The Problem

While it is very simple to install letsencrypt certificates on an apache webserver, it might be tricky on a lighttpd server. There are various tutorials on the internet, but I found no step by step tutorial. So here is my attempt to create one.

The Solution

I assume that you know what a webserver is, what it does and why it is a good idea to have SSL secured connections. This tutorial assumes that

you have a server where you have root access via SSH (like a hosted V-server)
it runs the Ubuntu (or another Deian derivate)
you use lighttpd as webserver.

The tutorial assumes that the domain name is "support.contoso.com".

Step 1: Install git

Git is a free and open source distributed version control system, which is usually used by software developers. However - if you want to use lighttpd then you have to install it.

gue@support:~$ sudo apt-get install git
[sudo] password for gue:
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  git-man liberror-perl
Vorgeschlagene Pakete:
  git-daemon-run git-daemon-sysvinit git-doc git-el git-email git-gui gitk
  gitweb git-arch git-bzr git-cvs git-mediawiki git-svn
Die folgenden NEUEN Pakete werden installiert:
  git git-man liberror-perl
0 aktualisiert, 3 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 3.421 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 21,9 MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n]
Holen: 1 http://archive.ubuntu.com/ubuntu/ trusty/main liberror-perl all 0.17-1.1 [21,1 kB]
Holen: 2 http://archive.ubuntu.com/ubuntu/ trusty-updates/main git-man all 1:1.9.1-1ubuntu0.2 [699 kB]
Holen: 3 http://archive.ubuntu.com/ubuntu/ trusty-updates/main git amd64 1:1.9.1-1ubuntu0.2 [2.701 kB]
Es wurden 3.421 kB in 0 s geholt (10,5 MB/s).
Vormals nicht ausgewähltes Paket liberror-perl wird gewählt.
(Lese Datenbank ... 130920 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../liberror-perl_0.17-1.1_all.deb ...
Entpacken von liberror-perl (0.17-1.1) ...
Vormals nicht ausgewähltes Paket git-man wird gewählt.
Vorbereitung zum Entpacken von .../git-man_1%3a1.9.1-1ubuntu0.2_all.deb ...
Entpacken von git-man (1:1.9.1-1ubuntu0.2) ...
Vormals nicht ausgewähltes Paket git wird gewählt.
Vorbereitung zum Entpacken von .../git_1%3a1.9.1-1ubuntu0.2_amd64.deb ...
Entpacken von git (1:1.9.1-1ubuntu0.2) ...
Trigger für man-db (2.6.7.1-1ubuntu1) werden verarbeitet ...
liberror-perl (0.17-1.1) wird eingerichtet ...
git-man (1:1.9.1-1ubuntu0.2) wird eingerichtet ...
git (1:1.9.1-1ubuntu0.2) wird eingerichtet ...

You may ask why this step is important. Letsencrypt is (not necessarily) provided as a package that can be installed by your package manager. Instead of building a package for every OS the developers decided to go with git and to provide the whole program (as sourcecode) via git.

Step 2: Fetch the latest version of letsencrypt

So lets utilize git and fetch the latest and greatest version of it into the home folder:

gue@support:~$ git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
Nach »letsencrypt« wird geklont
remote: Counting objects: 32958, done.
remote: Total 32958 (delta 0), reused 0 (delta 0), pack-reused 32957
Objekte werden empfangen: 100% (32958/32958), 8.65 MiB | 4.64 MiB/s, done.
Unterschiede werden aufgelöst: 100% (23374/23374), done.
Verbundenheit wird überprüft ? Fertig.

OK, now we have the letsencrypt client installed on our machine.

Step 3: Stop the webserver

Letsencrypt needs the port 80 on the machine where the certificate should be employed. This can be seen as a kind of verification that this webserver is really yours. However - if the webserver is running then it will use the port (instead of lentsencrypt) - so we have to stop it.

gue@support:~/letsencrypt$ sudo service lighttpd stop
* Stopping web server lighttpd [ OK ]

