self-signed certificate

Yes, the files are not present by default; they are generated by dietpi-letsencrypt. That’s why I posted both files and their content.

I don’t think the software is really there for DNSSEC or DoT to run on most DNS clients.

Modern web browsers allow you to configure DoT and/or DoH inside their own settings (independent of the client).

Thanks for the input, but I cannot get it to work. I think I understand my scenario a bit better now.
So now the major problem, as I see it, is that because I got lost running certbot, I have reached the limit of certificates. So correct me if I am wrong: now at least I must have at least one valid one for my domain. But every time I run dietpi-launcher, then dietpi-DDNS, then dietpi-letsencrypt and certbot, it tries to download a brand new certificate, but for some reason it is not applied. Then I saw in the debug log that it has created several copies of my domain like “domain-001.cert” and “domain-002.cert” beside “domain.cert”. I have removed all and tried again, but since I reached my limit, no success.
My question is the following. Since a certificate has been issued for my domain, what is the way to download this and apply it for my DietPi Nextcloud?

My question is the following. Since a certificate has been issued for my domain, what is the way to download this

Probably a misunderstanding. Certificates are not stored centrally. They are generated directly on your system at runtime. If you delete them, they are gone.

If you have issues creating certificates, you would need to check the log to see why this failed.
If certificates are created successfully but HTTPS is still not working, the web server log/config needs to be checked.

In general it’s better to move certificates into another folder to have them safely stored before removing them completely.

Thanks, I understand. The situation was created right at the time when DietPi needed to be updated and I forgot to renew the invalid certificate. Probably that is what messed up my system. My question may not have been clear: I have found those certificates on my system, but for some reason they were not automatically applied. In case this happens again, what is the way to apply the valid certificate that can anyway be found on my system and let certbot use it?
Actually, what I did now is that in noip I changed the domain name and ran certbot again. Now it works. Changing the domain was not an issue since I am the only one using it.

Usually certificates are updated automatically by certbot.

If you need to change certificates manually, you can adjust the HTTPS config located in /etc/lighttpd/conf-available

Thanks for all the input!

Could somebody please elaborate how to make a self-signed SSL certificate? If I use this example, what changes do I have to make to create a self-signed certificate for DietPi-installed Plex, AdGuard Home & Home Assistant?

# Directory and combined key+certificate file that lighttpd will read (example hostname)
pnCert=/etc/lighttpd/ssl/pihole.example.com
fnCert=$pnCert/combined.pem

mkdir -p "$pnCert"
# RSA-4096 key plus self-signed certificate, valid 365 days, written into one file
# (openssl appends the certificate when -keyout and -out name the same file).
# -nodes leaves the key unencrypted; replace "myDeets" with a real subject such as "/CN=pihole.example.com"
openssl req -new -x509 -newkey rsa:4096 -keyout "$fnCert" -out "$fnCert" -days 365 -nodes -subj "myDeets"
# The file contains the private key: owned by the web server user and readable by it only
chown www-data:www-data "$fnCert"
chown -R www-data "$pnCert"
chmod 0600 "$fnCert"

systemctl restart lighttpd.service

I mostly understand all the commands; only the lighttpd portion is confusing, as I do not know whether it is applicable to me or not.
I have two DietPi machines, resolved by Unbound as nuc.local & rpi.local. I do not want to access the systems externally, so I do not want to open ports 80 and 443 on the router; I need only local LAN access. My DietPi machines have the following software installed:
rpi.local >> homeassistant & bitwarden_RS (default SSL working)
nuc.local >> plex & adguard home.
I want the same bitwarden_RS-type self-signed certificate for Plex, Home Assistant & AdGuard.
Thanks

Plex, AdGuard Home as well as Home Assistant run their own web servers. Therefore you don’t need to take care of any Lighttpd configuration. You simply need to create the certificate. However, I don’t see any benefit of having a self-signed certificate on a local network.
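As an added example of what "simply create the certificate" can look like for the two hosts named above (this is not the script quoted earlier in the thread and not DietPi code): one self-signed certificate whose subjectAltName covers both nuc.local and rpi.local, stored as the key+certificate combined.pem that lighttpd and similar daemons accept, with its file mode locked down, followed by checks that the names are really in the certificate and that key and certificate belong together. It assumes OpenSSL 1.1.1 or later (for `-addext`) and GNU `stat` (Linux); the directory paths and the `--run` switch are choices made here, not from the page.

```shell
#!/bin/sh
# Added example (not the script quoted above and not DietPi code): build one
# self-signed certificate that names both local hosts (nuc.local, rpi.local) via
# subjectAltName, store it as the key+certificate "combined.pem" that lighttpd and
# similar daemons accept, restrict its permissions, and verify what was produced.
# Assumes OpenSSL 1.1.1+ (for -addext) and GNU stat (Linux); paths are assumptions.
set -u

# make_selfsigned DIR CN SANS [BITS]
#   DIR  - directory to create, e.g. /etc/lighttpd/ssl/nuc.local (assumed path)
#   CN   - primary name, e.g. nuc.local
#   SANS - subjectAltName value, e.g. "DNS:nuc.local,DNS:rpi.local"
#   BITS - RSA key size, default 4096
# Writes DIR/combined.pem (private key followed by certificate) and prints its path.
make_selfsigned() {
  dir=$1; cn=$2; sans=$3; bits=${4:-4096}
  mkdir -p "$dir"
  # -nodes leaves the key unencrypted so the daemon can start unattended,
  # which is why the file mode below is 0600. umask 077 keeps the temporary
  # key/cert files private while they exist; the subshell limits umask's scope.
  (
    umask 077
    openssl req -new -x509 -newkey "rsa:$bits" -days 365 -nodes \
      -subj "/CN=$cn" -addext "subjectAltName=$sans" \
      -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/combined.pem"
    rm -f "$dir/key.pem" "$dir/cert.pem"
  )
  chmod 0600 "$dir/combined.pem"
  # Hand the file to the web server account only when that account exists and we are root.
  if [ "$(id -u)" -eq 0 ] && id www-data >/dev/null 2>&1; then
    chown www-data:www-data "$dir/combined.pem"
  fi
  echo "$dir/combined.pem"
}

# cert_has_san FILE NAME: succeed if the certificate in FILE lists DNS:NAME as a SAN.
cert_has_san() {
  name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -E -q "DNS:$name(,|[[:space:]]|\$)"
}

# cert_key_match FILE: succeed if the private key and certificate in FILE belong
# together (their public keys are identical).
cert_key_match() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# file_mode FILE: print the octal permission bits, e.g. 600.
file_mode() {
  stat -c '%a' "$1"
}

# Stand-alone run: sh this_script.sh --run /etc/lighttpd/ssl/nuc.local (assumed path)
if [ "${1:-}" = "--run" ]; then
  pem=$(make_selfsigned "${2:-/tmp/selfsigned}" nuc.local "DNS:nuc.local,DNS:rpi.local")
  if cert_has_san "$pem" rpi.local && cert_key_match "$pem"; then
    echo "ok: $pem mode $(file_mode "$pem")"
  else
    echo "verification failed for $pem" >&2
    exit 1
  fi
fi
```

Each daemon (Plex, AdGuard Home, Home Assistant) is then pointed at combined.pem, or at a copy of it, in its own settings; the file holds an unencrypted private key, so the 0600 mode and the ownership by the account that runs the daemon are the part to get right. Browsers will still warn about the certificate, since no CA they trust has signed it; the SAN entries only make sure the hostname check itself passes once the certificate is trusted.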

Do these instructions still apply?

I had an SD card crap out. While recreating this setup I am having new troubles. Diet-Pi v7.8.2, Raspberry Pi 4 Model B.

When I run lighty-enable-mod dietpi-https then restart lighttpd, lighttpd errors. The https redirect is enabled without error. external.conf and lighttpd.conf are modified, the cert is generated with correct permissions and ownership using the same script I posted earlier in this thread. lighttpd doesn’t error when dietpi-https is disabled, but obviously the webserver redirects to a page that can’t be served.

Here is the systemctl status.

● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2021-12-06 15:02:52 EST; 6s ago
    Process: 49709 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCEPTION)
        CPU: 447ms

Dec 06 15:02:52 diet systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Dec 06 15:02:52 diet systemd[1]: Stopped Lighttpd Daemon.
Dec 06 15:02:52 diet systemd[1]: lighttpd.service: Start request repeated too quickly.
Dec 06 15:02:52 diet systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Dec 06 15:02:52 diet systemd[1]: Failed to start Lighttpd Daemon.

Edit: Note that I removed the ca-file lines in external.conf and 50-dietpi-https.conf because there is no CA for self-signed certs. I don’t think I mentioned that anywhere in this thread, but it is a helpful hint for people reading along.

You can verify the failed configuration as follows:

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
# /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
2021-12-06 15:14:18: plugin.c.195) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so /usr/lib/lighttpd/mod_openssl.so: cannot open shared object file: No such file or directory
2021-12-06 15:14:18: server.c.1238) loading plugins finally failed

It looks like the OpenSSL module for lighttpd is missing.


Edit: upon searching I found this solution that works for me:

# apt install lighttpd-mod-openssl

https://dietpi.com/forum/t/enabling-ssl-for-internal-network/5861/9


Now I get a 400 Bad Request response when going to the /admin webpage in a browser. I’ll poke around the settings more.
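The two failures above (a ca-file line pointing at a file that does not exist, and a module lighttpd cannot dlopen()) both show up before the service is restarted if the config is checked first. The following is an added example, not part of the thread and not DietPi code: it lists the files that `ssl.pemfile` and `ssl.ca-file` lines in conf-enabled point to, reports the missing ones, runs the same `lighttpd -tt` syntax check that the unit's ExecStartPre runs, and maps the dlopen() error quoted above to the package that fixed it. The config directory, the `mod_openssl.so` message format and the `lighttpd-mod-openssl` package name are taken from this thread; the `--run` switch and the assumption that paths contain no whitespace are choices made here.

```shell
#!/bin/sh
# Added example (not part of the thread and not DietPi code): preflight checks for a
# lighttpd HTTPS setup that catch the failures seen above before the unit is restarted:
# a PEM or CA file referenced from conf-enabled that does not exist, and a module that
# lighttpd cannot dlopen(). The dlopen() message format is the one quoted above; the
# config directory and package name are taken from the thread.
set -u

# ssl_files_in DIR: print the path given to each ssl.pemfile / ssl.ca-file line in
# DIR/*.conf, one per line (paths are assumed to contain no whitespace).
ssl_files_in() {
  grep -h -E '^[[:space:]]*ssl\.(pemfile|ca-file)[[:space:]]*=' "$1"/*.conf 2>/dev/null \
    | sed -E 's/^[^"]*"([^"]*)".*$/\1/'
}

# check_ssl_files DIR: succeed if every referenced file exists; print the missing ones.
# A missing ssl.ca-file is exactly what a self-signed setup gets when the ca-file line
# is left in place, so that line is the one to delete (or the file to create) first.
check_ssl_files() {
  rc=0
  for f in $(ssl_files_in "$1"); do
    if [ ! -f "$f" ]; then
      echo "missing: $f"
      rc=1
    fi
  done
  return $rc
}

# module_package_for LINE: given one line of `lighttpd -tt` output, print the Debian
# package that ships the module it failed to dlopen(); fail for any other line.
module_package_for() {
  case "$1" in
    *'dlopen() failed for: '*/mod_openssl.so*) echo lighttpd-mod-openssl ;;
    *) return 1 ;;
  esac
}

# preflight DIR: run the file checks, then the same syntax check systemd runs in
# ExecStartPre, and turn a missing-module error into the apt package to install.
# Skips the -tt step where lighttpd is not installed so the file checks still run anywhere.
preflight() {
  check_ssl_files "$1" || return 1
  command -v lighttpd >/dev/null 2>&1 || { echo "lighttpd not installed; -tt skipped"; return 0; }
  out=$(lighttpd -tt -f /etc/lighttpd/lighttpd.conf 2>&1); rc=$?
  printf '%s\n' "$out" | while IFS= read -r line; do
    pkg=$(module_package_for "$line") && echo "hint: apt install $pkg"
  done
  [ "$rc" -eq 0 ] || { printf '%s\n' "$out"; return "$rc"; }
  echo "config OK"
}

# Stand-alone run against the directory from the thread:
#   sh this_script.sh --run /etc/lighttpd/conf-enabled
if [ "${1:-}" = "--run" ]; then
  preflight "${2:-/etc/lighttpd/conf-enabled}"
fi
```

Running the preflight before `systemctl restart lighttpd` avoids the "Start request repeated too quickly" loop shown in the status output, because the same `-tt` check that ExecStartPre performs is done once, with its output visible, rather than five times by systemd.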

Can you open the default site on the web server without any sub folder?

Yes. It returns the lighttpd placeholder page. I remember in the past this used to have some landing page.

Here is the contents of /etc/lighttpd/conf-enabled.

10-fastcgi.conf
15-fastcgi-php.conf
50-dietpi-https.conf
98-dietpi-https_redirect.conf
99-dietpi-pihole-block_public_admin.conf
99-dietpi-pihole.conf
99-unconfigured.conf

Also, I can confirm pihole is installing and running.

# pihole status
  [✓] DNS service is listening
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

pihole status displays the status of your ad blocker. It has nothing to do with the web GUI served via the web server. The Pi-hole core works totally fine even without a web server :wink:

Can you check the following:

ls -la /var/www/
cat /etc/lighttpd/lighttpd.conf
# ls -la /var/www/
total 132
drwxr-xr-x  3 root root  4096 Nov 30 21:32 .
drwxr-xr-x 12 root root  4096 Nov 30 00:22 ..
lrwxrwxrwx  1 root root    19 Nov 30 21:32 admin -> /var/www/html/admin
-rw-r--r--  1 root root 38294 Nov 30 21:28 apc.php
drwxr-xr-x  4 root root  4096 Nov 30 21:30 html
-rw-r--r--  1 root root  3388 Nov 30 00:24 index.lighttpd.html
-rw-r--r--  1 root root 71038 Nov 30 21:28 opcache.php
-rw-r--r--  1 root root    20 Nov 30 21:28 phpinfo.php
lrwxrwxrwx  1 root root    20 Nov 30 21:32 pihole -> /var/www/html/pihole
# cat /etc/lighttpd/lighttpd.conf
server.modules = (
        "mod_indexfile",
        "mod_setenv",
        "mod_access",
        "mod_alias",
        "mod_redirect",
)

server.document-root = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
        "mod_dirlisting",
        "mod_staticfile",
)

Did I bork lighttpd.conf along the way? I’ll try an uninstall/reinstall of Pi-hole and LLSP.

Did you try using a different browser or clearing the cache/cookies?

I started from scratch and observed the same behavior. It is indeed a cached page. When browsing the page from a private tab I get a page not found error from the browser for both the base page and /admin.

Is the web server working in a standard setup, without the SSL modifications?

Yes. When dietpi-https and dietpi-https_redirect are disabled and external.conf is removed, the /admin interface works as expected.

Edit: The strangest thing. I undid the changes in order to go back to https and everything now works as expected.

Hmm, maybe some typo or config issue in one of the files you adjusted?