[OUTDATED!!][Tutorial]Setup LetsEncrypt/SSL on lighttpd and OwnCloud

aar0nism


Post by aar0nism »

OUTDATED: This tutorial is outdated. Lighttpd is now natively supported by DietPi-LetsEncrypt, no manual adjustments are needed anymore. Nevertheless many thanks @aar0nism for writing this, which helped users much until now :).
Edit by: @MichaIng


DISCLAIMER: Almost all of this is just copied from other websites; I am just compiling the needed steps for this particular setup.

This will work even if you are just using lighttpd and not OwnCloud, by just doing the steps for lighttpd and Let's Encrypt. I just happened to want to use it with OwnCloud.
This will also work to set up SSL on lighttpd even without Let's Encrypt: just follow the same steps for lighttpd and point at the cert files you get from your CA.

This tutorial assumes you have already installed OwnCloud (or just lighttpd) through the dietpi-software installer script (if you have not, you can run it now and install it).

Pre-Reqs
If you are using a home router like most people, you will need to google how to forward ports on your router. You will need to forward ports 80 and 443 to your machine running lighttpd.
https://encrypted.google.com/search?hl= ... 20model%3E


LetsEncrypt
Since dietpi-letsencrypt only supports Apache, it will not work for our purposes as of the time of writing. You will need to get the standalone client from the certbot website as below:

Code:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# certbot-auto accepts the same flags as certbot
# (certbot.eff.org also publishes a detached signature you can verify before running it)

You will need to run this using the webroot plugin since you are using lighttpd.
Run this command to generate the cert:

Code:

/path/to/certbot-auto certonly --webroot -w /var/www/example -d www.example.com
Replace /var/www/example with the root directory of lighttpd. Replace www.example.com with your domain. NOTE: You can specify multiple -w and -d.

Now that the cert is generated we need to combine the key and the cert.

Code:

cd /etc/letsencrypt/live/www.example.com/
# combined.pem now contains the private key as well as the cert, so keep it root-only
cat privkey.pem cert.pem > combined.pem

lighttpd
Next we need to tell lighttpd where to find the cert and enable TLS.

Code:

touch /etc/lighttpd/conf-enabled/letsencrypt.conf
nano /etc/lighttpd/conf-enabled/letsencrypt.conf
Paste the following in the above file:

Code:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # combined.pem = private key + leaf certificate (built above)
        ssl.pemfile = "/etc/letsencrypt/live/www.example.com/combined.pem"
        # CA / intermediate chain file
        ssl.ca-file =  "/etc/letsencrypt/live/www.example.com/fullchain.pem"
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
        # turn off the legacy SSL protocol versions, leaving only TLS
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
}
This will also disable SSL and you can set whatever cipher list you want.

Next reload the lighttpd config.

Code:

/etc/init.d/lighttpd force-reload

Automate renewal of Cert
If you do not have a cron/systemd script to renew the certificate, it will expire in 90 days. If we don't renew, the cert will expire, and we don't want this to happen since it will render our OwnCloud unusable on https.
I am just using an example script I found on one of my sources at the bottom; I am sure there are a bunch of examples on the net.
First test if auto renewal will work:

Code:

/path/to/certbot-auto renew --dry-run
If this works then you should be OK to setup a script.

Code:

touch /etc/cron.weekly/letsencrypt
chmod +x /etc/cron.weekly/letsencrypt
nano /etc/cron.weekly/letsencrypt
Paste the following into the file:

Code:

#!/bin/sh
# Renew cert
# put the path to certbot-auto here
#letsencrypt renew
/path/to/certbot-auto renew

# Rebuild the cert (stop here if the live directory is missing,
# otherwise the cat below would write combined.pem into the wrong directory)
cd /etc/letsencrypt/live/www.example.com/ || exit 1
cat privkey.pem cert.pem > combined.pem

# Reload
/etc/init.d/lighttpd force-reload
This sets the script to run on a weekly basis. I believe Let's Encrypt suggests running it twice a day, which is completely possible with a custom cron job, or you can do once a day by changing weekly to daily.


Setup HTTP to HTTPS Redirect
Now that we have TLS set up, we should redirect all requests on port 80 to 443 so that we force the use of https.
This can be accomplished with a simple file you put into /etc/lighttpd/conf-enabled.

Code:

nano /etc/lighttpd/conf-enabled/redirect.conf
Paste this into the file:

Code:

$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
Next, reload the lighttpd config for the change to take effect, and test by going to http://www.example.com to see if it redirects to https://www.example.com.

Code:

/etc/init.d/lighttpd force-reload

OwnCloud
If you are not using OwnCloud you can skip this step.
If you are the admin on the OwnCloud server, you can usually just go to the OwnCloud directory on your server (http://example.com/owncloud) and it will ask if you want to add your new domain as a trusted domain; in a perfect world you can click the button to add it.
If this doesn't work, you can do it the manual way like so (replace the path to the OwnCloud directory with yours):

Code:

nano /var/www/owncloud/config/config.php
Find the trusted_domains parameter, add 'www.example.com' to the list, and don't forget the comma.

Code:

'trusted_domains' =>
  array (
    0 => '127.0.0.1',
    1 => 'www.example.com',
  ),
That should be it. If you have any suggestions or find any typos let me know.

Sources (I am not affiliated with any sites listed):
https://blog.dantup.com/2016/03/install ... ssie-lite/
https://redmine.lighttpd.net/projects/l ... oSimpleSSL
https://certbot.eff.org/#pip-other
https://certbot.eff.org/#debianjessie-other
https://redmine.lighttpd.net/projects/1 ... ttpToHttps
Last edited by aar0nism on Sun Nov 20, 2016 8:58 pm, edited 2 times in total.
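The renewal script in the post above works, but it leaves three things to chance that a practitioner would want checked: combined.pem holds the private key, so it should never be created with loose permissions or read by lighttpd half-written; the key and cert it glues together should actually belong to each other; and force-reload on a broken config takes the site down. The script below is an added example, not code from the post or from DietPi. It assumes the same paths the tutorial uses (CERTBOT is a placeholder for wherever certbot-auto was downloaded; LIVE_DIR is certbot's live directory for the domain; LIGHTTPD_CONF is the main config) and relies on the openssl command line and lighttpd's own config test (lighttpd -t -f). Because the checks only look at PEM files, it works just as well for the non-Let's Encrypt CA case the post mentions at the top.

```sh
#!/bin/sh
# Added example (not from the original post or DietPi): a safer version of the
# weekly renewal script. Placeholders you must set for your box:
#   CERTBOT       - where certbot-auto was downloaded to (assumed path)
#   LIVE_DIR      - certbot's live directory for your domain
#   LIGHTTPD_CONF - lighttpd's main config, used for the pre-reload test
set -eu
umask 077   # anything this script creates is owner-only by default

CERTBOT=${CERTBOT:-/path/to/certbot-auto}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/www.example.com}
LIGHTTPD_CONF=${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}

# build_combined KEY CERT OUT: write key+cert to OUT with mode 0600, via a
# temp file in the same directory so lighttpd never reads a half-written file.
build_combined() {
    key=$1; cert=$2; out=$3
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing $key or $cert" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$out")/.combined.XXXXXX")
    chmod 0600 "$tmp"          # the file holds the private key
    cat "$key" "$cert" > "$tmp"
    mv -f "$tmp" "$out"        # atomic replace
}

# key_matches_cert KEY CERT: succeed only if the public key inside CERT is the
# one derived from KEY, so lighttpd is never handed a key that does not belong
# to the certificate (e.g. LIVE_DIR pointing at the wrong domain).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CERT N: succeed if CERT is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

renew_and_reload() {
    "$CERTBOT" renew --quiet
    build_combined "$LIVE_DIR/privkey.pem" "$LIVE_DIR/cert.pem" "$LIVE_DIR/combined.pem"
    key_matches_cert "$LIVE_DIR/privkey.pem" "$LIVE_DIR/cert.pem" \
        || { echo "key/cert mismatch in $LIVE_DIR, not reloading" >&2; return 1; }
    cert_valid_for_days "$LIVE_DIR/cert.pem" 7 \
        || echo "warning: cert in $LIVE_DIR expires within 7 days; renewal did not help" >&2
    # Test the config before reloading: a broken config would take the site down.
    lighttpd -t -f "$LIGHTTPD_CONF" >/dev/null \
        || { echo "lighttpd config test failed, not reloading" >&2; return 1; }
    /etc/init.d/lighttpd force-reload
}

# Only run the renewal when certbot-auto is actually present, so that sourcing
# the helpers above on another machine is harmless.
if [ -x "$CERTBOT" ]; then
    renew_and_reload
else
    echo "certbot-auto not found at $CERTBOT; set CERTBOT to its real path" >&2
fi
```

Drop it in as /etc/cron.weekly/letsencrypt (or daily, as the post suggests) with the three placeholders filled in; cron mails whatever reaches stderr, so a mismatch or a failed config test is noticed instead of silently leaving the old cert in place.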
Fourdee
Site Admin
Posts: 2788
Joined: Tue Feb 06, 2007 1:36 pm


Post by Fourdee »

Great post, thanks for sharing.

I'll have to revisit Letsencrypt and lighttpd using your guide. Hopefully we can remove that apache2 lock :) https://github.com/Fourdee/DietPi/issues/479
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal or become a DietPi patron.
aar0nism


Post by aar0nism »

Thanks Fourdee, I hope it helps someone.

I have updated the post to include a simple redirect from http(80) to https(443).
johnvick
Legend
Posts: 693
Joined: Wed Jun 08, 2016 11:53 am
Location: New Zealand


Post by johnvick »

Great post - I am using the http -> https section - wish I'd known this earlier.
Fourdee
Site Admin
Posts: 2788
Joined: Tue Feb 06, 2007 1:36 pm


Post by Fourdee »

Lighttpd support for letsencrypt, based on aar0nism's excellent post is now in testing stage.
https://github.com/Fourdee/DietPi/issue ... -246379508

It works for me, but could do with additional testing from our users:
https://github.com/Fourdee/DietPi/issue ... -246384423
chinicetsai
Posts: 6
Joined: Mon Jul 25, 2016 10:22 am


Post by chinicetsai »

Hi Expert,
Is there a tutorial for setting up LetsEncrypt/SSL and NextCloud/WordPress/Webmin on the same Nginx?

I wish that these services could be supported on the same nginx server, as below:

https://mydomain:10000 <== webmin, or https://mydomain/webmin
https://mydomain/nextcloud/
https://mydomain/wordpress/

Thanks.
aar0nism


Post by aar0nism »

Finally time to renew. I fixed the update script in case anyone who used this needs it. I forgot to specify the full path to certbot-auto, since it is not installed to the bin folder or in the path. Although, the command works great when firewall and NAT rules are set up :-)