Automated Let's Encrypt certificate renewal on Lighttpd



Let's Encrypt is a wonderful initiative providing free short-term certificates to anyone. The EFF kindly provides us with a Certbot, which quickly and easily installs and renews Let's Encrypt certificates. However, it does not support Lighttpd out of the box. Lighttpd wants your private key and domain certificate bundled together in one file, just like it expects the domain certificate and CA certificate in one file. Certbot does not do that. So either you can go script around that, or you can use an alternative - enter GetSSL, a Bash script that not only offers similar functionality, but also sets up your certificates just how Lighttpd likes it.

Setting up GetSSL

GetSSL is a bit less straightforward than Certbot. I will refer you to the GetSSL documentation for the generic setup instructions. Since I set 301 redirects for the www. domain names, I only obtain one certificate for e.g. volatilesystems.org; so I do not set any other domain names (the SANS= configuration setting).

These are the values you need to set for Lighttpd specifically:

  • The bundle that contains both the domain and CA certificate (optional).

    DOMAIN_CHAIN_LOCATION="/etc/lighttpd/ssl/yoursite.com/fullchain.bundle"
    
  • The certificate that bundles both the domain certificate and your private key.

    DOMAIN_KEY_CERT_LOCATION="/etc/lighttpd/ssl/yoursite.com/cert.pem"
    

You can also set the reload command:

RELOAD_CMD=/bin/systemctl restart lighttpd

If your distribution does not use systemd, adapt accordingly. Lighttpd will then be restarted after certificate renewal.

Pointing Lighttpd to the certificates

In Lighttpd's configuration file, you'll add them to your SSL settings as follows. The ca-file setting seems to be optional.

ssl.ca-file                     = "/etc/lighttpd/ssl/yoursite.com/fullchain.bundle"
ssl.pemfile                     = "/etc/lighttpd/ssl/yoursite.com/cert.pem"

Automating renewal

Renewal is as easy as setting a cronjob, e.g. like this:

48 03 * * * /root/scripts/getssl -u -a -q

This will renew all your certificates when necessary, and also update the script itself when an update is available. To spread load on Let's Encrypt servers, it's recommended to set this to a random time.

Further hardening your webserver

With your SSL certificate(s) set up, it might be handy to look a bit further and e.g. limit the ciphers your webserver accepts, set up HSTS, or configure other security settings. If you don't know where to start, this is an excellent tutorial. There are some great websites to test your HTTP response headers - e.g. SecurityHeaders.io, High-Tech Bridge, and the well known SSL Labs. It's highly recommended to run tests on more than one of these sites - some emphasise certain aspects of webserver security, others mostly encryption e.g. The guy behind SecurityHeaders.io also wrote a nice article on setting up HPKP with Let's Encrypt.