With Ubuntu 20.04 it works by installing certbot from snap as follows:
sudo apt update
sudo apt install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone   # binds port 80 itself, so lighttpd must not be running yet
sudo certbot renew --dry-run
The file 10-ssl.conf (in /etc/lighttpd/conf-available/) has to say:
# /usr/share/doc/lighttpd/ssl.txt
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/mydomain.org/fullchain.pem"
ssl.privkey = "/etc/letsencrypt/live/mydomain.org/privkey.pem"
}
$HTTP["scheme"] == "http" {
# This should always be true for insecure incoming connections:
$HTTP["host"] =~ ".*" {
# redirect to https, port 443:
url.redirect = (".*" => "https://%0$0")
}
}
Then enable the ssl config (it symlinks 10-ssl.conf into conf-enabled) using:
sudo /usr/sbin/lighty-enable-mod ssl
You need to stop and start lighttpd and/or force a reload, then check that it is running, as follows:
/etc/init.d/lighttpd stop
/etc/init.d/lighttpd start
/etc/init.d/lighttpd force-reload
ps -ef | grep '[l]ighttpd'   # the [l] stops grep from matching itself
Renewing
I thought that the certificate would auto-renew, but that does not happen. Probably something stupid I have not worked out yet. Here's a manual way to sort it out. Need to stop lighttpd first.
certbot --webroot renew   [struck through on the original page]
/etc/init.d/lighttpd stop
certbot renew
/etc/init.d/lighttpd start
Looks like I need to put this into the crontab file. The following command should try to renew the certificate at midnight every day.
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && /etc/init.d/lighttpd start
0 0 * * * certbot --webroot renew   [struck through on the original page]
3 months later, the above didn't work. The webroot approach, which looked neater because it is supposed to allow the certificate to be renewed without stopping lighty (hence I went for that option), seems not to have worked, so now I am doing it as shown below, which is what I had in the first line above, duh.
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && /etc/init.d/lighttpd start
It needs to go into root's crontab (certbot and the init script both need root). If you edit with sudo crontab -e the new table is installed when you save, and cron itself does not need restarting; if you keep the table in a file called crontab, install it with the first command below and list the installed table with the second:
crontab crontab
crontab -l
The command will run at midnight every day, stop lighttpd and try to renew the certificate; certbot renew only replaces a certificate that is due for renewal (by default within 30 days of expiry, not once it has already expired), so on most nights nothing changes. Then lighttpd is started again with the old or new certificate. That is the plan. Welcome back in 3 months. This is similar to the approach below, but is a tiny bit simpler because we do not need to use cat to make the pemfile. I have no idea what this stuff is doing - evidently I am too much of a cryptographic numpty. However, after a few more months, I can confirm that this does work!!
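As an added example (not from the original page): the cron line above stops lighttpd every night whether or not anything is renewed. certbot records how each certificate was obtained under [renewalparams] in /etc/letsencrypt/renewal/<name>.conf and reuses that authenticator on certbot renew, and the snap package already installs a systemd timer that runs certbot renew twice a day. A common reason a --standalone certificate does not auto-renew is simply that lighttpd is holding port 80 when the timer fires, and adding --webroot to the renew line does not help without a -w directory to write the challenge into. The script below reads the recorded authenticator and runs certbot renew with --pre-hook/--post-hook for standalone (lighttpd is stopped only for the seconds a renewal is actually attempted) or with a --deploy-hook restart for webroot, then checks that the certificate lighttpd serves is the one on disk, because lighttpd reads ssl.pemfile only at startup. mydomain.org and the /etc/letsencrypt paths are the page's placeholders; the function names and the sample renewal conf mentioned in the comments are my assumptions.

```sh
#!/bin/sh
# Added example, not the page's own code: renew a Let's Encrypt certificate
# for lighttpd with certbot hooks instead of a nightly stop/start cron line.
# Assumed layout (the page's placeholder domain): lineage "mydomain.org",
# renewal conf /etc/letsencrypt/renewal/mydomain.org.conf.
set -eu

LINEAGE="${LINEAGE:-mydomain.org}"
RENEWAL_CONF="${RENEWAL_CONF:-/etc/letsencrypt/renewal/$LINEAGE.conf}"
PEMFILE="${PEMFILE:-/etc/letsencrypt/live/$LINEAGE/fullchain.pem}"

# certbot stores the way a certificate was obtained under [renewalparams] in
# the renewal conf (a line such as "authenticator = standalone") and reuses it
# on 'certbot renew'. Print that value; empty output means it was not found.
renewal_authenticator() {
    awk -F'=' '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $1 ~ /^[ \t]*authenticator[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Choose the renew command for the recorded authenticator.
# standalone: certbot binds port 80 itself, so lighttpd must be stopped, but
#   --pre-hook/--post-hook run only when certbot actually attempts a renewal.
# webroot:    lighttpd keeps answering /.well-known/acme-challenge/ from its
#   document root; it only needs a restart afterwards to load the new pemfile.
renew_command() {
    case "$1" in
        standalone)
            echo 'certbot renew --pre-hook "systemctl stop lighttpd" --post-hook "systemctl start lighttpd"' ;;
        webroot)
            echo 'certbot renew --deploy-hook "systemctl restart lighttpd"' ;;
        *)
            echo "unsupported or missing authenticator: '$1'" >&2
            return 1 ;;
    esac
}

# lighttpd reads ssl.pemfile only at startup, so a renewed file on disk with
# no restart still leaves the old certificate on the wire. Compare fingerprints.
served_matches_disk() {
    host="$1"; pemfile="$2"
    on_disk=$(openssl x509 -in "$pemfile" -noout -fingerprint -sha256)
    on_wire=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
              | openssl x509 -noout -fingerprint -sha256)
    [ "$on_disk" = "$on_wire" ]
}

# Only act when run as root on a host that actually has the renewal conf.
if [ "$(id -u)" -eq 0 ] && [ -f "$RENEWAL_CONF" ]; then
    cmd=$(renew_command "$(renewal_authenticator "$RENEWAL_CONF")")
    eval "$cmd"
    if served_matches_disk "$LINEAGE" "$PEMFILE"; then
        echo "lighttpd is serving the certificate in $PEMFILE"
    else
        echo "WARNING: lighttpd is not serving $PEMFILE; restart it" >&2
        exit 1
    fi
fi
```

Run it once by hand as root, or put it in root's crontab in place of the stop/renew/start line; the hooks mean lighttpd is only interrupted on the one night in sixty or so when a renewal actually happens, and the fingerprint check catches the case where the file on disk changed but the running server is still handing out the old certificate.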
With Ubuntu 16.04 (and, as it turned out, 22.04; see below) the snap daemon does not work on OpenVZ (and neither does anything else above), so you need to install certbot from apt as follows:
sudo apt-get install certbot
sudo certbot certonly --webroot -w /var/www/html -d mydomain.org -d www.mydomain.org
# Not actually needed: lighttpd opens the pemfile as root at startup before switching to www-data, and these two commands let the web user read the private key.
chown -R :www-data /etc/letsencrypt
chmod -R g+x /etc/letsencrypt/live
Join the certificate to the end of the private key. Note that sudo cat a b > c does not work as written: only cat runs as root, while the redirect is done by your own shell, which cannot create files in /etc/letsencrypt. Run the whole thing as root, and set umask 077 first so the merged file (which contains the private key) is created root-only rather than with the default 0644:
sudo sh -c 'umask 077; cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem'
(The merge is only required by the old lighttpd on 16.04; newer lighttpd, including the one on 22.04, can take the key separately via ssl.privkey as in the 20.04 config above.)
At this point I think you need to check that the .pem files in /etc/letsencrypt/archive/mydomain.org/ are also chmod'ed to 755 so that they are group executable. The symbolic links are OK, but not the files which the links link to.
Then vi /etc/lighttpd/lighttpd.conf and add the following at the end.
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.ca-file = "/etc/letsencrypt/live/mydomain.org/chain.pem"
ssl.pemfile = "/etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem"
}
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
No other changes to lighttpd are needed, i.e. no need to change the 10-ssl.conf or enable ssl (complete blind alley trying all that). Just restart it:
sudo systemctl restart lighttpd
Looks like after 90 days the certificate has to be regenerated by hand and rejoined, etc.
Current plan is to see if crontab can do this for us as in the previous example. Added the following to the crontab file:
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem && /etc/init.d/lighttpd start
0 0 * * * certbot --webroot renew && cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem   [struck through on the original page]
Every day at midnight it should stop lighttpd, try to renew the certificate (certbot only renews when the certificate is due), concatenate the private key and the current certificate into a fresh merged pemfile, then start lighttpd again. Even when nothing is renewed, the command rebuilds the merged file every night. To get all this in motion, install the crontab as before (cron itself does not need restarting):
crontab crontab
crontab -l
The first crontab line above (stop, renew, cat, start) is tested in the situation where the certificate has expired and does work fine. The webroot variant (the second line, struck through on the original page) doesn't work, so ignore anything to do with that.
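As an added example (not from the original page): the two steps in this section that keep going wrong are building the merged pemfile and its permissions. A cat ... > file in root's crontab creates the merged key with cron's default umask, typically 0644, so the private key ends up world-readable, and the chown :www-data / chmod 755 steps above make it readable by the web user as well, even though lighttpd opens the pemfile as root at startup and needs neither. certbot's own mechanism for this is a deploy hook: any executable in /etc/letsencrypt/renewal-hooks/deploy/ is run after a successful renewal with RENEWED_LINEAGE set to the live directory of the renewed certificate (and RENEWED_DOMAINS to its names), so the merge and the lighttpd restart happen exactly when a new certificate arrives and the cron line shrinks to a plain certbot renew (the apt certbot package also installs its own timer for that). The script below writes the merged file root-only and atomically, refuses a key that does not match the certificate, and restarts lighttpd. The lineage directory and the lighttpd_merged.pem name are the page's placeholders; the hook file name and the function names are my assumptions.

```sh
#!/bin/sh
# Added example, not the page's own code: certbot deploy hook that rebuilds
# the key+certificate pemfile an old lighttpd needs and restarts the server.
# Install as /etc/letsencrypt/renewal-hooks/deploy/lighttpd-merged-pem.sh
# (mode 0755). certbot runs every executable in that directory after a
# successful renewal, with RENEWED_LINEAGE set to the live directory of the
# renewed certificate (e.g. /etc/letsencrypt/live/mydomain.org) and
# RENEWED_DOMAINS to its domain names.
set -eu

# Concatenate private key and leaf certificate into $3, mode 0600.
# umask 077 is set before the file is created, so the key is never even
# briefly world-readable; writing to a temp file and mv'ing it into place
# means lighttpd can never open a half-written pemfile. lighttpd reads the
# file as root at startup, so no group or world access is needed.
merge_pem() {
    k="$1"; c="$2"; o="$3"
    tmp="$o.tmp.$$"
    ( umask 077; cat "$k" "$c" > "$tmp" )
    mv -f "$tmp" "$o"
}

# Refuse to deploy a key that does not belong to the certificate (a mix-up
# between lineages would otherwise only show up as TLS handshake failures).
# Returns false if either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_pub" ] || return 1
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$cert_pub" ]
}

# Hook body: only runs when certbot invokes the script with RENEWED_LINEAGE set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key="$RENEWED_LINEAGE/privkey.pem"
    cert="$RENEWED_LINEAGE/cert.pem"
    merged="$RENEWED_LINEAGE/lighttpd_merged.pem"   # same name the page's config uses
    if ! key_matches_cert "$key" "$cert"; then
        echo "deploy hook: $key does not match $cert, leaving $merged untouched" >&2
        exit 1
    fi
    merge_pem "$key" "$cert" "$merged"
    systemctl restart lighttpd
    echo "deploy hook: rebuilt $merged for ${RENEWED_DOMAINS:-$RENEWED_LINEAGE} and restarted lighttpd"
fi
```

Because the certificate in this section was obtained with --webroot, lighttpd can stay up during the challenge, so with this hook in place the nightly stop/start is no longer needed: certbot renew (from cron or certbot's own timer) does nothing until the certificate is due, and on the night it renews the hook rebuilds lighttpd_merged.pem with mode 0600 and restarts lighttpd once.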
Another good point from the forum is that one should not be using 16.04 for anything that needs to be secure. So I upgraded to 22.04 and found that snap does not work for installing certbot, so I did it the 16.04 way!!
For reference, the forum comments are here.