SSL failing after successful manual certbot renew

I have installed letsencrypt through dietpi software and successfully renewed the cert many times now in the past.

This time, though, after the successful renew, SSL is failing and I am getting this from lighttpd:

systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/lighttpd.service.d
             └─dietpi.conf
     Active: active (running) since Sat 2025-01-11 03:02:05 EET; 14min ago
    Process: 1676 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 1681 (lighttpd)
      Tasks: 1 (limit: 2197)
        CPU: 1.091s
     CGroup: /system.slice/lighttpd.service
             └─1681 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 03:02:05 pi lighttpd[1676]: 2025-01-11 03:02:05: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 03:02:05 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 03:02:06 pi lighttpd[1681]: 2025-01-11 03:02:05: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.

I am doing manual renews because I need to temporarily open ports 80 and 443 to pass the challenges.
HSTS is enabled.

(I am on DietPi v9.9.0 on an RPi 4 Model B (aarch64) with rpi-eeprom kept back (#7222) and running just Pi-hole and Nextcloud with lighttpd.)

Any help would be greatly appreciated, thank you.

This is not applicable anymore; rpi-eeprom can be installed without issue.

Can you share the following:

cat /etc/lighttpd/conf-enabled/50-dietpi-https.conf

Here it is:

cat /etc/lighttpd/conf-enabled/50-dietpi-https.conf
# Based on: https://ssl-config.mozilla.org/#server=lighttpd
server.modules += ( "mod_openssl" )
# IPv4
$SERVER["socket"] == ":443" {
        protocol = "https://"
        ssl.engine = "enable"

        # pemfile is cert+privkey, ca-file is the intermediate chain in one file
        ssl.pemfile = "/etc/letsencrypt/live/hidingmydomainforforumpost/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/hidingmydomainforforumpost/fullchain.pem"

        # For DH/DHE ciphers, dhparam should be >= 2048-bit
        #ssl.dh-file = "/path/to/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
        ssl.ec-curve = "secp384r1"

        # Environment flag for HTTPS enabled
        setenv.add-environment = ( "HTTPS" => "on" )

        # Intermediate configuration, tweak to your needs
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
}
# IPv6
$SERVER["socket"] == "[::]:443" {
        protocol = "https://"
        ssl.engine = "enable"

        # pemfile is cert+privkey, ca-file is the intermediate chain in one file
        ssl.pemfile = "/etc/letsencrypt/live/hidingmydomainforforumpost/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/hidingmydomainforforumpost/fullchain.pem"

        # For DH/DHE ciphers, dhparam should be >= 2048-bit
        #ssl.dh-file = "/path/to/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
        ssl.ec-curve = "secp384r1"

        # Environment flag for HTTPS enabled
        setenv.add-environment = ( "HTTPS" => "on" )

        # Intermediate configuration, tweak to your needs
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
}

Also, my dietpi-letsencrypt settings have redirect-hsts-ocsp on and the key size at 4096, if it helps.

The ssl.honor-cipher-order = "disable" kinda worries me now that I see it.

Hmm, quite some differences to our current standard.

Did you adjust settings manually? Because some of the changes to our current config are years old.

One example: your config has ssl.ca-file, while we use ssl.privkey now (for 4 years already).
Also, ssl.honor-cipher-order has been removed in DietPi 8.2: Update dietpi-letsencrypt, since the upgrade to bookworm Lighttpd is now … by JappeHallunken · Pull Request #6481 · MichaIng/DietPi · GitHub

Unfortunately the troubleshooting template has not been filled. What Debian version are you running on?

#### Required 
- DietPi version | `cat /boot/dietpi/.version`
- Distro version | `echo $G_DISTRO_NAME $G_RASPBIAN`
- Kernel version | `uname -a`
- Architecture | `dpkg --print-architecture`
cat /boot/dietpi/.version
G_DIETPI_VERSION_CORE=9
G_DIETPI_VERSION_SUB=9
G_DIETPI_VERSION_RC=0
G_GITBRANCH='master'
G_GITOWNER='MichaIng'
G_LIVE_PATCH_STATUS[0]='applied'
G_LIVE_PATCH_STATUS[1]='not applicable'
G_LIVE_PATCH_STATUS[2]='not applicable'
G_LIVE_PATCH_STATUS[3]='not applicable'
echo $G_DISTRO_NAME $G_RASPBIAN
bookworm 0
uname -a
Linux pi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux
dpkg --print-architecture
arm64

This system was originally set up on Bullseye and I did a manual upgrade to Bookworm, so I guess the first cert was set up in 2021. Haven't adjusted any settings ever.
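A small audit script, added here and not part of DietPi or lighttpd, that scans a lighttpd HTTPS config for the directives lighttpd complained about in the systemd status output above (deprecated ssl.cipher-list, unknown ssl.ec-curve / ssl.honor-cipher-order / dir-listing.activate) and for the legacy ssl.ca-file chain layout the maintainer mentioned. The sample config is a shortened copy of the IPv4 block from this thread with a placeholder domain; the hints are assumptions drawn from the logged messages, not DietPi's current file.

```python
import re

# Directive -> (status, hint). Statuses mirror what lighttpd logged in this
# thread; hints are this script's assumptions, not DietPi's official config.
FINDINGS = {
    "ssl.cipher-list": ("deprecated",
        'use ssl.openssl.ssl-conf-cmd ("CipherString" => "...") or lighttpd defaults'),
    "ssl.ec-curve": ("unknown, ignored",
        'remove; if a curve must be pinned, use ssl.openssl.ssl-conf-cmd "Curves"'),
    "ssl.honor-cipher-order": ("unknown, ignored", "remove (dropped by DietPi in 8.2)"),
    "dir-listing.activate": ("unknown, ignored",
        "load mod_dirlisting if directory listings are wanted, otherwise remove"),
    "ssl.ca-file": ("legacy chain layout",
        "put the full chain in ssl.pemfile and the private key in ssl.privkey"),
}

# key = value  or  key += value ; lines starting with $ (conditionals) or } skip.
DIRECTIVE = re.compile(r'^\s*([A-Za-z][\w.-]*)\s*\+?=\s*(.*)$')

def audit_lighttpd_tls(config_text):
    """Return (line_no, directive, status, hint) for each flagged directive."""
    results = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # strip comments, so '#ssl.dh-file' is not flagged
        m = DIRECTIVE.match(line)
        if m and m.group(1) in FINDINGS:
            status, hint = FINDINGS[m.group(1)]
            results.append((n, m.group(1), status, hint))
    return results

# Constructed sample: the thread's IPv4 block, shortened, with a placeholder domain.
SAMPLE = """\
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
        protocol = "https://"
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/example.invalid/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/example.invalid/fullchain.pem"
        #ssl.dh-file = "/path/to/dhparam.pem"
        ssl.ec-curve = "secp384r1"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
        ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
        ssl.honor-cipher-order = "disable"
        ssl.disable-client-renegotiation = "enable"
}
"""

if __name__ == "__main__":
    for n, key, status, hint in audit_lighttpd_tls(SAMPLE):
        print(f"line {n}: {key}: {status}; {hint}")
```

Run it against /etc/lighttpd/conf-enabled/50-dietpi-https.conf to see which lines rerunning dietpi-letsencrypt should replace; an empty result means none of the warned-about keys remain.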

Hmm, the funny thing is that I updated rpi-eeprom and rebooted. I got an OCSP error instead of an SSL one when I tried to open the Pi-hole website for a moment, but now everything works normally.

Though lighttpd.service is still not happy with my configuration:

systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/lighttpd.service.d
             └─dietpi.conf
     Active: active (running) since Sat 2025-01-11 12:19:38 EET; 59min ago
    Process: 616 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 642 (lighttpd)
      Tasks: 1 (limit: 2197)
        CPU: 11.142s
     CGroup: /system.slice/lighttpd.service
             └─642 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.ec-curve (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
Jan 11 12:19:38 pi lighttpd[616]: 2025-01-11 12:19:38: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 12:19:38 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.
Jan 11 12:19:39 pi lighttpd[642]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.
Jan 11 12:19:39 pi lighttpd[642]: 2025-01-11 12:19:38: (mod_openssl.c.2548) ssl.cipher-list is deprecated.  Please prefer lighttpd secure TLS defaults, or use ssl.openssl.ssl-conf-cmd "CipherString" to set custom cipher list.

Should I delete and reconfigure dietpi-letsencrypt? If yes, how do I delete (clear) it from the system?

Did you already try rerunning dietpi-letsencrypt? Usually, it should recreate these files.

Just did, and it auto-updated the key to "ECDSA", and everything seems to be back on track.

The lighttpd service looks better:

systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/lighttpd.service.d
             └─dietpi.conf
     Active: active (running) since Sat 2025-01-11 14:48:42 EET; 7min ago
    Process: 4045 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
   Main PID: 4051 (lighttpd)
      Tasks: 1 (limit: 2197)
        CPU: 2.785s
     CGroup: /system.slice/lighttpd.service
             └─4051 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Jan 11 14:48:41 pi systemd[1]: Starting lighttpd.service - Lighttpd Daemon...
Jan 11 14:48:42 pi lighttpd[4045]: 2025-01-11 14:48:41: (configfile.c.1289) WARNING: unknown config-key: dir-listing.activate (ignored)
Jan 11 14:48:42 pi systemd[1]: Started lighttpd.service - Lighttpd Daemon.

And 50-dietpi-https.conf now has the current config you mentioned.

Thank you very much :heart: