Add Let’s Encrypt Certificates to Lighttpd
I wrote a bash script to help add a Let's Encrypt SSL certificate to a lighttpd web server from the console. Weirdly, they only provide fully automated support for Apache and Nginx as of now (but anyhow, I like to do it my way). I highly recommend doing so, not only because their certificates are free, but also because they remove most of the usual manual burden of installing an SSL certificate on an existing web site.
```bash
#!/bin/bash
# Install an SSL certificate to a server, the easy way with Let's Encrypt.org
# Note: add "certbot renew" to your crontab so it runs once a day (yes, this is the recommended period!)
# Caveat: a renewal refreshes privkey.pem and cert.pem under /etc/letsencrypt/live/<fqdn>/,
# but not the ssl.pem bundle built below, so rebuild it (and reload lighttpd) after each renewal.
skipinstall=
if [[ "$1" = "--skip-install" ]]; then
    skipinstall=y
    shift
fi
if [[ "$#" != 2 ]]; then
    echo "Usage: $(basename "$0") [--skip-install] fqdn documentroot" >&2
    exit 1
fi
SRV="$1"        # eg. my.website.com
DOCROOT="$2"    # eg. /var/www/html
set -x
set -e
if [[ ! "$skipinstall" ]]; then
    apt-get update
    apt-get install -y software-properties-common
    add-apt-repository -y ppa:certbot/certbot
    apt-get update
    apt-get install -y certbot
fi
# Webroot challenge: certbot drops the ACME token under $DOCROOT/.well-known/acme-challenge/
certbot certonly --webroot -w "$DOCROOT" -d "$SRV"
cd "/etc/letsencrypt/live/$SRV/"
# lighttpd wants the private key and the certificate in a single PEM file; keep it root-only
cat privkey.pem cert.pem > ssl.pem
chmod 600 ssl.pem
cd /etc/ssl/certs/
# -dsaparam makes generating 4096-bit DH parameters fast enough to be practical
openssl dhparam -dsaparam -out dhparam.pem 4096
cd /etc/lighttpd
# Append the include only if it is not already there, so the script can be re-run safely
grep -q 'lighttpd.ssl.conf' lighttpd.conf || echo 'include "lighttpd.ssl.conf"' >> lighttpd.conf
cat << EOF > lighttpd.ssl.conf
# Certificate by letsencrypt.org generated on $(date)
\$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/$SRV/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/$SRV/fullchain.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        # "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
EOF
# Check the merged configuration before asking lighttpd to pick it up
lighttpd -tt -f /etc/lighttpd/lighttpd.conf
systemctl reload lighttpd
```
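The script above builds ssl.pem by hand, and nothing in a plain "certbot renew" cron job rebuilds it, so after the first renewal lighttpd would keep serving the old certificate until someone notices. The following deploy hook closes that gap. It is an added example, not part of the original post: the file name lighttpd-pem.sh is hypothetical, it relies on certbot exporting RENEWED_LINEAGE (the /etc/letsencrypt/live/<fqdn> directory) to deploy hooks, and it assumes the service is called lighttpd under systemd or sysvinit.

```shell
#!/bin/sh
# Deploy hook for the lighttpd setup described on this page (added example).
# Install as /etc/letsencrypt/renewal-hooks/deploy/lighttpd-pem.sh (mode 755),
# or pass it explicitly: certbot renew --deploy-hook /path/to/lighttpd-pem.sh
# certbot sets RENEWED_LINEAGE to the live/<fqdn> directory of each renewed
# certificate before running a deploy hook.
set -eu

# Rebuild <lineage>/ssl.pem from privkey.pem + cert.pem, atomically and root-only.
# Prints the path of the written bundle; returns 1 if the inputs look wrong.
build_pemfile() {
    lineage="$1"
    key="$lineage/privkey.pem"
    cert="$lineage/cert.pem"
    out="$lineage/ssl.pem"

    # Refuse to write a half bundle: both inputs must exist and be non-empty.
    for f in "$key" "$cert"; do
        [ -s "$f" ] || { echo "build_pemfile: missing or empty $f" >&2; return 1; }
    done
    # Cheap content check so a swapped or truncated file is caught before lighttpd
    # fails to start: the key file must carry a PEM private key, the other a certificate.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "build_pemfile: $key is not a PEM private key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "build_pemfile: $cert is not a PEM certificate" >&2; return 1; }

    # Write with owner-only permissions into a temp file, then rename into place,
    # so a concurrent reload never reads a partially written bundle.
    tmp="$out.tmp.$$"
    ( umask 077; cat "$key" "$cert" > "$tmp" )
    mv -f "$tmp" "$out"
    echo "$out"
}

# Ask lighttpd to re-read its configuration, which re-opens ssl.pem.
reload_lighttpd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload lighttpd
    else
        service lighttpd reload
    fi
}

# Act only when invoked by certbot; sourcing the file elsewhere just defines the
# functions and leaves the system untouched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pemfile "$RENEWED_LINEAGE" >/dev/null
    reload_lighttpd
fi
```

Deploy hooks run once per renewed certificate and only after a successful renewal, so the reload never happens on the days certbot decides nothing is due yet.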
Note above that you can enable HSTS (Strict-Transport-Security), i.e. browsers are told to always use HTTPS for the site and automatically upgrade http:// links to https:// before connecting.
I did not enable it by default because it is particularly sticky: as soon as the header is there, it tells web browsers to enforce the HTTPS protocol to serve your page content... even when it is specified as HTTP. In some cases it may be quite annoying to remove the rule (you will probably also have to purge the browser history regarding the website, otherwise you may fall into the trap again). The "preload" token in the commented-out line goes one step further: it asks to be included in the browsers' built-in HSTS lists, which changing the header later will not undo.
Of course it is meant to be this way: once you go HTTPS, better stay HTTPS: it is much better both for you and for your visitors.