
Re: Firefox HTTPS-only mode breaks sites that return 404 for HTTPS connections



Kenneth Parker wrote: 
> 
> I use lighttpd for eyeblinkuniverse.com, with nano as my editor. I don't
> quite understand the Certificates required for https. I guess it is time
> for some lessons.

The easiest thing to do here is to install certbot.

Assuming that your web root is /var/www and your domain name is
eyeblinkuniverse.com:

certbot certonly --webroot -w /var/www -d eyeblinkuniverse.com -d www.eyeblinkuniverse.com

It will ask you some questions, then it should drop some files
in /etc/letsencrypt/live/eyeblinkuniverse.com/

Now you need to combine those files for lighttpd:

cat /etc/letsencrypt/live/eyeblinkuniverse.com/privkey.pem \
/etc/letsencrypt/live/eyeblinkuniverse.com/cert.pem > \
/etc/letsencrypt/live/eyeblinkuniverse.com/merged.pem

And then tell lighttpd to use it:

$SERVER["socket"] == ":443" {
 ssl.engine   = "enable"
 ssl.ca-file  = "/etc/letsencrypt/live/eyeblinkuniverse.com/chain.pem"
 ssl.pemfile  = "/etc/letsencrypt/live/eyeblinkuniverse.com/merged.pem"
}


And restart lighttpd. Test your new https://www.eyeblinkuniverse.com 

Last step: create a cron job to run once a week that does
this:

certbot renew && \
cat /etc/letsencrypt/live/eyeblinkuniverse.com/privkey.pem \
/etc/letsencrypt/live/eyeblinkuniverse.com/cert.pem > \
/etc/letsencrypt/live/eyeblinkuniverse.com/merged.pem && \
service lighttpd restart

That should take care of you. If you run into trouble, you're
using the largest issuer of SSL certs and the most popular
client, and the cron job should let you know a month before the
cert actually expires.

-dsr-
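
An added example, not part of the original post: the merge step from the message above as a shell function that writes merged.pem (which contains the private key) with owner-only permissions and replaces it atomically, so a failed renewal cannot leave lighttpd with a truncated key file. The function name build_merged_pem and the --cron argument are assumptions of this sketch; the paths are the ones used in the message.

```sh
#!/bin/sh
# Added example: safer version of the "cat privkey.pem cert.pem > merged.pem" step.
# build_merged_pem and the --cron argument are names made up for this sketch.

build_merged_pem() {
    live_dir=$1
    key="$live_dir/privkey.pem"
    cert="$live_dir/cert.pem"
    out="$live_dir/merged.pem"

    # Refuse to build from missing or empty inputs, so a failed renewal
    # cannot replace a working merged.pem with a broken one.
    if [ ! -s "$key" ] || [ ! -s "$cert" ]; then
        echo "build_merged_pem: missing or empty key/cert in $live_dir" >&2
        return 1
    fi
    # Cheap sanity check on the PEM headers (not a cryptographic check).
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 1

    # mktemp creates the file 0600; same directory keeps mv atomic.
    tmp=$(mktemp "$live_dir/merged.pem.XXXXXX") || return 1
    if cat "$key" "$cert" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Weekly cron entry point, same order as the post: renew, merge, restart.
if [ "${1:-}" = "--cron" ]; then
    certbot renew &&
        build_merged_pem /etc/letsencrypt/live/eyeblinkuniverse.com &&
        service lighttpd restart
fi
```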

