
Update dietpi-letsencrypt, bug introduced with my last commit #6517

Merged
merged 3 commits into from Jul 30, 2023

Conversation

JappeHallunken
Contributor

there can only be one "options" line, otherwise lighttpd fails to restart after running dietpi-letsencrypt

https://dietpi.com/forum/t/lighttpd-fails-after-renewing-letsencrypt/17510/6

@JappeHallunken
Contributor Author

JappeHallunken commented Jul 30, 2023

Maybe we can now even delete the line `sed -i 's/, "Options" => "-SessionTicket"//' /etc/lighttpd/conf-available/50-dietpi-https.conf`, which was for Bullseye installations, but the line won't be in the file now anyway, so is this obsolete?

> Bullseye: Install dedicated TLS module package and keep session tickets enabled, which is safe since Lighttpd v1.4.56: #4294 (comment)

@MichaIng
Owner

MichaIng commented Jul 30, 2023

Dammit.

There is this Bullseye+ block below to remove the option anyway, but it is not correctly applied after the last change. Let's do it like this:

```sh
		"Options" => "-ServerPreference,-SessionTicket",
		"CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
	)
}
_EOF_
			# Bullseye: Install dedicated TLS module package and keep session tickets enabled, which is safe since Lighttpd v1.4.56: https://github.com/MichaIng/DietPi/issues/4294#issuecomment-826802056
			if (( $G_DISTRO > 5 ))
			then
				G_AG_CHECK_INSTALL_PREREQ lighttpd-mod-openssl
				G_EXEC sed -i 's/,-SessionTicket//' /etc/lighttpd/conf-available/50-dietpi-https.conf
			fi
```

Syntax for multiple options comma-separated taken from here: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Perfect-Forward-Secrecy-PFS

EDIT:

> which was for bullseye installations

We need to keep this as long as we still do support Buster. I would love to drop support for it soon, but there are still 6% Debian Buster based DietPi systems. I think we again need to wait until the end of the year for this step.

@MichaIng
Owner

MichaIng commented Jul 30, 2023

The dash negates the individual option. What we want is that clients choose the cipher (from those supported by the server/part of the list) and disable session tickets on Buster. See "Options" syntax here: https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#Options
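The two points made in this thread (only one `"Options"` entry may appear in the `ssl.openssl.ssl-conf-cmd` array, with several values comma-separated, and `-SessionTicket` is stripped from that single value on Bullseye+) as an added example. This is not DietPi's or the PR author's code; the function names and both sample config files are constructed here to show the broken shape the PR description reports and the fixed shape, together with a check a maintainer could run before restarting Lighttpd.

```sh
#!/bin/sh
# Added example, not DietPi's code. Per the PR description, Lighttpd fails to
# restart when the ssl.openssl.ssl-conf-cmd array carries two "Options" lines,
# so the fix keeps ONE "Options" entry with comma-separated values and, on
# Bullseye+, strips "-SessionTicket" from that value. Names are constructed.

# Print the keys of the ssl.openssl.ssl-conf-cmd array in file $1, one per line.
ssl_conf_cmd_keys() {
    # First sed: keep only the lines from the array opener to its closing ")".
    # Second sed: extract the quoted key that precedes "=>".
    sed -n '/^[[:space:]]*ssl\.openssl\.ssl-conf-cmd[[:space:]]*=[[:space:]]*(/,/^[[:space:]]*)/p' "$1" \
        | sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*=>.*/\1/p'
}

# Return 0 when every key is unique, 1 (naming the offenders) when any repeats.
check_ssl_conf_cmd() {
    dups=$(ssl_conf_cmd_keys "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate ssl-conf-cmd key(s) in %s: %s\n' "$1" "$dups" >&2
        return 1
    fi
    return 0
}

# The Bullseye+ adjustment from the PR: drop "-SessionTicket" from the single,
# comma-separated Options value. Same sed expression as in the PR, written via
# a temp file instead of sed -i so it also works with non-GNU sed.
enable_session_tickets() {
    sed 's/,-SessionTicket//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample in the broken shape the PR describes: two "Options" lines.
write_broken_conf() {
    cat > "$1" <<'_EOF_'
$SERVER["socket"] == ":443" {
    ssl.openssl.ssl-conf-cmd = (
        "Options" => "-ServerPreference",
        "Options" => "-SessionTicket",
        "CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    )
}
_EOF_
}

# Constructed sample in the fixed shape: one "Options" line, values comma-separated.
write_fixed_conf() {
    cat > "$1" <<'_EOF_'
$SERVER["socket"] == ":443" {
    ssl.openssl.ssl-conf-cmd = (
        "Options" => "-ServerPreference,-SessionTicket",
        "CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    )
}
_EOF_
}

# Demo: reject the broken shape, accept the fixed one, then apply the Bullseye+ sed.
demo=$(mktemp)
write_broken_conf "$demo"
check_ssl_conf_cmd "$demo" || echo "broken conf rejected, as expected"
write_fixed_conf "$demo"
check_ssl_conf_cmd "$demo" && echo "fixed conf accepted"
enable_session_tickets "$demo"
grep '"Options"' "$demo"   # "Options" => "-ServerPreference",
rm -f "$demo"
```

On a real system the same check can be pointed at `/etc/lighttpd/conf-available/50-dietpi-https.conf` before `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` and the service restart; the duplicate-key check only covers the failure mode reported in this PR, not the full Lighttpd config syntax.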

@JappeHallunken JappeHallunken marked this pull request as ready for review July 30, 2023 19:57
@JappeHallunken
Contributor Author

Yeah, I read the manpage in the meantime as well and deleted my comment before I saw yours :)

JappeHallunken and others added 3 commits July 30, 2023 22:09
there can only be one "options" line, otherwise lighttpd fails to restart after running dietpi-letsencrypt

https://dietpi.com/forum/t/lighttpd-fails-after-renewing-letsencrypt/17510/6
- CHANGELOG | DietPi-LetsEncrypt: Resolved a v8.20 regression where Lighttpd did not start after applying or renewing the certificate due to a syntax error. Many thanks to @JappeHallunken for fixing this issue: MichaIng#6517
@MichaIng
Owner

We really need to implement an option to apply a self-signed certificate. This would make it so much easier to test everything, also in an automated way via GitHub Actions workflow. I am often too lazy to switch back and forth port forwarding from my production home server to some test system to test dietpi-letsencrypt properly. And also Let's Encrypt has rate limiting which I fear to run into 🙄.

@MichaIng MichaIng merged commit f015407 into MichaIng:dev Jul 30, 2023
1 check passed
@Joulinar
Collaborator

Do we need to push an updated version or patch? Because we have another user on the forum, and I have the feeling there will be more until the next release in 4 weeks.

@MichaIng
Owner

I'll push a live patch today.

MichaIng added a commit that referenced this pull request Jul 31, 2023
- Live patch 0 | Fix DietPi-LetsEncrypt SSL config for Lighttpd: #6517
@MichaIng
Owner

Done: #6522

@gstrauss

gstrauss commented Aug 9, 2023

> And also Let's Encrypt has rate limiting which I fear to run into 🙄.

FYI: you can avoid Let's Encrypt rate limits on their production servers by using Let's Encrypt staging servers: https://letsencrypt.org/docs/staging-environment/

@MichaIng
Owner

MichaIng commented Aug 9, 2023

Good to know something like this exists, also since this means I do not need to issue a real certificate to test the script. However, best would be a self-signed cert option, to allow automating the tests here on GitHub, where runners are not publicly reachable.
