Renew your let's encrypt certificates monthly, using lighttpd as webserver.
Latest commit a9f6b54 by galeone, Oct 7, 2018: renew.sh: reload lighttpd or nginx
Restart the lighttpd or nginx service, depending on which webserver we are using

Files in the repository:
LICENSE (First commit, Jan 15, 2016)
README.md (better ssl config after Mozilla SSL Configuration Generator, May 7, 2018)
letsencrypt-lighttpd.service (First commit, Jan 15, 2016)
letsencrypt-lighttpd.timer (Daily renew is the new default, Jun 13, 2017)
renew.sh (renew.sh: reload lighttpd or nginx, Oct 7, 2018)


Let's Encrypt renewal for Lighttpd

This script automates the renewal of certificates issued by Let's Encrypt.

Setup Let's Encrypt on Lighttpd (for the first time)

Long story short, run as root:

certbot certonly --manual

Follow the steps required for every domain (and subdomain); then, for every domain, build the single file lighttpd expects (private key followed by certificate):

cd /etc/letsencrypt/live/yourdomain
cat privkey.pem cert.pem > ssl.pem

Note that ssl.pem now contains the private key, so it must stay readable by root only, exactly like the privkey.pem it was built from. Note also that --manual proves control of the domain interactively; the unattended renewal described below uses the webroot (http-01) method instead, so the webroot must be reachable over plain HTTP on port 80.

My lighttpd configuration follows this convention:

every certificate goes in /etc/lighttpd, named domainname.pem so that they can be told apart;

every virtual host has its own folder in my home directory.

Therefore, for every virtual host (and for every certificate) my lighttpd.conf looks like

    $SERVER["socket"] == ":443" {
        protocol     = "https://"
        ssl.engine   = "enable"

        # Chain sent to clients, and the key+certificate bundle built above
        ssl.ca-file = "/etc/lighttpd/fullchain.pem"
        ssl.pemfile = "/etc/lighttpd/www.nerdz.eu.pem"

        setenv.add-environment = (
            "HTTPS" => "on"
        )
        # HSTS for about six months; add includeSubDomains only once every
        # subdomain is served over TLS
        setenv.add-response-header = (
            "Strict-Transport-Security" => "max-age=15768000;"
        )
        #
        # Strict cipher list: ECDHE key exchange only (forward secrecy), with
        # the AEAD suites (AES-GCM, ChaCha20-Poly1305) ahead of the CBC-SHA2
        # fallbacks. Modelled on the Mozilla SSL Configuration Generator.
        # The older BEAST-era advice of preferring RC4 is obsolete: RC4 is
        # broken and is not in this list. Background:
        # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
        #
        ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

        #
        # Make the server prefer its own cipher order over the client's.
        # Enabled by default, but only used when ssl.cipher-list is set.
        #
        ssl.honor-cipher-order = "enable"
        #
        # Mitigate CVE-2009-3555 by disabling client-triggered renegotiation
        # (enabled by default).
        #
        ssl.disable-client-renegotiation = "enable"
        # Curve for ECDHE; TLS compression off (CRIME)
        ssl.ec-curve        = "secp384r1"
        ssl.use-compression = "disable"
        #
        # Disable SSLv2 because it is insecure
        ssl.use-sslv2 = "disable"
        #
        # Disable SSLv3 (can break compatibility with some old browsers); don't care
        ssl.use-sslv3 = "disable"
    }

Here www.nerdz.eu is the domain. The block for the bare domain nerdz.eu is identical to the one above except for the line:

ssl.pemfile = "/etc/lighttpd/nerdz.eu.pem"
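A layout that serves both certificates on the same port without repeating the TLS settings, added here as an example and not the repository's own lighttpd.conf: lighttpd picks the certificate by SNI when ssl.pemfile is set inside a $HTTP["host"] conditional nested in the $SERVER["socket"] block, and the socket-level ssl.pemfile is the default for clients that send no SNI. The hostnames are the ones from this page; the document-root paths are assumed.

```conf
$SERVER["socket"] == ":443" {
    protocol    = "https://"
    ssl.engine  = "enable"
    ssl.ca-file = "/etc/lighttpd/fullchain.pem"

    # Default certificate: used for nerdz.eu and for clients without SNI
    ssl.pemfile = "/etc/lighttpd/nerdz.eu.pem"

    # Shared hardening (ssl.cipher-list, ssl.honor-cipher-order, HSTS header,
    # SSLv2/SSLv3 off, ...) goes here once, exactly as in the block above.

    $HTTP["host"] == "www.nerdz.eu" {
        # Certificate selected by SNI for the www host
        ssl.pemfile = "/etc/lighttpd/www.nerdz.eu.pem"
        # Assumed path: one folder per virtual host under the home directory
        server.document-root = "/home/galeone/www.nerdz.eu"
    }
    $HTTP["host"] == "nerdz.eu" {
        # Assumed path
        server.document-root = "/home/galeone/nerdz.eu"
    }
}
```

If the two hosts' certificates were issued with different intermediate chains, ssl.ca-file must be set per host in the same way as ssl.pemfile; with Let's Encrypt certificates issued at the same time, one shared fullchain.pem is enough.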

Monthly renew, using webroot

Change the first lines of renew.sh according to your configuration.

Change the path of the script in the letsencrypt-lighttpd.service file to wherever you installed it.

After that, activate the renewal timer (the shipped letsencrypt-lighttpd.timer fires daily; certbot only replaces certificates that are close to expiry, so a daily run is harmless):

cp letsencrypt-lighttpd.* /etc/systemd/system/
systemctl enable letsencrypt-lighttpd.timer
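The renewal job the timer triggers, written out as an added example rather than the repository's own renew.sh: it rebuilds the key+certificate bundle lighttpd's ssl.pemfile expects for each domain from certbot's live directory, keeps the bundle root-only and writes it atomically, and reports whether anything changed so that the webserver is restarted only when a certificate was actually renewed. The domain names are the page's; the paths /etc/letsencrypt/live, /etc/lighttpd and the webroot /var/www/html are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's renew.sh: rebuild the key+certificate
# bundles lighttpd's ssl.pemfile expects from certbot's "live" directories and
# restart the webserver only when a bundle actually changed.
# Assumed paths: /etc/letsencrypt/live, /etc/lighttpd, webroot /var/www/html.
set -eu

# build_pem LIVE_DIR OUT_FILE
# Concatenate LIVE_DIR/privkey.pem and LIVE_DIR/cert.pem into OUT_FILE.
# The bundle holds the private key, so it is written to a 0600 temp file
# created by mktemp and moved into place atomically.
# Exit status: 0 = OUT_FILE changed, 1 = already up to date, 2 = input missing.
build_pem() {
    live_dir=$1
    out_file=$2
    tmp=$(mktemp "${out_file}.XXXXXX")
    if ! cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "build_pem: missing privkey.pem or cert.pem in $live_dir" >&2
        return 2
    fi
    chmod 0600 "$tmp"
    if [ -f "$out_file" ] && cmp -s "$tmp" "$out_file"; then
        # Unchanged: drop the temp file, nothing to restart for this domain
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out_file"
    return 0
}

# renew_all CERT_DIR LIVE_ROOT DOMAIN...
# Rebuild CERT_DIR/DOMAIN.pem from LIVE_ROOT/DOMAIN for every DOMAIN.
# Exit status: 0 = at least one bundle changed (restart needed),
# 1 = nothing changed, anything else = a domain's key or cert was missing.
renew_all() {
    cert_dir=$1
    live_root=$2
    shift 2
    changed=0
    for domain in "$@"; do
        build_pem "$live_root/$domain" "$cert_dir/$domain.pem" && rc=0 || rc=$?
        case $rc in
            0) changed=1 ;;
            1) ;;
            *) return "$rc" ;;
        esac
    done
    [ "$changed" -eq 1 ]
}

# Real run (as root), opt-in through RENEW_RUN=1 so that sourcing this file
# has no side effects. certbot renews in place with the http-01 webroot
# method, so lighttpd must serve the webroot over plain HTTP on port 80.
if [ "${RENEW_RUN:-0}" = "1" ]; then
    certbot renew --webroot -w /var/www/html --quiet
    if renew_all /etc/lighttpd /etc/letsencrypt/live www.nerdz.eu nerdz.eu; then
        systemctl restart lighttpd
    fi
fi
```

Comparing the new bundle with the installed one before replacing it is what makes the daily timer cheap: on the days certbot renews nothing, the script leaves the files and the running webserver alone.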

That's all.