[OUTDATED!!][Tutorial]Setup LetsEncrypt/SSL on lighttpd and OwnCloud

OUTDATED: This tutorial is outdated. Lighttpd is now natively supported by DietPi-LetsEncrypt, so no manual adjustments are needed anymore. Nevertheless, many thanks to aar0nism for writing this, which has helped many users until now :slight_smile:.
Edit by: MichaIng

DISCLAIMER: Almost all of this is copied from other websites; I am just compiling the steps needed for this particular setup.

This also works if you are only using lighttpd and not ownCloud: just do the lighttpd and Let's Encrypt steps and skip the ownCloud section. I just happened to want to use it with ownCloud.
It will likewise set up TLS on lighttpd without Let's Encrypt: follow the same lighttpd steps and point ssl.pemfile at the key and certificate files you get from your CA (they still have to be combined into one PEM file, as shown below, because lighttpd reads key and certificate from a single file).

This tutorial assumes you already installed ownCloud (or just lighttpd) through the dietpi-software installer script (if you have not, run it now and install it).

If you are behind a home router, as most people are, you will need to look up how to forward ports on your router: forward ports 80 and 443 to the machine running lighttpd. Port 80 must stay reachable from the Internet, because the Let's Encrypt HTTP-01 challenge used below is delivered over plain HTTP.

At the time of writing, dietpi-letsencrypt only supports Apache, so it will not work for our purposes. You will need the standalone certbot-auto wrapper from the certbot website, as below. (EFF has since deprecated certbot-auto; on a current system install certbot from your distribution's packages or from snap instead. The certbot flags used below are the same.)

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

“certbot-auto accepts the same flags as certbot”

Certbot has no lighttpd plugin, so run it with the webroot plugin: certbot writes the challenge file under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over port 80, which lighttpd already serves from its document root.
Run this command to generate the cert:

/path/to/certbot-auto certonly --webroot -w /var/www/example -d www.example.com

Replace /var/www/example with the document root of lighttpd (/var/www on DietPi) and www.example.com with your domain. NOTE: You can specify multiple -w and -d; each -d uses the -w that precedes it.

Now that the cert is generated we need to combine the key and the cert into one PEM file, because lighttpd's ssl.pemfile expects both in a single file. The combined file contains the private key, so make it readable by root only (lighttpd reads it as root at startup, before dropping privileges, so this costs nothing):

cd /etc/letsencrypt/live/www.example.com/
cat privkey.pem cert.pem > combined.pem
chmod 600 combined.pem

Next we need to tell lighttpd where to find the cert and enable TLS.

touch /etc/lighttpd/conf-enabled/letsencrypt.conf
nano /etc/lighttpd/conf-enabled/letsencrypt.conf

Paste the following in the above file:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # key + leaf certificate in one file (see the combine step above)
        ssl.pemfile = "/etc/letsencrypt/live/www.example.com/combined.pem"
        # intermediate chain sent to clients
        ssl.ca-file =  "/etc/letsencrypt/live/www.example.com/fullchain.pem"
        # NOTE: "!AESGCM" removes every AES-GCM (AEAD) suite and leaves only CBC suites;
        # drop it unless you have a specific reason to keep it
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
}

This also disables SSLv2 and SSLv3, leaving only TLS, and you can set whatever cipher list you want. Be aware that the list above excludes AES-GCM; a list that keeps the AEAD suites (and drops the old CBC/SHA ones) is the better choice unless you must support very old clients.

Next reload the lighttpd config. A typo in the file above will stop lighttpd from starting, so test the configuration first (lighttpd has a -t option for this) before reloading:

/etc/init.d/lighttpd force-reload

Automate renewal of the cert
Let's Encrypt certificates are valid for 90 days. If you do not have a cron job or systemd timer that renews the certificate, it will expire, which we do not want, since it renders our ownCloud unusable over https.
I am just using an example script I found in one of my sources at the bottom; I am sure there are a bunch of examples on the net.
First test whether auto-renewal will work:

/path/to/certbot-auto renew --dry-run

If this works then you should be OK to setup a script.

touch /etc/cron.weekly/letsencrypt
chmod +x /etc/cron.weekly/letsencrypt
nano /etc/cron.weekly/letsencrypt

Paste the following into the file:

#!/bin/sh
set -e

# Renew cert (put the full path to certbot-auto here; it is not in $PATH)
/path/to/certbot-auto renew

# Rebuild the combined key+cert file that lighttpd reads, root-readable only
cd /etc/letsencrypt/live/www.example.com/
cat privkey.pem cert.pem > combined.pem
chmod 600 combined.pem

# Reload lighttpd so it picks up the new cert
/etc/init.d/lighttpd force-reload

This runs the script weekly. I believe Let's Encrypt suggests running it twice a day; that is possible with a custom cron job, or you can run it once a day by changing weekly to daily. Running renew often is cheap: it only replaces certificates that are within 30 days of expiry and exits otherwise. Note that the script above rebuilds combined.pem and reloads lighttpd on every run, whether or not anything was renewed; newer certbot versions provide a --deploy-hook option that runs a script only after a successful renewal, which is the cleaner place for the rebuild and reload.
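
As an added example (not part of the original post and not DietPi's own code), here is what such a deploy hook can look like; it covers both the "combine the key and the cert" step above and the renewal step. certbot runs the hook only after a successful renewal and exports RENEWED_LINEAGE with the lineage directory (e.g. /etc/letsencrypt/live/www.example.com). The hook path, the placeholder PEM contents and the temporary demo directory are assumptions made for the example; when run outside certbot it demonstrates itself on constructed files and never touches lighttpd.

```sh
#!/bin/sh
# Added example: certbot deploy hook for lighttpd (not from the original post).
# Run as: /path/to/certbot-auto renew --deploy-hook /usr/local/sbin/lighttpd-deploy-hook
# certbot runs it only after a successful renewal and exports RENEWED_LINEAGE,
# e.g. /etc/letsencrypt/live/www.example.com (the hook path above is an assumption).
set -eu

# Rebuild combined.pem (private key, then leaf cert) inside one lineage directory.
# The file is created with mode 0600 from the start (umask in a subshell) and
# moved into place atomically, so lighttpd never reads a half-written file and
# the key is never world-readable, not even briefly. Prints the path written.
build_combined_pem() {
    lineage="$1"
    tmp="$lineage/.combined.pem.tmp"
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/cert.pem" > "$tmp" )
    mv -f "$tmp" "$lineage/combined.pem"
    printf '%s\n' "$lineage/combined.pem"
}

# Refuse to reload lighttpd with a broken file: it must hold exactly one private
# key block and at least one certificate block.
combined_pem_ok() {
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Test the whole lighttpd config before reloading, so a bad edit elsewhere does
# not turn a certificate renewal into an outage.
reload_lighttpd() {
    lighttpd -t -f /etc/lighttpd/lighttpd.conf > /dev/null
    /etc/init.d/lighttpd force-reload
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combined=$(build_combined_pem "$RENEWED_LINEAGE")
    combined_pem_ok "$combined"
    reload_lighttpd
else
    # Outside certbot: demonstrate on constructed placeholder PEM blocks (not a
    # real key or certificate) in a temporary directory, without touching lighttpd.
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-key-bytes' '-----END PRIVATE KEY-----' > "$demo/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-cert-bytes' '-----END CERTIFICATE-----' > "$demo/cert.pem"
    combined=$(build_combined_pem "$demo")
    combined_pem_ok "$combined" && echo "ok: wrote $combined with root-only permissions"
    rm -rf "$demo"
fi
```

With this in place the cron script above shrinks to a single certbot renew call, and the rebuild and reload happen only for the lineage that actually changed.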

Set up HTTP to HTTPS redirect
Now that TLS is set up, redirect every request on port 80 to 443 so that https is enforced. Certbot's webroot renewal keeps working through the redirect, because Let's Encrypt follows redirects to https during HTTP-01 validation.
This can be accomplished with a simple file you put into /etc/lighttpd/conf-enabled.

nano /etc/lighttpd/conf-enabled/redirect.conf

Paste this into the file:

$HTTP["scheme"] == "http" {
    # capture vhost name with regex condition -> %0 in redirect pattern
    # must be the innermost block around the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Next reload the lighttpd config for the change to take effect, then test by opening http://www.example.com and checking that it lands on https://www.example.com. The redirect should keep the host and path and use a permanent (301) status, which is lighttpd's default for url.redirect.

/etc/init.d/lighttpd force-reload
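
As an added check (example code, not from the original post), the following shell function verifies the redirect from a captured HTTP reply: it insists on a permanent redirect whose Location keeps the original host and path, so a rule that sends users to the wrong vhost, drops the path, or uses a temporary status is caught. The host name, path and the sample reply are constructed for the demo; feed it real headers with curl -sI as in the usage comment.

```sh
#!/bin/sh
# Added example (not from the original post): verify an HTTP -> HTTPS redirect.
# Usage with a live server:  curl -sI "http://$host$path" | check_https_redirect "$host" "$path"
set -eu

# Reads raw response headers on stdin. Succeeds only if the status is a redirect
# and the Location is exactly https://<host><path>; warns on temporary redirects.
check_https_redirect() {
    host="$1"
    path="${2:-/}"
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | cut -d' ' -f2)
    location=$(printf '%s\n' "$headers" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        301|308) ;;
        302|307) echo "warning: temporary redirect ($status); use 301 so browsers remember it" ;;
        *) echo "fail: expected a redirect, got status '$status'"; return 1 ;;
    esac
    if [ "$location" != "https://$host$path" ]; then
        echo "fail: Location is '$location', expected 'https://$host$path'"
        return 1
    fi
    echo "ok: $status -> $location"
}

# Constructed sample reply (not captured from a real server), shaped like what
# lighttpd's url.redirect rule above sends for http://www.example.com/owncloud/
printf '%s\n' \
    'HTTP/1.1 301 Moved Permanently' \
    'Location: https://www.example.com/owncloud/' \
    'Content-Length: 0' \
    | check_https_redirect www.example.com /owncloud/
```

The exact-match on Location is deliberate: "https://%0$0" must reproduce the requested host and URI, and a redirect that lands on a different host or at "/" is the usual sign of a regex or vhost mistake.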

If you are not using ownCloud you can skip this step.
ownCloud only answers requests whose Host header is listed in trusted_domains (its defence against host-header poisoning of generated links), so the new domain has to be added. If you are the admin on the ownCloud server you can usually just open the ownCloud directory on your server (http://example.com/owncloud); it will ask whether to add the new domain as a trusted domain and, in a perfect world, you can click the button to add it.
If this does not work, do it manually like so (replace the path to the ownCloud directory with yours):

nano /var/www/owncloud/config/config.php

Find the trusted_domains parameter and add 'www.example.com' to the list; don't forget the comma after the previous entry.

'trusted_domains' =>
  array (
    0 => '',
    1 => 'www.example.com',
  ),

That should be it. If you have any suggestions or find any typos, let me know.

Sources(I am not affiliated with any sites listed):

Great post, thanks for sharing.

I’ll have to revisit Letsencrypt and lighttpd using your guide. Hopefully we can remove that apache2 lock :slight_smile: https://github.com/Fourdee/DietPi/issues/479

Thanks Fourdee, I hope it helps someone.

I have updated the post to include a simple redirect from http(80) to https(443).

Great post - I am using the http → https section - wish I’d known this earlier.

Lighttpd support for letsencrypt, based on aar0nism's excellent post, is now in the testing stage.

It works for me, but could do with additional testing from our users:

Hi expert,
Is there a tutorial for setting up LetsEncrypt/SSL and NextCloud/WordPress/Webmin on the same Nginx?

I wish it could support these services, as below, on the same nginx server.

https://mydomain:10000 <==webmin or https://mydomain/webmin


Finally time to renew. I fixed the update script in case anyone who used this needs it. I forgot to specify the full path to certbot-auto, since it is not installed to a bin folder or in the PATH. Although the command works great when firewall and NAT rules are set up :slight_smile: