lighttpd-1.4.55 with py37-certbot-1.5.0,1 on FreeBSD 12.1
Certbot is a free, open source software tool for automatically using Let's Encrypt certificates to enable HTTPS. It is provided by the EFF, and Certbot is one of the possible ACME clients. We will install it on a FreeBSD OS, with Lighttpd (pron. Lighty).
As the web is full of tutorials for the basic installation of Lighttpd on FreeBSD, we start here after a successful basic installation and will add Certbot and SSL.
Certbot is available in the ports tree, with different flavours but, to date, no specific one for lighttpd. To install it:
$ cd /usr/ports/security/py-certbot
# make install clean
We will use the webroot challenge to prove to Certbot (and to Let's Encrypt) that we own the domain name (mydomain.com) and the server. In this case, certbot will create a file in a subfolder such as https://mydomain.com/.well-known/acme-challenge/QT6z77PcKbgUFL6P8wn5ZxL8MR0e2ABDUQ9VBtupeDQ.
To pass the challenge, Lighttpd must serve folders starting with a dot (ok, that is the default config) and must not lowercase the URL, since the challenge token contains uppercase letters.
Be sure to comment out the following line in your lighttpd.conf (usually found in /usr/local/etc/lighttpd.conf):
in lighttpd.conf
#server.force-lowercase-filenames = "enable"
Either run Certbot non-interactively, giving it the webroot and the domain:
$ certbot certonly --webroot -w /path_to_your_httpdocs_root -d mydomain.com
or run it interactively:
$ certbot certonly
It will launch the interactive menu:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mydomain.com www.mydomain.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
http-01 challenge for www.mydomain.com
Input the webroot for mydomain.com: (Enter 'c' to cancel): /path_to_you_httpdocs_root/
Select the webroot for www.mydomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /path_to_you_httpdocs_root/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
When finished, certificates are usually available in /usr/local/etc/letsencrypt/live/mydomain.com.
Now you need to combine the certificate and the private key in one file, since Lighttpd 1.4 reads both from ssl.pemfile:
$ cat /usr/local/etc/letsencrypt/live/mydomain.com/cert.pem /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem > /usr/local/etc/letsencrypt/live/mydomain.com/web.pem
Here is a basic SSL configuration.
in lighttpd.conf
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/usr/local/etc/letsencrypt/live/mydomain.com/web.pem" # combined certificate + private key
    ssl.ca-file = "/usr/local/etc/letsencrypt/live/mydomain.com/chain.pem" # intermediate CA chain
}
We will see in a next article how to make the SSL configuration working with multiple hosts and with safer parameters.
You can configure Lighttpd to start at boot with (note the quoting, so that the double quotes end up in rc.conf):
# echo 'lighttpd_enable="YES"' >> /etc/rc.conf
Start Lighttpd with :
# service lighttpd start
And do not forget to set up a cron task for your certificate renewal.
You can add (with crontab -e) such a line in your crontab:
crontab
0 0 1,10,20 * * certbot renew && cat /usr/local/etc/letsencrypt/live/mydomain.com/cert.pem /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem > /usr/local/etc/letsencrypt/live/mydomain.com/web.pem
Renewal will be tested 3 times per month.
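The crontab above rebuilds web.pem after every renewal attempt, but Lighttpd keeps serving the certificate it loaded at start-up until it is restarted. The script below is an added example, not part of the original article: it wraps the "combine cert and key" step from above in a function and can be passed to certbot as a deploy hook (certbot renew --deploy-hook /usr/local/etc/letsencrypt/lighttpd-hook.sh), so that the combined file is only rebuilt and Lighttpd only restarted when a certificate actually changed. The hook path is a placeholder; RENEWED_LINEAGE is the variable certbot exports to deploy hooks, pointing at the live/mydomain.com directory of the renewed certificate.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook for
# Lighttpd on FreeBSD. It rebuilds the combined PEM that ssl.pemfile expects
# and restarts Lighttpd so the renewed certificate is actually served.
# Assumed: certbot sets RENEWED_LINEAGE when running --deploy-hook scripts.

# build_combined_pem <live-dir> <output-file>
# Concatenates cert.pem and privkey.pem from <live-dir> into <output-file>.
# The file is written with mode 0600 (it contains the private key) via a
# temporary file, then renamed, so a half-written web.pem is never in place.
build_combined_pem() {
    live_dir="$1"
    out="$2"
    tmp="${out}.tmp.$$"

    # Refuse to run with a missing or unreadable input instead of producing
    # an incomplete file that Lighttpd would reject at start-up.
    [ -r "$live_dir/cert.pem" ] && [ -r "$live_dir/privkey.pem" ] || return 1

    # umask in a subshell so the restrictive mode only applies to this file.
    ( umask 077 && cat "$live_dir/cert.pem" "$live_dir/privkey.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Entry point used by certbot: do nothing when sourced or run by hand
# without RENEWED_LINEAGE, so the functions above can be reused safely.
if [ -n "$RENEWED_LINEAGE" ]; then
    build_combined_pem "$RENEWED_LINEAGE" "$RENEWED_LINEAGE/web.pem" \
        && service lighttpd restart
fi
```

With the hook in place the crontab line can be reduced to plain certbot renew, since the concatenation and the restart happen only on the runs where a certificate was renewed.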
Should you have any comment on this page, get in touch !