lighttpd won't restart after failed letsencrypt

Having issues with your DietPi installation, or, found a bug? Post it here.
Tassman
Posts: 7
Joined: Sun Feb 18, 2018 4:00 pm

lighttpd won't restart after failed letsencrypt

Post by Tassman »

Hello team,

I am a total newbie to the world of linux and, first of all, I'd like to thank the whole team for making this world accessible to a non-techie like me with your great automations!

I am building an Owncloud server on a Raspberry Pi. I managed to install and run OwnCloud.
Next step, I wanted to install an SSH certificate to force all transports with https and installed and launched dietpi-letsencrypt.

The certbot installation failed, certainly because my ReverseDNS is not active yet; but that is not the point.

Every time the dietpi-letsencrypt script fails, lighttpd refuses to restart.
It looks like the lighttpd.config file is still looking for something in the letsencrypt directory:


SSL: BIO_read_filename('/etc/letsencrypt/live/xxxxxxxx.fr/combined.pem') failed

As I am not totally confident in my abilities to correct the config file myself, I have to go through a complete restore.

Can someone help me with this? Thanks
Tassman
Posts: 7
Joined: Sun Feb 18, 2018 4:00 pm

Re: lighttpd won't restart after failed letsencrypt

Post by Tassman »

OK, I think I found a solution (maybe not the best; let me know).
There is a folder which tells lighttpd which modules to load, and there the letsencrypt and redirect (as I checked the redirect option in dietpi-letsencrypt) modules are still there. I just renamed these files (I think they are just links) with a different extension:

# rename in place: give the full target path so the renamed files stay in
# conf-enabled and are no longer matched by the *.conf include
mv /etc/lighttpd/conf-enabled/letsencrypt.conf /etc/lighttpd/conf-enabled/letsencrypt.conf.old
mv /etc/lighttpd/conf-enabled/redirect.conf /etc/lighttpd/conf-enabled/redirect.conf.old
and restarted the services


dietpi-services restart
Now lighttpd starts again.
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: lighttpd won't restart after failed letsencrypt

Post by MichaIng »

Hi Tassman,

thanks for your report!
Seems that /etc/letsencrypt/live/xxxxxxxx.fr/combined.pem was not created or is not readable by Lighttpd. We made some rework during the last months of dietpi-letsencrypt, but I had not yet a closer look at our Lighttpd implementation. I see I should have, as at least for renewing the certificate, something needs to be done.

/etc/lighttpd/conf-enabled/letsencrypt.conf and /etc/lighttpd/conf-enabled/redirect.conf are created by our script as well, to include the certificate files and redirect http to https. If you remove/rename those files (to a name without .conf at the end), then HTTPS will just be disabled for Lighttpd again, thus also errors in relation to it are gone ;).
Those files should normally be symlinks to conf-available, however we create them directly in conf-enabled (as for me, I would change that behaviour as well, for consistency reasons).

For further investigation:
- Does the combined file exist (this is created by our script manually, as for whatever reason it is still wanted like this by Lighttpd)? ls -l /etc/letsencrypt/live/xxxxxxxx.fr/
- If not, try to create the combined file by yourself: cat privkey.pem cert.pem > combined.pem
- Move the 2 config files in place again, and if the error still occurs, it might be related to permission issues. Can you try to copy combined.pem and fullchain.pem from the letsencrypt directory somewhere into the lighttpd directory, then chown www-data:www-data combined.pem fullchain.pem and adjust the path to those within /etc/lighttpd/conf-enabled/letsencrypt.conf? But this should not be a long-term state, if working, for security reasons.
- I will investigate myself this evening: https://github.com/Fourdee/DietPi/issues/1544

Edit: Okay, permissions are no issue: Even with the whole /etc/letsencrypt 700 root:root, lighttpd can successfully use combined.pem + fullchain.pem. This is good news!
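Worked example, added here and not taken from the DietPi project or from either post above. It scripts the checks from this thread in POSIX shell: rebuilding combined.pem from privkey.pem and cert.pem, listing every ssl.pemfile / ssl.ca-file path in conf-enabled that Lighttpd cannot read (the situation behind the BIO_read_filename error in the first post), and gating a restart on lighttpd's own config test. The shape of letsencrypt.conf is an assumption reconstructed from the thread, the domain directory is a placeholder, and the demo tree at the bottom is constructed with dummy PEM text in place of real key material so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the DietPi project or the posts above).
# Steps: rebuild combined.pem from privkey.pem + cert.pem as the thread
# describes, list every ssl.pemfile / ssl.ca-file path in conf-enabled that
# cannot be read (the cause of "BIO_read_filename(...) failed"), and check the
# Lighttpd config before restarting. The demo tree below is constructed.

# Return 0 when file $1 holds both a PEM private key and a PEM certificate block.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Create $1/combined.pem (key first, then leaf certificate) if it is missing or
# empty. Returns 1 if an input is missing, so no broken file is written.
make_combined() {
    live_dir=$1
    if [ ! -s "$live_dir/privkey.pem" ] || [ ! -s "$live_dir/cert.pem" ]; then
        echo "make_combined: privkey.pem or cert.pem missing in $live_dir" >&2
        return 1
    fi
    if [ ! -s "$live_dir/combined.pem" ]; then
        # subshell umask: the combined file contains the private key
        ( umask 077; cat "$live_dir/privkey.pem" "$live_dir/cert.pem" \
              > "$live_dir/combined.pem" )
    fi
    pem_has_key_and_cert "$live_dir/combined.pem"
}

# Print "<conf file> -> <path>" for every ssl.pemfile / ssl.ca-file value in
# $1/*.conf that is not a readable file. Prints nothing when all are fine.
missing_ssl_files() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        sed -n \
            -e 's/^[[:space:]]*ssl\.pemfile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
            -e 's/^[[:space:]]*ssl\.ca-file[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
            "$f" |
        while IFS= read -r p; do
            [ -r "$p" ] || printf '%s -> %s\n' "$f" "$p"
        done
    done
}

# Gate for a restart: every referenced certificate file is readable and
# lighttpd accepts the config. "-tt" (lighttpd 1.4.42+) also loads the
# modules, so mod_openssl's attempt to open ssl.pemfile is exercised without
# starting the daemon. Paths default to the Debian layout.
ready_to_restart() {
    conf_dir=${1:-/etc/lighttpd/conf-enabled}
    main_conf=${2:-/etc/lighttpd/lighttpd.conf}
    bad=$(missing_ssl_files "$conf_dir")
    if [ -n "$bad" ]; then
        printf 'unreadable certificate paths:\n%s\n' "$bad" >&2
        return 1
    fi
    command -v lighttpd >/dev/null 2>&1 || { echo "lighttpd not installed" >&2; return 1; }
    lighttpd -tt -f "$main_conf"
}

# ---- constructed demo tree (placeholder domain, dummy PEM text) -------------
demo_root=$(mktemp -d)
live="$demo_root/etc/letsencrypt/live/example.invalid"
conf="$demo_root/etc/lighttpd/conf-enabled"
mkdir -p "$live" "$conf"
printf -- '-----BEGIN PRIVATE KEY-----\nconstructed-dummy\n-----END PRIVATE KEY-----\n' \
    > "$live/privkey.pem"
printf -- '-----BEGIN CERTIFICATE-----\nconstructed-dummy\n-----END CERTIFICATE-----\n' \
    > "$live/cert.pem"
# Shape of the file dietpi-letsencrypt writes, as reconstructed from this
# thread (an assumption); the domain directory is a placeholder.
cat > "$conf/letsencrypt.conf" <<EOF
\$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "$live/combined.pem"
    ssl.ca-file = "$live/fullchain.pem"
}
EOF

echo "before: $(missing_ssl_files "$conf" | grep -c pem) unreadable path(s)"
make_combined "$live" && echo "combined.pem built"
# fullchain.pem is deliberately absent from the demo tree, so one path remains
echo "after:  $(missing_ssl_files "$conf" | grep -c pem) unreadable path(s)"
```

Running it on a real box means pointing `make_combined` at /etc/letsencrypt/live/<domain> and calling `ready_to_restart` before `dietpi-services restart`; when the combined file cannot be built because certbot never produced privkey.pem and cert.pem, the script says so instead of leaving Lighttpd with a dangling ssl.pemfile, which is exactly the state the first post ran into.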