With Ubuntu 20.04 it works by installing snap as follows:
sudo apt update
sudo apt install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone
sudo certbot renew --dry-run
The file 10-ssl.conf has to say:
# /usr/share/doc/lighttpd/ssl.txt
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/mydomain.org/fullchain.pem"
ssl.privkey = "/etc/letsencrypt/live/mydomain.org/privkey.pem"
}
$HTTP["scheme"] == "http" {
# This should always be true for insecure incoming connections:
$HTTP["host"] =~ ".*" {
# redirect to https, port 443:
url.redirect = (".*" => "https://%0$0")
}
}
Need to enable ssl using:
/usr/sbin/lighty-enable-mod
You need to stop and start lighty and/or force a reload as per the following tricks:
/etc/init.d/lighttpd stop
/etc/init.d/lighttpd start
/etc/init.d/lighttpd force-reload
ps -ef | grep lighttpd
Renewing
I thought that the certificate would auto-renew, but that does not happen. Probably something stupid I have not worked out yet. Here's a manual way to sort it out. Need to stop lighttpd first.
certbot --webroot renew
/etc/init.d/lighttpd stop
certbot renew
/etc/init.d/lighttpd start
Looks like I need to put this into the crontab file. The following command should try to renew the certificate at midnight every day.
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && /etc/init.d/lighttpd start
0 0 * * * certbot --webroot renew
3 months later, the above didn't work. The webroot thing which looked neater because it is supposed to allow the certificate to be renewed without stopping lighty (hence I went for that option) seems to have not worked, so now I am doing it as shown below, which is what I had in the first line above, duh.
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && /etc/init.d/lighttpd start
It needs to be added to the crontab file (e.g. with crontab -e) and crontab then needs to be restarted with:
crontab crontab
crontab -l
The command will run at midnight every day, stop lighty and try to renew the certificate, but it will only be renewed if it has expired. Then lighty is restarted with the old or new certificate. That is the plan. Welcome back in 3 months. This is similar to the approach below, but is a tiny bit simpler because we do not need to use cat to make the pemfile. I have no idea what this stuff is doing - evidently I am too much of a cryptographic numpty.
With Ubuntu 16.04 or 22.04 the snap daemon does not work on OpenVZ (and neither does anything else above), so you need to install certbot as follows:
sudo apt-get install certbot
sudo certbot certonly --webroot -w /var/www/html -d mydomain.org -d www.mydomain.org
chown -R :www-data /etc/letsencrypt
chmod -R g+x /etc/letsencrypt/live
Join the certificate to the end of the private key.
sudo cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem
At this point I think you need to check that the .pem files in /etc/letsencrypt/archive/mydomain.org/ are also chmod'ed to 755 so that they are group executable. The symbolic links are OK, but not the files which the links link to.
Then vi /etc/lighttpd/lighttpd.conf and add the following at the end.
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.ca-file = "/etc/letsencrypt/live/mydomain.org/chain.pem"
ssl.pemfile = "/etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem"
}
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
No other changes to lighttpd are needed, i.e. no need to change the 10-ssl.conf or enable ssl (complete blind alley trying all that). Just restart it:
sudo systemctl restart lighttpd
Looks like after 90 days the certificate has to be regenerated by hand and rejoined, etc.
Current plan is to see if crontab can do this for us as in the previous example. Added the following to the crontab file:
0 0 * * * /etc/init.d/lighttpd stop && certbot renew && cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem && /etc/init.d/lighttpd start
0 0 * * * certbot --webroot renew && cat /etc/letsencrypt/live/mydomain.org/privkey.pem /etc/letsencrypt/live/mydomain.org/cert.pem > /etc/letsencrypt/live/mydomain.org/lighttpd_merged.pem
Every day at midnight it should stop lighttpd, try to renew the certificate (it only renews if needed), copy the private key to make a new merged one and then restart the server daemon (lighttpd). Of course, need to restart crontab:
crontab crontab
crontab -l
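As an added example that is not from the original notes, the cron one-liner above written as a small script: it builds the merged pemfile the same way (privkey.pem then cert.pem), but writes it atomically at mode 0640 root:www-data instead of world-readable, checks that both halves actually landed in it, and restarts lighttpd only when the certificate changed. It assumes certbot renews with the webroot authenticator saved at issue time (so lighttpd stays up, as the forum advice below suggests); the function names and the hypothetical script path are mine, the paths and group are from the notes.

```sh
#!/bin/sh
# Added example (not from the original page): a cron-friendly renewal script for the
# apt/webroot setup, replacing the one-liner "stop && certbot renew && cat ... && start".
# The paths, the merged file name and the www-data group come from the page; the
# function names and the "restart only when the certificate changed" logic are mine.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mydomain.org}"
MERGED="${MERGED:-$LIVE_DIR/lighttpd_merged.pem}"
MERGED_GROUP="${MERGED_GROUP:-www-data}"

# merge_pem KEY CERT OUT: build the file lighttpd's ssl.pemfile expects (private key
# followed by certificate). It is written via a temp file so lighttpd never reads a
# half-written pemfile, and kept at mode 0640 for root:www-data, not world-readable.
merge_pem() {
    key="$1"; cert="$2"; out="$3"
    [ -r "$key" ] && [ -r "$cert" ] || { echo "merge_pem: cannot read $key or $cert" >&2; return 1; }
    tmp="$(mktemp "$(dirname "$out")/.merged.XXXXXX")"
    cat "$key" "$cert" > "$tmp"
    chmod 0640 "$tmp"
    chgrp "$MERGED_GROUP" "$tmp" 2>/dev/null || echo "merge_pem: chgrp $MERGED_GROUP failed" >&2
    mv "$tmp" "$out"
}

# merged_looks_complete OUT: check that the merged file holds both a private key
# block and a certificate block (an empty input file would silently drop one half).
merged_looks_complete() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# merged_is_current OUT CERT: true when OUT is at least as new as CERT, meaning the
# current certificate is already merged and lighttpd does not need a restart.
merged_is_current() {
    [ -e "$1" ] && [ ! "$1" -ot "$2" ]
}

# The live steps run only when invoked as "renew.sh renew", so the functions above
# can be sourced or tested without touching certbot or lighttpd.
if [ "${1:-}" = "renew" ]; then
    certbot renew --quiet                 # renews only when the certificate is due
    if merged_is_current "$MERGED" "$LIVE_DIR/cert.pem"; then
        exit 0                            # nothing was renewed; leave lighttpd alone
    fi
    merge_pem "$LIVE_DIR/privkey.pem" "$LIVE_DIR/cert.pem" "$MERGED"
    merged_looks_complete "$MERGED" || { echo "merged pemfile incomplete" >&2; exit 1; }
    systemctl restart lighttpd            # as on the page; lighttpd reads the pemfile at start
fi
```

Saved as, say, /usr/local/sbin/renew-lighttpd-cert.sh (a hypothetical path), the crontab line becomes `0 0 * * * /usr/local/sbin/renew-lighttpd-cert.sh renew`.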
Full report to follow.
Advice from the lighttpd forum suggests that saying --webroot in the certificate renewal command removes the need to stop lighttpd first. Hence all the old stuff is crossed out above (note that the crossed-out grey stuff may be the only thing that works here, as the new stuff is not tested in the situation where the certificate has expired and there are some webroot options that I have not got on top of yet). Not absolutely sure if any of this will work - we will see in a few months (such is the pace of life here).
Another good point from the forum is that one should not be using 16.04 for anything that needs to be secure. So I upgraded to 22.04 and found that snap does not work for installing certbot so I did it the 16.04 way!!
For reference, the forum comments are here.