Set up a place to call home for your certificate:
# mkdir -p /etc/lighttpd/ssl
# cd /etc/lighttpd/ssl
Here's where the magic happens. If you want a certificate that browsers on the internet already trust, you create a certificate signing request and have a CA sign it; for a test box or an intranet host a self-signed cert will do just fine. I made mine good for ~10 years, but 365 days is the usual choice (publicly trusted certs are limited to far shorter lifetimes anyway). The command below writes the private key and the certificate into the same server.pem, which is exactly the single-file layout lighttpd expects. -nodes leaves the key unencrypted: that is what you want here, because lighttpd has to read it at startup with nobody around to type a passphrase, so the file permissions are the only thing protecting it. Without -newkey the key size comes from default_bits in openssl.cnf; pass -newkey rsa:2048 if you want to be explicit.
# openssl req -new -x509 -keyout server.pem -out server.pem -days 3650 -nodes
Protect your SSL cert and directory. That one file holds the private key, so nobody but the server (and root) should be able to read it. Note that the directory gets 0700, not 0600: without the execute bit a directory cannot be traversed, and lighttpd would fail to open the pemfile inside it.
# chown -R lighttpd:lighttpd /etc/lighttpd/ssl
# chmod 0700 /etc/lighttpd/ssl
# chmod 0600 /etc/lighttpd/ssl/server.pem
Leaving the file owned by root with mode 0600 works as well, since lighttpd reads ssl.pemfile while starting up, before it drops privileges to server.username; that way the key is not readable from inside the running web server process at all.
Now edit the lighttpd.conf configuration file to enable SSL. Use the public-facing interface's IP address instead of mine, unless yours happens to be 192.168.1.2 too! Use plain ASCII double quotes (curly quotes from a web page are a syntax error to lighttpd) and don't forget the closing brace:
$SERVER["socket"] == "192.168.1.2:443" {
    server.document-root = "/var/www/lighttpd"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
}
Restart the server and you should be able to connect via http:// or https:// (the plain-HTTP listener on port 80 comes from the global server.port and stays as it was):
# /etc/init.d/lighttpd restart
And nmap or netstat will let you know it's listening on port 443 (anchor the grep on ':443 ' so a PID or address that merely contains 443 doesn't match):
# nmap -sS -T5 192.168.1.2 | grep 443
# netstat -ltnp | grep ':443 '
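The whole procedure above, plus the CSR route mentioned for a CA-signed cert, as an added shell example (these are not the original post's commands). It assumes OpenSSL is installed and uses placeholder names I chose for illustration (www.example.internal, 192.168.1.2, a mktemp directory). It produces the same single server.pem holding key and certificate that the post does, but non-interactively, with a subjectAltName (browsers ignore the CN alone), with owner-only permissions in place before the key is ever written, and with a check that the key in the file really belongs to the certificate beside it. tls_probe needs a running server and is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Host names, IPs and paths
# are placeholders; run "sh thisfile.sh demo" to generate a cert in a temp dir.
set -eu

# Minimal openssl request config carrying a subjectAltName. The same extension
# section serves the self-signed path (x509_extensions) and the CSR path
# (req_extensions). Heredoc body is at column 0 on purpose.
write_req_config() {   # write_req_config <cn> <out.cnf>
    cat > "$2" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
req_extensions = v3_req
[dn]
CN = $1
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

# Self-signed route (what the post does): key and cert end up in one server.pem.
# Runs in a subshell so the umask change does not leak into the caller;
# umask 077 means every file is born 0600, no chmod race afterwards.
make_selfsigned() (    # make_selfsigned <dir> <cn> <days>
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir" && chmod 0700 "$dir"    # 0700, not 0600: the x bit is needed to traverse
    umask 077
    write_req_config "$cn" "$dir/req.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days "$days" \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.crt"
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    rm -f "$dir/server.key" "$dir/server.crt" "$dir/req.cnf"   # key now lives only in server.pem
)

# CA route: keep the private key, hand server.csr to the CA, then append the
# signed certificate to the key to get the same combined pemfile layout.
make_csr() (           # make_csr <dir> <cn>  -> server.key (0600) + server.csr
    dir=$1; cn=$2
    mkdir -p "$dir" && chmod 0700 "$dir"
    umask 077
    write_req_config "$cn" "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.csr"
    rm -f "$dir/req.cnf"
)

# Returns 0 when the private key and the certificate in one PEM file share the
# same public key, i.e. the file really will work as ssl.pemfile.
key_matches_cert() {   # key_matches_cert <pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_has_san() {       # cert_has_san <pem> <dnsname>
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Portable exact-mode check (find -perm with a leading 0 means "exactly").
mode_is() {            # mode_is <path> <octal mode>
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Prints the $SERVER["socket"] block with ASCII quotes and its closing brace.
lighttpd_ssl_snippet() {   # lighttpd_ssl_snippet <ip> <docroot> <pemfile>
    cat <<EOF
\$SERVER["socket"] == "$1:443" {
    server.document-root = "$2"
    ssl.engine = "enable"
    ssl.pemfile = "$3"
}
EOF
}

# An open port only proves a socket is bound; this proves TLS actually
# negotiates and shows which cert the live server hands out.
tls_probe() {          # tls_probe <host> <port>
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

case "${1:-}" in
demo)
    d=$(mktemp -d)
    make_selfsigned "$d" www.example.internal 365
    key_matches_cert "$d/server.pem" && echo "key and cert in $d/server.pem match"
    lighttpd_ssl_snippet 192.168.1.2 /var/www/lighttpd "$d/server.pem"
    ;;
esac
```

Copy the generated server.pem to /etc/lighttpd/ssl/ (the 0600 mode travels with cp -p), paste the printed block into lighttpd.conf, restart, and then `tls_probe 192.168.1.2 443` should print the subject and validity dates of the certificate you just made; if it prints nothing, the socket is up but the handshake is failing, which is a pemfile or permissions problem rather than a firewall one.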
Yep… If you're serving the public or even a company intranet, you probably want to go that route. If you have a trusted CA onsite, I would just use that and save the money (for an intranet server). Because all you're really after is the browser trust, right? It is annoying and misleading when you open a site and get a security warning about an invalid certificate when you use self-signed certs.
You might also want to use a key with your SSL certificate so that it actually encrypts data…
Run the command I showed and check out the server.pem file it created. You’ll see the key and certificate right there.
$ openssl req -new -x509 -keyout server.pem -out server.pem -days 3650 -nodes
-----BEGIN PRIVATE KEY-----
gibberish blah blah
gibberish blah blah
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
gibberish blah blah
gibberish blah blah
-----END CERTIFICATE-----
If you’re talking about the passphrase, it’s an extra layer of security, but not necessary for encryption at all.
10:25 pm
You can also create requests for official certs with "openssl req -new -nodes -keyout server.key -out server.csr" where server is the name of your server.