OUTDATED: This tutorial is outdated. Lighttpd is now natively supported by DietPi-LetsEncrypt, no manual adjustments are needed anymore. Nevertheless many thanks aar0nism for writing this, which helped users much until now.
Edit by: MichaIng
DISCLAIMER: Almost all of this is just copied from other websites and I am just compiling the needed steps for this particular setup.
This also works if you are just using lighttpd and not owncloud: do only the steps for lighttpd and Let's Encrypt. I just happened to want to use it with owncloud.
This also works to set up TLS on lighttpd without Let's Encrypt: follow the same steps for lighttpd and point at the cert files you get from your CA.
This tutorial assumes you already installed owncloud (or just lighttpd) through the dietpi-software installer script (if you have not, you can run it now and install it).
Pre-Reqs
If you are using a home router like most people, you will need to google how to forward ports on your router. You will need to forward TCP ports 80 and 443 to the machine running lighttpd (port 80 is also what Let's Encrypt uses to validate your domain via the webroot plugin below).
https://encrypted.google.com/search?hl=en&q=how%20to%20forward%20ports%20on%20<insert%20router%20model>
LetsEncrypt
Since dietpi-letsencrypt only supports Apache, it will not work for our purposes as of the time of writing this. You will need to get the standalone client from the certbot website as below:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
“certbot-auto accepts the same flags as certbot”
You will need to run this using the webroot plugin since you are using lighttpd.
Run this command to generate the cert:
./path/to/certbot-auto certonly --webroot -w /var/www/example -d www.example.com
Replace /var/www/example with the document root of lighttpd (the directory it serves, so the ACME challenge file is reachable over plain HTTP). Replace www.example.com with your domain. NOTE: You can specify multiple -w and -d.
Now that the cert is generated we need to combine the key and the cert, because lighttpd's ssl.pemfile expects both in one file.
cd /etc/letsencrypt/live/www.example.com/
cat privkey.pem cert.pem > combined.pem
lighttpd
Next we need to tell lighttpd where to find the cert and enable TLS.
touch /etc/lighttpd/conf-enabled/letsencrypt.conf
nano /etc/lighttpd/conf-enabled/letsencrypt.conf
Paste the following in the above file:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # private key + leaf certificate, as combined above
    ssl.pemfile = "/etc/letsencrypt/live/www.example.com/combined.pem"
    # intermediate chain sent to clients
    ssl.ca-file = "/etc/letsencrypt/live/www.example.com/fullchain.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
    # leave only TLS enabled
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
This also disables SSLv2 and SSLv3 so only TLS is offered, and you can set whatever cipher list you want.
Next reload the lighttpd config.
/etc/init.d/lighttpd force-reload
Automate renewal of Cert
If you do not have a cron/systemd script to renew the certificate, it will expire in 90 days. We don't want this to happen, since an expired cert renders our owncloud unusable over https.
I am just using an example script I found on one of my sources at the bottom; I am sure there are a bunch of examples on the net.
First test if auto renewal will work:
./path/to/certbot-auto renew --dry-run
If this works then you should be OK to set up a script.
touch /etc/cron.weekly/letsencrypt
chmod +x /etc/cron.weekly/letsencrypt
nano /etc/cron.weekly/letsencrypt
Paste the following into the file:
#!/bin/sh
# Stop at the first failing command, so a failed renewal never overwrites
# a working combined.pem or reloads lighttpd with a half-written file
set -e
# Renew cert
# put the path to certbot-auto here
#letsencrypt renew
/path/to/certbot-auto renew
# Rebuild the combined key + cert file that lighttpd reads
cd /etc/letsencrypt/live/www.example.com/
cat privkey.pem cert.pem > combined.pem
# Reload
/etc/init.d/lighttpd force-reload
This sets the script to run on a weekly basis. I believe Let's Encrypt suggests it to run twice a day, so that is completely possible by a custom cron job, or you can do once a day by changing weekly to daily.
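A more defensive version of the rebuild-and-reload step above, as an added example (not code from the original post, DietPi or certbot): the combined file contains the private key, so it is written with mode 0600 and replaced atomically, and lighttpd is only reloaded if its config still parses. It assumes the /etc/letsencrypt/live/<domain> layout used above, Debian's /etc/lighttpd/lighttpd.conf as the main config, and the RENEWED_LINEAGE variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: rebuild lighttpd's combined key+cert file and reload safely.
# Run as "certbot-auto renew --deploy-hook '/path/to/this run'" or from the
# weekly cron job. Paths are assumptions, adjust them to your setup.
set -eu

# certbot sets RENEWED_LINEAGE for deploy hooks; fall back to the fixed path
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/www.example.com}"

# Concatenate privkey.pem and cert.pem from $1 into $2. The result holds the
# private key, so it is written with mode 0600 and moved into place only after
# both inputs were checked, leaving any previous combined.pem untouched on error.
build_combined() {
    dir="$1"; out="$2"
    for f in privkey.pem cert.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/privkey.pem" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" || return 1
    tmp="$out.tmp.$$"
    ( umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
}

# Permission string of a file (e.g. -rw-------), portable across ls versions.
perm_of() { ls -l "$1" | cut -c1-10; }

# Reload only if the configuration still parses (lighttpd -t), so a bad edit
# in conf-enabled/ never takes the site down during an unattended renewal.
reload_lighttpd() {
    lighttpd -t -f /etc/lighttpd/lighttpd.conf && /etc/init.d/lighttpd force-reload
}

# Entry point; the argument guard lets the functions be sourced for testing.
if [ "${1:-}" = "run" ]; then
    build_combined "$LIVE_DIR" "$LIVE_DIR/combined.pem"
    reload_lighttpd
fi
```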
Setup HTTP to HTTPS Redirect
Now that we have TLS set up, we should redirect all requests on port 80 to 443 so that we force the use of https.
This can be accomplished with a simple file you put into /etc/lighttpd/conf-enabled.
nano /etc/lighttpd/conf-enabled/redirect.conf
Paste this into the file:
$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block around the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
Next reload the lighttpd config for the change to take effect, then test by going to http://www.example.com and checking that it redirects to https://www.example.com
/etc/init.d/lighttpd force-reload
OwnCloud
If you are not using OwnCloud you can skip this step.
If you are the admin on the owncloud server you can usually just go to the owncloud directory on your server (http://example.com/owncloud) and it will ask if you want to add your new domain as a trusted domain, and in a perfect world you can click the button to add it.
If this doesn't work you can do it the manual way like so (replace the path to the owncloud directory with yours):
nano /var/www/owncloud/config/config.php
Find the trusted_domains parameter and add 'www.example.com' to the list, and don't forget the comma.
'trusted_domains' =>
array (
    0 => '127.0.0.1',
    1 => 'www.example.com',
),
That should be it. If you have any suggestions or find any typos let me know.
Sources (I am not affiliated with any sites listed):
https://blog.dantup.com/2016/03/installing-lighttpd-php7-and-letsencrypt-on-raspberry-pi-raspbian-jessie-lite/
https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL
https://certbot.eff.org/#pip-other
https://certbot.eff.org/#debianjessie-other
https://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps