let_s_encrypt_certbot

LetsEncrypt

Since dietpi-letsencrypt only supports Apache, it will not work for our purposes as of the time of writing this. You will need to get the standalone client from the certbot website as shown below:

  wget https://dl.eff.org/certbot-auto
  chmod a+x certbot-auto

“certbot-auto accepts the same flags as certbot”

You will need to run this using the webroot plugin since you are using lighttpd. Run this command to generate the cert:

  ./path/to/certbot-auto certonly --webroot -w /var/www/example -d www.example.com

Replace /var/www/example with the document root of lighttpd and www.example.com with your domain. NOTE: You can specify multiple -w and -d options.

Now that the cert is generated we need to combine the key and the cert.

  cd /etc/letsencrypt/live/www.example.com/
  cat privkey.pem cert.pem > combined.pem

lighttpd

Next we need to tell lighttpd where to find the cert and enable TLS.

  touch /etc/lighttpd/conf-enabled/letsencrypt.conf
  nano /etc/lighttpd/conf-enabled/letsencrypt.conf

Paste the following in the above file:

  $SERVER["socket"] == ":443" {
          ssl.engine = "enable"
          ssl.pemfile = "/etc/letsencrypt/live/www.example.com/combined.pem"
          ssl.ca-file =  "/etc/letsencrypt/live/www.example.com/fullchain.pem"
          ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
          ssl.honor-cipher-order = "enable"
          ssl.use-sslv2 = "disable"
          ssl.use-sslv3 = "disable"
  }

This also disables SSLv2 and SSLv3, so only TLS is offered; you can set whatever cipher list you want.

Next reload the lighttpd config.

  /etc/init.d/lighttpd force-reload

Automate renewal of Cert

If you do not have a cron/systemd script to renew the certificate, it will expire in 90 days. If we don't renew, the cert will expire, and we don't want this to happen since it will render our ownCloud unusable over https. I am just using an example script I found in one of my sources at the bottom; I am sure there are a bunch of examples on the net. First test whether auto renewal will work:

  ./path/to/certbot-auto renew --dry-run

If this works then you should be OK to set up a script.

  touch /etc/cron.weekly/letsencrypt
  chmod +x /etc/cron.weekly/letsencrypt
  nano /etc/cron.weekly/letsencrypt

Paste the following into the file:

  #!/bin/sh
  # Stop at the first failing step so a failed renewal never reloads lighttpd
  set -e
  # Renew cert
  # put the path to certbot-auto here
  #letsencrypt renew
  /path/to/certbot-auto renew
  # Rebuild the combined key+cert file that lighttpd's ssl.pemfile points at
  cd /etc/letsencrypt/live/www.example.com/
  cat privkey.pem cert.pem > combined.pem
  # Reload lighttpd so it picks up the new cert
  /etc/init.d/lighttpd force-reload

This sets the script to run on a weekly basis. I believe Let's Encrypt suggests running it twice a day; that is possible with a custom cron job, or you can run it once a day by changing weekly to daily.
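A check worth adding to the renewal job above, as example code added here and not from the original post: this script rebuilds combined.pem the same way the cat step does, but only installs it once the private key and certificate are confirmed to belong together and the certificate is not about to expire, since a mismatched or stale combined.pem is exactly what makes lighttpd reject ssl.pemfile after a renewal. It assumes openssl is installed and takes the certbot live directory as its only argument; the init script path is the one the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild lighttpd's combined.pem
# from a certbot live directory, but only install it after verifying that the
# private key matches the certificate and that the certificate is not about to
# expire. Assumes openssl is installed.

# Return 0 if the private key and the certificate in the PEM file $1 belong
# together, by comparing the public key derived from each of them.
combined_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the certificate in $1 remains valid for at least $2 more days
# (default 30); "openssl x509 -checkend" exits non-zero if it expires sooner.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Write $1/combined.pem (key first, then cert, mode 0600) atomically. A
# mismatched or expiring result is discarded and any existing file is kept.
build_combined() {
    live=$1
    tmp="$live/combined.pem.tmp.$$"
    (umask 077 && cat "$live/privkey.pem" "$live/cert.pem" > "$tmp") \
        || { rm -f "$tmp"; return 1; }
    if combined_key_matches_cert "$tmp" && cert_valid_for_days "$tmp" 1; then
        mv "$tmp" "$live/combined.pem"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run as a script with the live directory as its only argument, e.g. from the
# weekly cron job right after "certbot-auto renew"; reload lighttpd only on success.
if [ $# -eq 1 ]; then
    build_combined "$1" && /etc/init.d/lighttpd force-reload
fi
```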

Setup HTTP to HTTPS Redirect

Now that we have TLS set up, we should redirect all requests on port 80 to 443 so that we force the use of https. This can be done with a simple file placed in /etc/lighttpd/conf-enabled.

  nano /etc/lighttpd/conf-enabled/redirect.conf

Paste this into the file:

  $HTTP["scheme"] == "http" {
      # capture vhost name with regex conditional -> %0 in redirect pattern
      # must be the innermost block around the redirect rule
      $HTTP["host"] =~ ".*" {
          url.redirect = (".*" => "https://%0$0")
      }
  }

Next reload the lighttpd config for the change to take effect, then test by going to http://www.example.com and checking that it redirects to https://www.example.com.

  /etc/init.d/lighttpd force-reload

Source: http://dietpi.com/phpbb/viewtopic.php?f=9&t=603&p=2625

let_s_encrypt_certbot.txt · Last modified: 2024/10/17 21:42 by 127.0.0.1