I've recently set up HTTPS on the servers at work, running in parallel
with HTTP. For reasons which were good at the time and are still not
entirely wrong, we're using lighttpd as a front-end, and the process
was less trivial than I'd have preferred.
Because of the system architecture, I wanted DNS validation,
which in practice meant certbot in manual mode. OK, we can do that.
But what to do with the various files it produces? It turns out that
the answer is, and I put this here for anyone else who has to fight
the documentation:
- concatenate cert.pem and privkey.pem to server.pem on the server
- copy chain.pem to the server under that name
- put both those files in the right place, owned and readable only by root
- then include them in the server configuration, as well as a modern
cipher set (note different syntax from Apache, replacing + with -
and space with colon; note also cargo-culted list with obvious
inconsistency)
- and finally, enable HSTS
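The first three steps above (build server.pem, copy chain.pem, make both root-only) as an added example that is not the post's own tooling: a POSIX sh function that assembles the two files from certbot's output, refuses to install a privkey.pem that does not belong to cert.pem, and installs them atomically. It assumes certbot's usual live/ directory layout and the /etc/lighttpd paths from the post; both directory arguments are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the original post: install certbot's output as the
# two files lighttpd reads, root-only, refusing a key that does not match the
# certificate. The two directory arguments (certbot live dir, lighttpd config
# dir) are assumptions; adjust to your layout.
set -eu

# SHA-256 of the DER public key inside a certificate ($1=x509) or a private
# key ($1=pkey), so RSA and ECDSA pairs are compared the same way.
pubkey_fp() {
    if [ "$1" = x509 ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = certbot live directory, $2 = lighttpd config directory
deploy_lighttpd_certs() {
    live=$1
    dest=$2
    # Fail closed if privkey.pem was not generated for cert.pem (stale copy,
    # wrong domain directory): find out before touching anything under $dest.
    cfp=$(pubkey_fp x509 "$live/cert.pem")
    kfp=$(pubkey_fp pkey "$live/privkey.pem")
    if [ -z "$cfp" ] || [ "$cfp" != "$kfp" ]; then
        echo "cert.pem and privkey.pem do not belong together" >&2
        return 1
    fi
    umask 077   # everything created below starts out 0600; the key is never world-readable
    cat "$live/cert.pem" "$live/privkey.pem" > "$dest/server.pem.new"   # -> ssl.pemfile
    cp "$live/chain.pem" "$dest/chain.pem.new"                           # -> ssl.ca-file
    chmod 0600 "$dest/server.pem.new" "$dest/chain.pem.new"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest/server.pem.new" "$dest/chain.pem.new"
    fi
    # rename() is atomic, so a reload never sees a half-written pemfile
    mv "$dest/server.pem.new" "$dest/server.pem"
    mv "$dest/chain.pem.new" "$dest/chain.pem"
}

# Typical use (as root), followed by a config check before reloading:
#   deploy_lighttpd_certs /etc/letsencrypt/live/example.com /etc/lighttpd
#   lighttpd -t -f /etc/lighttpd/lighttpd.conf && systemctl reload lighttpd
```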
The server configuration ends up looking like this:
server.modules += ( "mod_setenv" )
setenv.add-response-header = \
    ( "Strict-Transport-Security" => "max-age=15768000" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.ca-file = "/etc/lighttpd/chain.pem"
    ssl.cipher-list = "EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:\
EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:\
EECDH-aRSA-SHA256:EECDH-aRSA-RC4:EECDH:EDH-aRSA:RC4:\
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
    ssl.honor-cipher-order = "enable"
}
(Note that I don't know whether \ continuations actually work in
lighttpd config - I've just put them in to make it more readable by
splitting up long lines.)
And I have an A+ SSLLabs test result.