Certbot: [enh] Support for lighttpd

Created on 28 Nov 2014 · 35 Comments · Source: certbot/certbot

Hearing this off of TWiT's Security Now podcast, episode 483. I'm interested! But I'm running lighttpd.

Thankfully configuring SSL is simple. Here's an example from my own server (I have existing free certs through StartSSL):

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/domain.pem"
    ssl.ca-file = "/etc/ssl/ca-certs.crt"
    server.document-root = "/home/web-secure/public_html"
}

I would suggest a few command line options to indicate:

  • Path to web domain's public files.
  • Path to web domain's secured public files.
  • Path to command to generate configuration modules (to support other web servers as well), having it be passed through via STDIN.

My main go-to scripting language in Linux is Perl, alas. Looks like I'll have to pick up Python 2 and 3.

Labels: 3rd party, install, feature request, wontfix

All 35 comments

cf. #24

It doesn't look like there's currently an official Augeas lens for lighttpd but, since the configuration file syntax is so simple, perhaps it will be quick to write one.

Can you describe how lighttpd handles virtual hosts?

We actually used lighttpd internally for testing the previous iteration of the Let's Encrypt server, but never on the client side, so we weren't actually reconfiguring it at all.

On virtual hosts, fairly simple there:

# Site 1
$HTTP["host"] =~ "site1\.myserver\.com" {
        server.document-root = "/home/site1/public_html"
        accesslog.filename = "/var/log/lighttpd/site1-access.log"
        server.errorlog = "/var/log/lighttpd/site1-error.log"
}

# Site 2 (not a subsite)
$HTTP["host"] =~ "(www\.)?site2\.com" {
        server.document-root = "/home/site2/public_html"
        accesslog.filename = "/var/log/lighttpd/site2-access.log"
        server.errorlog = "/var/log/lighttpd/site2-error.log"
}

see #200 - that might become a solution until there is specific support code for lighty.

i agree, lighttpd needs to be supported at launch

With the official launch soon, what's the status of this?

Unfortunately, there are only a few people working/donating their time on the project. No one that I am aware of has written a plugin yet for lighttpd (or written a client specifically for lighttpd, for that matter). You can probably get pretty good support once #757 gets pulled in.

If #784 (easy) is also addressed, I think that would be the shortest path to the point of renewal (you specify the webroot path, you install the cert yourself, you specify the reload command). Renewal would then be automated.

I imagine there might be some more people to help write a full client once the service goes live, but that is the current state right now.

Upvote!

lighttpd handles vhosts almost like apache; on ubuntu it has the same setup, like:
/etc/lighttpd/site-enabled/domain.com (ln link)
/etc/lighttpd/site-available/domain.com
/etc/lighttpd/lighttpd.conf (global settings)

so you can generate a domain.com-ssl.conf in /etc/lighttpd/site-available/ and link it in /etc/lighttpd/site-enabled/

there is one important thing:
the input pem has to be a combined privkey+cert.pem

it's simple to make, and to put in a program so that it outputs a lighttpd compatible file out of the box:
sudo su (login as root)
cd /etc/letsencrypt/live/domain.com
cat privkey.pem cert.pem > ssl.pem

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/domain.com/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/domain.com/fullchain.pem"
    server.document-root = "/home/web-secure/public_html"
}

The authentication bit could be done using something like this added to the Lighttpd config:

# mod_alias must be loaded before alias.url can be used
server.modules += ( "mod_alias" )

alias.url += (
    "/.well-known/acme-challenge/" => "/var/tmp/example/.well-known/acme-challenge/"
)

This should work well with --webroot-path /var/tmp/example/ for all domains.
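As an added example (not code from this thread or from the certbot project), here is a small POSIX sh script that does what the comments above describe for lighttpd releases that still need a combined file: it concatenates privkey.pem and cert.pem from a certbot live directory into one pemfile and prints the matching $SERVER["socket"] block. Two things a deploy hook should get right are handled explicitly: the combined file contains the private key, so it is created with mode 0600 from the start (via umask) rather than fixed up afterwards, and it is written to a temp file and moved into place so a reload never sees a half-written pemfile. The output path, the temp-file naming and the placeholder PEM contents in the demo are assumptions/constructed; the live-directory file names (privkey.pem, cert.pem, fullchain.pem) are the ones used in the thread. On lighttpd 1.4.53 or newer this concatenation is unnecessary, as a later comment in this thread notes.

```shell
#!/bin/sh
# Added example, not from the thread or certbot. Builds the combined
# key+cert pemfile older lighttpd needs and renders the SSL socket block.
set -eu

# build_lighttpd_pem LIVE_DIR OUT_FILE
# Concatenates LIVE_DIR/privkey.pem and LIVE_DIR/cert.pem into OUT_FILE.
# The result contains the private key, so it is created 0600 via umask
# and replaced atomically (temp file + mv), never left world-readable.
build_lighttpd_pem() {
    live="$1"; out="$2"
    [ -r "$live/privkey.pem" ] || { echo "missing $live/privkey.pem" >&2; return 1; }
    [ -r "$live/cert.pem" ]    || { echo "missing $live/cert.pem" >&2; return 1; }
    tmp="$out.tmp.$$"                       # assumed temp-file naming
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" > "$tmp" )
    mv -f "$tmp" "$out"
    chmod 0600 "$out"                        # belt and braces; umask already did this
}

# render_ssl_conf LIVE_DIR PEM_FILE
# Prints a lighttpd $SERVER["socket"] block using the combined PEM_FILE
# and LIVE_DIR/fullchain.pem as ca-file, as in the thread's config.
render_ssl_conf() {
    live="$1"; pem="$2"
    printf '%s\n' \
        '$SERVER["socket"] == ":443" {' \
        '    ssl.engine = "enable"' \
        "    ssl.pemfile = \"$pem\"" \
        "    ssl.ca-file = \"$live/fullchain.pem\"" \
        '}'
}

# pem_mode FILE -> prints the octal permission bits of FILE (GNU or BSD stat)
pem_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo: runs the above on constructed placeholder files (not real keys)
# in a fresh temp directory and prints the rendered config plus file mode.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    build_lighttpd_pem "$d" "$d/ssl.pem"
    render_ssl_conf "$d" "$d/ssl.pem"
    echo "mode of $d/ssl.pem: $(pem_mode "$d/ssl.pem")"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh build-lighttpd-pem.sh demo` to see it work on the placeholder files; in a real deployment you would call `build_lighttpd_pem /etc/letsencrypt/live/domain.com /etc/lighttpd/ssl.pem` from a renewal hook and then reload lighttpd, which addresses the "run it from cron and restart the server" workflow asked about later in the thread.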

:+1:

Lighttpd support would be great, but anything that I can run via cron, that updates the cert file and restarts the server would be ok, too. Will that be possible?

Thanks for this great project!

lighttpd wants the cert and privkey concatenated together, but the latest letsencrypt client wasn't creating a ssl.pem as mentioned above. Did generating ssl.pem get removed at some point? This will make updating the certs much more difficult.

Upvote!

Upvote.

Upvote.

Upvote

+1

@vvuk:

lighttpd wants the cert and privkey concatenated together, but the latest letsencrypt client wasn't creating a ssl.pem as mentioned above. Did generating ssl.pem get removed at some point? This will make updating the certs much more difficult.

See #1201 which tracks the bundling of cert and privkey

Once cert and privkey are concatenated in the same file, what work would still need to be done to get letsencrypt to work with lighttpd? Has anyone started work on this, in their own fork?

Upvote

Upvote.

:+1:

Upvote. There are many lighttpd users out there using letsencrypt.

+1

+1

upboat :-D

+1!

+1, and thank you!

Hi all,

Please use the emoji reaction "thumbs up" on the topmost post rather than posting +1's or upvotes. Comments after this point consisting of just a +1 will be deleted. Thanks!

any notice?

While we should do this in the long term, I unfortunately think the small Certbot development team probably won't have a chance to get to this for a while. If you'd like to see this, I'd encourage you to write your own plugin, which we'd happily link to in our third party plugin section, or to open a PR to land this feature in this repository.

To help us better see what issues are still affecting our users, this issue has been automatically marked as stale. If you still have this issue with an up-to-date version of Certbot and are interested in seeing it resolved, please add a comment letting us know. If there is no further activity, this issue will be automatically closed.

Hi again. Any notice about this issue?

Greetings

While I largely agree with my past self and would love to do this in the long term, to be honest and realistic, this isn't something the Certbot team will probably ever get to. We just don't have the resources to build/maintain another plugin like this. For that reason, I'm closing this issue and marking it as wontfix.

If someone wants to write their own plugin for lighttpd, we'd happily link to it in our third party plugin section. If you encounter any issues trying to write a 3rd party plugin, please let me know by opening a new issue. While there's always more work for us to do here, I'd like to make writing 3rd party plugins as simple as possible for cases like this where we just can't take on the work ourselves.

People seeing an issue they care about closed as wontfix is never something they like to see, but hopefully the short explanation I provided here makes sense.

(i know this is an old ticket (so are #1201, #5087 and #5909), but it seems this by-now incorrect information has been cargo-culted and hardly ever questioned (including in the archwiki). so for whoever stumbles upon this:)

Note that lighttpd accepts a separate certificate and private key since 1.4.53 (released Jan 2019; mentioned here).

example config:

$SERVER["socket"] == ":443" {
    ssl.pemfile = "/etc/letsencrypt/live/git.gir.st/cert.pem"
    ssl.privkey = "/etc/letsencrypt/live/git.gir.st/privkey.pem"
    ssl.ca-file = "/etc/letsencrypt/live/git.gir.st/fullchain.pem"
}