Power supply used | (EG: 5V 1A RAVpower)
    NoName

  • SD card used | (EG: SanDisk ultra)
    Bootable USB-SSD

Additional Information (if applicable)

  • Software title | (EG: Nextcloud)
    lighttpd/1.4.53 (ssl)
    Nextcloud

Steps to reproduce

  1. I successfully updated from v8.19.1 to v8.20.1 with no errors -> "reboot"
  2. Renewed the SSL certificate like a dozen times before -> "dietpi-letsencrypt" -> Ended with:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[  OK  ] DietPi-LetsEncrypt | Desired setting in /etc/lighttpd/lighttpd.conf was already set:   "mod_setenv",
[FAILED] DietPi-LetsEncrypt | systemctl restart lighttpd

Expected behaviour

  • Lighttpd should start to make Nextcloud accessible.

Actual behaviour

  • Lighttpd does not start.

Extra details

  • “systemctl status lighttpd.service” reports this:
● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/lighttpd.service.d
           └─dietpi.conf
   Active: failed (Result: exit-code) since Sun 2023-07-30 15:10:59 CEST; 20s ago

Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: lighttpd.service: Service RestartSec=100ms expired, scheduling restart.
Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: Stopped Lighttpd Daemon.
Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: lighttpd.service: Start request repeated too quickly.
Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Jul 30 15:10:59 DietPi-RasPi3 systemd[1]: Failed to start Lighttpd Daemon.

What do I have to do to get Lighttpd running again so I can access my Nextcloud?

Thanx in advance,
Lelo

I guess it is dietpi-letsencrypt, right?

Can you share following

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf

Yes, "dietpi-letsencrypt" of course - I updated my post. Sorry.

 /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
Error: duplicate array-key: Options. Please get rid of the duplicate entry.
2023-07-30 17:43:23: (configfile.c.1296) source: /etc/lighttpd/conf-enabled/50-dietpi-https.conf line: 18 pos: 17 parser failed somehow near here: (COMMA)
2023-07-30 17:43:23: (configfile.c.1296) source: /etc/lighttpd/lighttpd.conf line: 48 pos: 15 parser failed somehow near here: (EOL)

can you share

cat /etc/lighttpd/lighttpd.conf
1 Like

cat /etc/lighttpd/lighttpd.conf
server.modules = (
        "mod_indexfile",
        "mod_setenv",
        "mod_access",
        "mod_alias",
        "mod_redirect",
)

server.document-root = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "disable",# default
  "host-strict"             => "disable",# default
  "host-normalize"          => "disable",# default
  "url-normalize-unreserved"=> "disable",# recommended highly
  "url-normalize-required"  => "disable",# recommended
  "url-ctrls-reject"        => "disable",# recommended
  "url-path-2f-decode"      => "disable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "disable",
  "url-path-dotseg-remove"  => "disable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "disable",
 #"url-query-20-plus"       => "disable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
        "mod_compress",
        "mod_dirlisting",
        "mod_staticfile",
)

This is because of my PR: we changed some things in /etc/lighttpd/conf-available/50-dietpi-https.conf, but I made a mistake and now there are two "Options" lines, which lighttpd does not like.
We can delete the "sessionticket" option; the recommendation is to use only -ServerPreference, see: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Perfect-Forward-Secrecy-PFS.

Note also that there are two entries in this file, one for IPv4, around line 16, and one for IPv6, around line 33.

The problem now is that you can change these lines in /etc/lighttpd/conf-available/50-dietpi-https.conf, but when you run dietpi-letsencrypt the file gets regenerated by the script, so we have to edit the script itself for now.

Workaround:

sed -i '/"Options" => "-SessionTicket",/d' /boot/dietpi/dietpi-letsencrypt
sed -i '/"Options" => "-SessionTicket",/d' /etc/lighttpd/conf-available/50-dietpi-https.conf

After that you can re-run dietpi-letsencrypt.

edit: PR is out, apologies for the inconvenience

4 Likes
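As an added example (not from the thread or the DietPi project), a small shell check that finds the "duplicate array-key" condition lighttpd -tt reported, run over a constructed TLS block shaped like the one Jappe describes (the real 50-dietpi-https.conf is not shown, so its layout is assumed), followed by the thread's sed workaround applied to that sample:

```shell
# Constructed sample resembling the broken 50-dietpi-https.conf from the thread.
# The real file is not shown, so the block layout here is an assumption.
make_sample() {
cat > "$1" <<'EOF'
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.openssl.ssl-conf-cmd = (
        "Options" => "-SessionTicket",
        "Options" => "-ServerPreference",
        "MinProtocol" => "TLSv1.2",
    )
}
EOF
}

# The workaround from the thread, applied to a file of our choosing.
drop_sessionticket() {
  sed -i '/"Options" => "-SessionTicket",/d' "$1"
}

# Report every "key" => value entry whose key repeats inside the same "( ... )"
# array, which is exactly what lighttpd rejects with "duplicate array-key".
# Returns 1 when a duplicate exists, so it can gate "systemctl restart lighttpd".
find_dup_keys() {
  awk '
    /\(/ { stack[++depth] = ++nblocks }            # enter a "( ... )" array
    depth > 0 && /^[[:space:]]*"[^"]+"[[:space:]]*=>/ {
      key = $0; sub(/^[[:space:]]*"/, "", key); sub(/".*/, "", key)
      if ((stack[depth], key) in seen) {
        printf "line %d: duplicate array-key %s (first at line %d)\n", NR, key, seen[stack[depth], key]
        dups++
      } else seen[stack[depth], key] = NR
    }
    /\)/ { depth-- }                                # leave the array
    END { exit dups ? 1 : 0 }
  ' "$1"
}

# Only restart when the config parses; mirrors running "lighttpd -tt" first.
# Not called here so the block runs without lighttpd installed.
safe_restart() {
  find_dup_keys "$1" && /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf \
    && systemctl restart lighttpd
}
```

Run find_dup_keys over each file in /etc/lighttpd/conf-enabled before restarting; the sed workaround from the thread clears the only duplicate in the sample.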

That workaround solved my problem. Thanx to Jappe & Joulinar for their help! :+1:

2 Likes

I merged a live patch to fix it within the dietpi-letsencrypt script: Live patch 0 | Fix DietPi-LetsEncrypt SSL config for Lighttpd by MichaIng · Pull Request #6522 · MichaIng/DietPi · GitHub