{"id":6026,"date":"2024-05-03T07:14:53","date_gmt":"2024-05-03T05:14:53","guid":{"rendered":"https:\/\/shakti.tattva.se\/?p=6026"},"modified":"2024-05-03T16:26:53","modified_gmt":"2024-05-03T14:26:53","slug":"lets-encrypt-renewal-for-lighttpd","status":"publish","type":"post","link":"https:\/\/shakti.tattva.se\/index.php\/lets-encrypt-renewal-for-lighttpd\/","title":{"rendered":"Let&#8217;s Encrypt renewal for Lighttpd"},"content":{"rendered":"<p>From: https:\/\/github.com\/galeone\/letsencrypt-lighttpd<\/p>\n<p dir=\"auto\">This script automates the renewal process for certificates issued by Let&#8217;s Encrypt.<\/p>\n<h1 class=\"heading-element\" dir=\"auto\" tabindex=\"-1\">Setup Let&#8217;s Encrypt on Lighttpd (for the first time)<\/h1>\n<p dir=\"auto\">Long story short, run as root:<\/p>\n<div class=\"highlight highlight-source-shell notranslate\" dir=\"auto\">\n<pre>certbot certonly --manual<\/pre>\n<\/div>\n<p dir=\"auto\">Follow the steps required for every domain (and subdomain), and then for every domain do:<\/p>\n<div class=\"highlight highlight-source-shell notranslate\" dir=\"auto\">\n<pre>cd \/etc\/letsencrypt\/live\/yourdomain\ncat privkey.pem cert.pem &gt; ssl.pem<\/pre>\n<\/div>\n<p dir=\"auto\">My lighttpd configuration follows this convention:<\/p>\n<blockquote>\n<p dir=\"auto\">put every certificate in \/etc\/lighttpd, named domainname.pem, to distinguish them<\/p>\n<\/blockquote>\n<p dir=\"auto\">Every virtual host has its own folder in my home directory.<\/p>\n<p dir=\"auto\">Therefore, for every virtual host (and for every certificate) my lighttpd.conf looks like:<\/p>\n<div class=\"snippet-clipboard-content notranslate\">\n<pre class=\"notranslate\" lang=\"conf\"><code>$SERVER[\"socket\"] == \":443\" {\n    protocol     = \"https:\/\/\"\n    ssl.engine   = \"enable\"\n\n    ssl.ca-file = \"\/etc\/lighttpd\/fullchain.pem\"\n    ssl.pemfile = \"\/etc\/lighttpd\/www.nerdz.eu.pem\"\n\n    setenv.add-environment = (\n        \"HTTPS\" =&gt; \"on\"\n    )\n    setenv.add-response-header = (\n        \"Strict-Transport-Security\" =&gt; \"max-age=15768000;\"\n    )\n    #\n    # Mitigate BEAST attack:\n    #\n    # A stricter base cipher suite. For details see:\n    # http:\/\/blog.ivanristic.com\/2011\/10\/mitigating-the-beast-attack-on-tls.html\n    #\n    ssl.cipher-list = \"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\"\n\n    #\n    # Make the server prefer the order of the server-side cipher suite instead of the client suite.\n    # This is necessary to mitigate the BEAST attack (unless you disable all non-RC4 algorithms).\n    # This option is enabled by default, but only used if ssl.cipher-list is set.\n    #\n    ssl.honor-cipher-order = \"enable\"\n    #\n    # Mitigate CVE-2009-3555 by disabling client-triggered renegotiation.\n    # This is enabled by default.\n    #\n    ssl.disable-client-renegotiation = \"enable\"\n    ssl.ec-curve        = \"secp384r1\"\n    ssl.use-compression = \"disable\"\n    #\n    # Disable SSLv2 because it is insecure\n    ssl.use-sslv2 = \"disable\"\n    #\n    # Disable SSLv3 (can break compatibility with some old browsers)\n    ssl.use-sslv3 = \"disable\"\n}\n<\/code><\/pre>\n<\/div>\n<p dir=\"auto\">Where <code>www.nerdz.eu<\/code> is the domain. There&#8217;s another configuration block for the document root, which differs from the one above only in the line:<\/p>\n<div class=\"snippet-clipboard-content notranslate\">\n<pre class=\"notranslate\" lang=\"conf\"><code>ssl.pemfile = \"\/etc\/lighttpd\/nerdz.eu.pem\"\n<\/code><\/pre>\n<\/div>\n<h1 class=\"heading-element\" dir=\"auto\" tabindex=\"-1\">Monthly renew, using webroot<\/h1>\n<p dir=\"auto\">You have to change the first lines of <code>renew.sh<\/code> according to your configuration.<\/p>\n<p dir=\"auto\">You have to change the path of this script in the <code>letsencrypt-lighttpd.service<\/code> file according to your configuration.<\/p>\n<p dir=\"auto\">After that, you can activate the monthly renewal:<\/p>\n<div class=\"highlight highlight-source-shell notranslate\" dir=\"auto\">\n<pre>cp letsencrypt-lighttpd.* \/etc\/systemd\/system\/\nsystemctl enable letsencrypt-lighttpd.timer<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>From: https:\/\/github.com\/galeone\/letsencrypt-lighttpd This script automates the renewal process for certificates issued by Let&#8217;s Encrypt. 
Setup Let&#8217;s Encrypt on Lighttpd (for the first time) Long story short, run as root: certbot certonly --manual Follow the steps required for every domain (and subdomain) and then for every domain do: cd \/etc\/letsencrypt\/live\/yourdomain cat privkey.pem cert.pem &gt; ssl.pem My&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wprm-recipe-roundup-name":"","wprm-recipe-roundup-description":"","_kad_post_transparent":"default","_kad_post_title":"default","_kad_post_layout":"default","_kad_post_sidebar_id":"","_kad_post_content_style":"default","_kad_post_vertical_padding":"default","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[240],"tags":[],"class_list":["post-6026","post","type-post","status-publish","format-standard","hentry","category-webserver"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/posts\/6026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/comments?post=6026"}],"version-history":[{"count":1,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/posts\/6026\/revisions"}],"predecessor-version":[{"id":6027,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/posts\/6026\/revisions\/6027"}],"wp:attachment":[{"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/media?parent=6026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp
\/v2\/categories?post=6026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shakti.tattva.se\/index.php\/wp-json\/wp\/v2\/tags?post=6026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}