March 16, 2014

Lighttpd SSL - HTTPS config and install with CAcert as CA

SSL is a cryptographic protocol that provides secure communications on the Internet for email, the web and other services.


An SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information that is sent to the server using Secure Sockets Layer (SSL) technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

SSL is worth having if you run an e-commerce site or accept credit card payments, and it is a good choice for user login or registration pages as well.

If you want to set up SSL on your website, all you need to have is:

  • Lighttpd webserver with SSL support (in fact, any webserver would do, however this tutorial shows how to configure SSL with Lighttpd, simply because I'm using it on my server)
  • Dedicated IP assigned to your domain
  • SSL certificate from CA (we'll be using free service from www.CAcert.org)
  • Domain name, i.e. the one you're most probably using for your webserver (in our example it will be YOUR_DOMAIN_NAME - remember to modify it to fit your domain name)

Assuming you already have Lighttpd webserver up and running, let's move to creating certificates for our website.

First of all, we need to create a directory for the certificates. Log in as root with

$ sudo su -

or

$ su -

and type in:

mkdir /etc/lighttpd/ssl/ && cd /etc/lighttpd/ssl/

Create an RSA key (private key file):

openssl genrsa -des3 -out YOUR_DOMAIN_NAME.key 3072

You will be asked to

Enter pass phrase for YOUR_DOMAIN_NAME.key:

Choose one you will remember, as you will need it every time you restart your web server. If you don't want to be prompted for it when Lighttpd starts listening on port 443, you can strip the passphrase from the key (the resulting file is stored unencrypted, so keep it readable by root only):

openssl rsa -in YOUR_DOMAIN_NAME.key -out no.pwd.YOUR_DOMAIN_NAME.key

Now, we'll generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA). We will get it free at www.CAcert.org.

openssl req -new -key YOUR_DOMAIN_NAME.key -out YOUR_DOMAIN_NAME.csr

Here you'll need to register an account at CAcert.org to be able to sign your request. Head to CAcert.org registration page to create an account. Once you've set up an account, head to Domains -> New on the right hand side menu. Provide your domain name in the box and click on:

I own or am authorised to control this domain

You will be asked to choose an authority email address for your domain (you might need to create an alias; this can be done at your domain name provider's website), and you will get an email to verify that you own the domain name.

Once you've verified the domain, head to Server Certificates -> New (on right hand side menu again). Copy the contents of your YOUR_DOMAIN_NAME.csr file:

cat YOUR_DOMAIN_NAME.csr
-----BEGIN CERTIFICATE REQUEST-----
MIID0jCCAjoCAQAwgYwxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApMYW5jYXNoaXJl
..........................
Rw563zwv6OL4qy7d20fCgmLGpENqROkTkmNSv4QSLns0KidpmNmckpGwn+rSedbN
nKhpwUcemUsHZ0nBTFg8dF8PWN+SJw==
-----END CERTIFICATE REQUEST-----

and paste your YOUR_DOMAIN_NAME.csr file contents into text field. Accept the CAcert Community Agreement to proceed and Submit.

A few seconds later you will see your Server Certificate on the screen and get an email confirming that it has been generated. It will look like this:

-----BEGIN CERTIFICATE-----
MIIFhTCCA22gAwIBAgIDDqsKMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
.......................
/vU7aZ80jA5sViimpHMO1mBs6OLmCABEbujcs+
J8qoXCcTzX1jugs5nToAzxGvhjPieE9EPw==
-----END CERTIFICATE-----

Save it as YOUR_DOMAIN_NAME.crt.

Now, create a PEM file that bundles the private key with the certificate (use no.pwd.YOUR_DOMAIN_NAME.key instead if you removed the passphrase above), and make sure only root can read it, since it contains the key:

cat YOUR_DOMAIN_NAME.key YOUR_DOMAIN_NAME.crt > YOUR_DOMAIN_NAME.pem
chown root:root /etc/lighttpd/ssl/YOUR_DOMAIN_NAME.pem
chmod 0600 YOUR_DOMAIN_NAME.pem
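Before restarting the server it is worth checking that the three files actually belong together. The following script is an added example, not part of the original post: it confirms that the private key matches the certificate (the classic "wrong .key file" mistake), that the PEM bundle holds both parts, that it is mode 0600, and that the certificate is not about to expire. It needs only the openssl CLI; the make_test_bundle function builds a constructed self-signed trio so the checks can be tried offline, and the file names it uses (test.key, test.crt, test.pem, other.key) are constructed too.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the key / certificate /
# PEM trio before restarting lighttpd. Requires the openssl CLI.

# 0 if the RSA private key and the certificate carry the same modulus, i.e. the
# certificate was really issued for this key.
key_matches_cert() { # $1 = private key, $2 = certificate
  k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the bundle holds both a private key and a certificate, as ssl.pemfile needs.
pem_is_complete() { # $1 = pem bundle
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the bundle is readable by its owner only (mode 0600), since it embeds the key.
pem_is_private() { # $1 = pem bundle
  [ -n "$(find "$1" -maxdepth 0 -perm 0600 2>/dev/null)" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() { # $1 = certificate, $2 = days
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Run every check, print one line per result and return non-zero if any failed.
check_bundle() { # $1 = key, $2 = crt, $3 = pem
  rc=0
  key_matches_cert "$1" "$2"  && echo "ok   key matches certificate" || { echo "FAIL key/cert mismatch"; rc=1; }
  pem_is_complete "$3"        && echo "ok   pem has key and cert"    || { echo "FAIL pem incomplete"; rc=1; }
  pem_is_private "$3"         && echo "ok   pem is mode 0600"        || { echo "FAIL pem not mode 0600"; rc=1; }
  cert_valid_for_days "$2" 14 && echo "ok   cert valid > 14 days"    || { echo "FAIL cert expires soon"; rc=1; }
  return $rc
}

# Constructed test data: a self-signed key/cert/pem trio plus an unrelated key in $1,
# so the checks can be exercised offline. Real deployments use the CAcert-signed .crt.
make_test_bundle() { # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=example.test' \
    -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
  openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
  cat "$1/test.key" "$1/test.crt" > "$1/test.pem" && chmod 0600 "$1/test.pem"
}

# Usage: sh check-bundle.sh YOUR_DOMAIN_NAME.key YOUR_DOMAIN_NAME.crt YOUR_DOMAIN_NAME.pem
if [ "$#" -eq 3 ]; then check_bundle "$1" "$2" "$3"; fi
```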

It's time now to edit Lighttpd config file. Open it with your favourite text editor:

vim /etc/lighttpd/lighttpd.conf

and add these lines:

# SSL Server settings
$SERVER["socket"] == ":443" {
    ssl.engine             = "enable"
    # Bundle of private key + server certificate created above
    ssl.pemfile            = "/etc/lighttpd/ssl/YOUR_DOMAIN_NAME.pem"
    # Chain sent to clients: this should be the CAcert root/class 3 certificate
    # that signed YOUR_DOMAIN_NAME.crt rather than the server certificate itself
    ssl.ca-file            = "/etc/lighttpd/ssl/YOUR_DOMAIN_NAME.crt"
    server.name            = "YOUR_DOMAIN_NAME"
    # Change to the directory holding the files served over HTTPS
    server.document-root   = "/change/to/https/root/dir/"
    ssl.use-sslv2          = "disable"
    ssl.use-sslv3          = "disable"
    ssl.use-compression    = "disable"   # TLS compression enables the CRIME attack
    ssl.honor-cipher-order = "enable"
    # RC4 suites were still common in 2014; RC4 is now prohibited (RFC 7465) and should be dropped
    ssl.cipher-list        = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA"
    server.errorlog        = "/var/log/lighttpd/serror.log"
    # Requires mod_accesslog in server.modules
    accesslog.filename     = "/var/log/lighttpd/saccess.log"
}

Note: change the server.document-root path to the directory containing the files you want served over HTTPS.

Save the file

^[:wq (ESCAPE :wq)

and check the config file syntax in case you made any mistakes:

sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf

You should get

Syntax OK

to confirm there are no errors. Now, we're ready to restart our server:

sudo /etc/init.d/lighttpd restart

If you've decided to add an SSL layer to your main website, as I've done with mine, you can test it by putting https:// in front of your website address in a web browser:

http://blog.onetwentyseven001.com/ - no SSL layer

https://blog.onetwentyseven001.com/ - SSL layer on

You will most probably get a certificate warning, because browsers do not ship the CAcert root certificate; don't worry, import the CAcert root certificate into your browser's trust store (rather than just clicking through the warning) and surf securely!
