Configuring Let’s Encrypt Certbot on CentOS 7 with lighttpd
Saturday, April 27th, 2019
Installing Certbot
First, install certbot by using the below commands:
sudo yum -y install epel-release
sudo yum install certbot
certbot is a Python-based program that lets you request SSL certificates for your domains.
Request a Certificate
Use the below command to request a certificate (adjust paths and replace the test.com domain as necessary):
sudo certbot certonly --webroot -w /var/www/vhosts/test/httpdocs -d test.com
A certificate has now been stored in /etc/letsencrypt/live. Create a combined certificate format by using the below command (replacing test.com with your real domain):
# custom.pem contains the private key, so keep it owner-only; lighttpd reads ssl.pemfile as root at startup, so 600 is sufficient
/bin/cat /etc/letsencrypt/live/test.com/cert.pem /etc/letsencrypt/live/test.com/privkey.pem > /etc/letsencrypt/live/test.com/custom.pem && /bin/chmod 600 /etc/letsencrypt/live/test.com/custom.pem && /sbin/service lighttpd restart
Certificate Renewal Cronjobs
You may want to create a cronjob to renew the certificate and a second cronjob to regenerate the combined certificate, since the underlying certificate files change whenever the certificate is renewed:
sudo crontab -e
Insert the below cronjobs:
0 1 * * 1 /usr/bin/certbot renew --quiet
5 1 * * 1 /bin/cat /etc/letsencrypt/live/test.com/cert.pem /etc/letsencrypt/live/test.com/privkey.pem > /etc/letsencrypt/live/test.com/custom.pem && /bin/chmod 600 /etc/letsencrypt/live/test.com/custom.pem && /sbin/service lighttpd restart
Save your crontab configuration.
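As an added example (not part of the original post), the second cronjob can be replaced by a certbot deploy hook: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set to the lineage directory, so the combined PEM is rebuilt only when the certificate really changed, with owner-only permissions, and only after confirming the private key matches the certificate. It assumes openssl is installed and that lighttpd reads ssl.pemfile as root at startup.

```shell
#!/bin/sh
# Added example, not the original post's script: a certbot deploy hook that
# rebuilds lighttpd's combined PEM safely. Install as
# /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh and make it executable.
# Assumptions: openssl is present; lighttpd loads ssl.pemfile as root, so 0600 works.
set -eu

# Build combined file "$3" from certificate "$1" and private key "$2".
# Returns 1 and leaves any existing "$3" untouched if the key does not match.
build_combined_pem() {
    cert="$1"; key="$2"; out="$3"
    # Compare SubjectPublicKeyInfo blocks: works for RSA and ECDSA keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: $cert does not match $key" >&2
        return 1
    fi
    umask 077                     # temp file is created 0600, never world-readable
    tmp="$out.tmp.$$"
    cat "$cert" "$key" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"           # atomic replace: lighttpd never sees a half-written file
}

# Entry point when invoked by certbot (RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/privkey.pem" \
                       "$RENEWED_LINEAGE/custom.pem"
    /sbin/service lighttpd restart
fi
```

With the hook in place, the weekly `certbot renew --quiet` cronjob alone is enough; certbot only invokes deploy hooks for lineages it actually renewed.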
Setting Up Lighttpd to Use SSL Certificate
Edit your default-enabled lighttpd configuration file in /etc/lighttpd/vhosts.d to look similar to the following (replacing test.com with your real domain and adjusting the file paths as needed):
$HTTP["host"] == "test.com" {
    var.server_name = "test.com"
    server.name = server_name
    server.document-root = vhosts_dir + "/test/httpdocs"
    #accesslog.filename = vhosts_dir + "/test/log" + "/access.log"
}

$SERVER["socket"] == ":80" {
    server.document-root = vhosts_dir + "/test/httpdocs"
}

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/test.com/custom.pem"
    server.document-root = vhosts_dir + "/test/httpdocs"
    ssl.ca-file = "/etc/letsencrypt/live/test.com/chain.pem"   # Intermediate CA chain (chain.pem is not the root CA)
    server.name = "test.com"                                    # Domain Name OR Virtual Host Name
}
Here's how you can set a different document root for specific https (port 443) virtual hosts:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/test.com/custom.pem"
    server.document-root = vhosts_dir + "/test/httpdocs/"
    ssl.ca-file = "/etc/letsencrypt/live/test.com/chain.pem"   # Intermediate CA chain (chain.pem is not the root CA)
    server.name = "test.com"                                    # Domain Name OR Virtual Host Name
    $HTTP["host"] =~ "(^|www\.)somethingelse.test.com" {
        server.document-root = vhosts_dir + "/test/httpdocs/subdir"
    }
}
Save and restart the lighttpd service.
sudo service lighttpd restart
Congrats, SSL is now available on your domain, and your Let's Encrypt certificate has been configured and will be renewed automatically by your cronjob.