Step 4: Generate the certificate

Letsencrypt does all the work for you. You just have to tell it what you want. In our case we want just the certificates to be generated. There are three questions which have to be filled out manually (and which are stripped out of the next listing)

gue@support:~/letsencrypt$ ./letsencrypt-auto certonly
Bootstrapping dependencies for Debian-based OSes...
Ign http://webmin.mirror.somersettechsolutions.co.uk sarge InRelease
Holen: 1 http://security.ubuntu.com trusty-security InRelease [65,9 kB]
OK   http://webmin.mirror.somersettechsolutions.co.uk sarge Release.gpg
OK   http://webmin.mirror.somersettechsolutions.co.uk sarge Release
Ign http://archive.ubuntu.com trusty InRelease
OK   http://webmin.mirror.somersettechsolutions.co.uk sarge/contrib amd64 Packages
Ign http://download.webmin.com sarge InRelease
OK   http://webmin.mirror.somersettechsolutions.co.uk sarge/contrib i386 Packages
Holen: 2 http://archive.ubuntu.com trusty-updates InRelease [65,9 kB]
Holen: 3 http://security.ubuntu.com trusty-security/main Sources [109 kB]
.
.
.
.
.
.
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to webmaster@contoso.com.
- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/support.contoso.com/fullchain.pem. Your
   cert will expire on 2016-06-19. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Yeah - we are done, the certificates are generated. But where ? To investigate this we have to be root. So lets login (via sudo -i) and have a look.

gue@support:~/letsencrypt$ sudo su -
root@support:~# cd /etc/letsencrypt/live/support.contoso.com/
root@support:/etc/letsencrypt/live/support.contoso.com# ls -l
insgesamt 0
lrwxrwxrwx 1 root root 47 Mär 21 08:35 cert.pem -> ../../archive/support.contoso.com/cert1.pem
lrwxrwxrwx 1 root root 48 Mär 21 08:35 chain.pem -> ../../archive/support.contoso.com/chain1.pem
lrwxrwxrwx 1 root root 52 Mär 21 08:35 fullchain.pem -> ../../archive/support.contoso.com/fullchain1.pem
lrwxrwxrwx 1 root root 50 Mär 21 08:35 privkey.pem -> ../../archive/support.contoso.com/privkey1.pem
root@support:/etc/letsencrypt/live/support.contoso.com#

The next step is to combine some of the files into one pem file:

root@support:/etc/letsencrypt/live/support.contoso.com# cat privkey.pem cert.pem > ssl.pem

root@support:/etc/letsencrypt/live/support.contoso.com# ls -l
insgesamt 4
lrwxrwxrwx 1 root root   47 Mär 21 08:35 cert.pem -> ../../archive/support.contoso.com/cert1.pem
lrwxrwxrwx 1 root root   48 Mär 21 08:35 chain.pem -> ../../archive/support.contoso.com/chain1.pem
lrwxrwxrwx 1 root root   52 Mär 21 08:35 fullchain.pem -> ../../archive/support.contoso.com/fullchain1.pem
lrwxrwxrwx 1 root root   50 Mär 21 08:35 privkey.pem -> ../../archive/support.contoso.com/privkey1.pem
-rw-r--r-- 1 root root 3522 Mär 21 08:37 ssl.pem
root@support:/etc/letsencrypt/live/support.contoso.com#

The newly created ssl.pem will be picked up by lighttpd afterwards.

Step 5: Generate a new set of Diffie Hellman parameters

In order to prevent the logjam attack we are generating a new set of primes which are needed for the TLS mechanism:

root@support:/etc/letsencrypt/live/support.contoso.com# cd /etc/ssl/certs
root@support:/etc/ssl/certs# openssl dhparam -out dhparam.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
.+.............................................................................................................
.
.
.................................................+.............................................+...........................................................++*++*
root@support:/etc/ssl/certs#

Step 6: Configure lighttpd to use the certificates and parameters

Lighttpd has multiple files where the configuration is stored. So lets modify the lighttpd configuration to accept the new certificate and the new DH parameters.

The following snippet is incomplete, but in shows the way to go:

$HTTP["host"] == "support.contoso.com" {

       # Configure SSL
       ssl.engine = "enable"
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/support.contoso.com/ssl.pem"
        ssl.ca-file = "/etc/letsencrypt/live/support.contoso.com/fullchain.pem"
        ssl.dh-file = "/etc/ssl/certs/dhparam.pem"

       # support.contoso.com will be redirected to https !
       $HTTP["scheme"] == "http"{
                url.redirect = (".*" => "https://support.contoso.com$0")
       }

       # Other (original) configuration
       # .
       # .

}

It tells the webserver that it should use the previously generated SSL certificate and the Deffie-Hellman parameters. And whenever a user accesses "http://support.contoso.com" he will be redirected to "https://support.contoso.com".

Step 7: Restart the webserver

The final steps are to enable the port 443 on the filrewall (for the https connection) and to restart the webserver.

$sudo ufw allow 443
$sudo service lighttpd start

Thats it.

Free SSL certificate for lighttpd with letsencrypt

Aug 28 2016