I have installed Let's Encrypt through dietpi-software and have successfully renewed the cert many times in the past.
This time, though, after the successful renewal, SSL is failing and I am getting this from lighttpd:
```
systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/lighttpd.service.d
             └─dietpi.conf
     Active: active (running) since Sat 2025-01-11 03:02:05 EET; 14min ago
    Process: 1676 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 1681 (lighttpd)
      Tasks: 1 (limit: 2197)
        CPU: 1.091s
     CGroup: /system.slice/lighttpd.service
             └─1681 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 03:02:05 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
```
I am doing manual renewals because I need to temporarily open ports 80 and 443 to pass the challenges.
HSTS is enabled.
(I am on DietPi v9.9.0 on a RPi 4 Model B (aarch64) with rpi-eeprom kept back #7222 and running just pi-hole and nextcloud with lighttpd)
```
uname -a
Linux pi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
dpkg --print-architecture
arm64
```
This system was originally set up on Bullseye and I did a manual upgrade to Bookworm, so I guess the first cert was set in 2021. Haven’t adjusted any settings ever.
Hmm, the funny thing is that I updated rpi-eeprom and rebooted. I got an OCSP error instead of SSL when I tested opening the pihole website for a moment, but now everything works normally.
Though lighttpd.service is still not happy with my configuration:
```
systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/lighttpd.service.d
             └─dietpi.conf
     Active: active (running) since Sat 2025-01-11 12:19:38 EET; 59min ago
    Process: 616 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 642 (lighttpd)
      Tasks: 1 (limit: 2197)
        CPU: 11.142s
     CGroup: /system.slice/lighttpd.service
             └─642 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 12:19:38 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Jan 11 12:19:39 pi lighttpd[642]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:39 pi lighttpd[642]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
```
Should I delete and reconfigure dietpi-letsencrypt? If yes, how do I delete (clear) it from the system?
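
Added example, not part of the original post: a small triage script that collapses the repeated lighttpd journal lines shown above into one entry per config key, separating "deprecated" notices from "unknown config-key" warnings. The sample input is the first journal excerpt from the post; the function names `triage` and `report` are this example's own.

```python
import re
from collections import Counter

# Journal lines copied from the first status output in the post above.
SAMPLE = """\
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 03:02:05 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated. Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
"""

# journald prefix, then lighttpd's own "timestamp: (source.c.line) message" format
LINE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ lighttpd\[(?P<pid>\d+)\]: '
                  r'[\d-]+ [\d:]+: \((?P<src>[\w.]+)\.(?P<lineno>\d+)\) (?P<msg>.*)$')
RULES = [
    ("deprecated", re.compile(r'^(?P<key>[\w.-]+) is deprecated')),
    ("unknown-key", re.compile(r'^WARNING: unknown config-key: (?P<key>[\w.-]+) \(ignored\)')),
]

def triage(text):
    """Count lighttpd config warnings per (kind, config key)."""
    counts = Counter()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # systemd's own lines and anything not logged by lighttpd
        for kind, rule in RULES:
            hit = rule.match(m["msg"])
            if hit:
                counts[(kind, hit["key"])] += 1
                break
        else:
            counts[("other", m["msg"])] += 1  # unclassified messages stay visible
    return counts

def report(text):
    """One sorted summary line per distinct finding."""
    return sorted(f"{kind}: {key} (x{n})" for (kind, key), n in triage(text).items())

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the excerpt above, nine lighttpd lines reduce to four distinct config keys, logged by both the `ExecStartPre` config check (PID 1676, exit status 0) and the main process (PID 1681).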