Willkommen bei bytebang » The blog about all and nothing » Renewal of a letsencrypt certificate for lighttpd

Renewal of a letsencrypt certificate for lighttpd

Sep 20 2016

The problem

You have detected that your letsencrypt certificate expired, and now you want to renew it. This article shows how to do this on a machine called "support" which runs on Ubuntu 16.04 and lighttpd as webserver.

The Solution

The solution is simple. Just follow the steps below.

1.) Stop lighttpd

The first thing you have to do is to stop lighttpd (or any other service which binds to your webservers port 80).

gue@support:~$ sudo service lighttpd stop
 * Stopping web server lighttpd                                                                                            [ OK ]

2.) Renew the certificate

This is also an easy one. Just call the correct script, and let letsencrypt do it's magic.

gue@support:~$ ./letsencrypt/letsencrypt-auto renew
Upgrading certbot-auto 0.7.0 to 0.8.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run certbot...
  /home/gue/.local/share/letsencrypt/bin/letsencrypt renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.support.acme.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.support.acme.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.support.acme.com/fullchain.pem (success)

Cool - our certificate was renewed, and the new certificate is available somewhere under the /etc/letsencrypt/live directory. So lets have a look at them:

gue@support:~$ sudo -i
root@support:~# cd /etc/letsencrypt/live/www.support.acme.com
root@support:/etc/letsencrypt/live/www.support.acme.com# ls -l
insgesamt 12
drwxr-xr-x 2 root root 4096 Jul 20 11:16 ./
drwx------ 3 root root 4096 Mär 21 08:35 ../
lrwxrwxrwx 1 root root   47 Jul 20 11:16 cert.pem -> ../../archive/www.support.acme.com/cert2.pem
lrwxrwxrwx 1 root root   48 Jul 20 11:16 chain.pem -> ../../archive/www.support.acme.com/chain2.pem
lrwxrwxrwx 1 root root   52 Jul 20 11:16 fullchain.pem -> ../../archive/www.support.acme.com/fullchain2.pem
lrwxrwxrwx 1 root root   50 Jul 20 11:16 privkey.pem -> ../../archive/www.support.acme.com/privkey2.pem
-rw-r--r-- 1 root root 3526 Apr 12 09:44 ssl.pem
root@support:~#

Jup - here they are. Every file (except the ssl.pem) file has gotten a new timestamp.Whats wrong with the ssl.pem, why wasn't it upgraded ?

3.) Merge the certificate for lighttpd

Well. If you read my article about how to setup a free ssl certificate for lighttpd with letsencrypt then you could probably remember that lighttps needs a special format for it's certificate - which is excatly the one in the ssl.pem. So the key to success is to recreate the ssl.pem file (or whatever you called it in the lighttpd configuration)

root@support:~# cat privkey.pem cert.pem > ssl.pem
root@support:/etc/letsencrypt/live/www.support.acme.com# ls -l ssl.pem
-rw-r--r-- 1 root root 3526 Jul 20 11:20 ssl.pem
root@support:~# exit
Logged off

Be sure to have write access to the directory because otherwise you will not be able to create the ssl.pem file. In my example I ensured write access by logging in as root (via ) but there are other ways to do this.

4.) Restart lighttpd

The last step is to restart the webserver which was turned off in step 1.

gue@support:~$ sudo service lighttpd start
 * Starting web server lighttpd                                                                                            [ OK ]
gue@support:~$

Finally check the webserver logfiles for any overseen errors and if your web browser complains about the new certificate. Usually this works out of the box perfectly.

That's it, have fun !


Get Social


(c) 2017, by bytebang e.U. - Impressum - Datenschutz / Nutzungsbedingungen
-