Friday, May 18, 2018

Script to add a Let’s Encrypt free certificate to an existing Lighttpd web server

Add Let’s Encrypt Certificates to Lighttpd

I wrote a bash script to help add a let's encrypt SSL certificate to a lighttpd web server via the console. Weirdly, they only provide fully automated support for Apache and Nginx as of now (but anyhow, I like to do it my way).

I highly recommend doing so not only because their certificates are free, but also because they help a lot reducing the usual manual burden to install an SSL certificate on an existing web site.

# Install an SSL certificate to a server, the easy way with Let's
# Note: add "certbot renew" to your crontab so it runs once a day (yes, this is the recommended period!)

if [[ "$1" = "--skip-install" ]]; then

if [[ "$#" != 2 ]]; then
echo "Usage: $(basename $0) [--skip-install] fqdn documentroot"

SRV="$1"      # eg.
DOCROOT="$2"  # eg. /var/www/html

set -x
set -e

if [[ ! "$skipinstall" ]]; then
apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

certbot certonly --webroot -w $DOCROOT -d $SRV

cd /etc/letsencrypt/live/$SRV/
cat privkey.pem cert.pem > ssl.pem

cd /etc/ssl/certs/
openssl dhparam -dsaparam -out dhparam.pem 4096

cd /etc/lighttpd
grep -q -v /lighttpd.ssl.conf lighttpd.conf && echo 'include "lighttpd.ssl.conf"' >> lighttpd.conf

cat << EOF > lighttpd.ssl.conf
# Certificate by generated on $(date)
\$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/$SRV/ssl.pem" =  "/etc/letsencrypt/live/$SRV/fullchain.pem"
ssl.dh-file = "/etc/ssl/certs/dhparam.pem" = "secp384r1"
ssl.honor-cipher-order = "enable"
ssl.use-compression = "disable"
setenv.add-response-header = (
# "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Note above, that you can enable HTST (Strict-Transport-Security), i.e. automatic forced redirection of http links to https.

I did not enable it by default because it is particularly sticky: as soon as the option is there, it tells web browsers to enforce the HTTPS protocol to serve your page content... even when it is specified as HTTP. In some case it may be quite annoying to remove the rule (you probably will have also to purge the history regarding the website, else you may fall in the trap again).

Of course it is meant to be this way: once you go HTTPS, better stay HTTPS: it is much better both for you and for your visitors.