Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>


Lighttpd_SSL.mdwn

If you followed the [[tools/systems/admin-guides/SSL]] guide, you probably want your website to use the certificate you generated. And even if you don’t run a website, but some other service, you want to make the revocation list and the CA policy page available.

You can also make the CA certificate available on your website, but that’s not the point of this guide. You could also give it to friends on USB sticks or publish it as a torrent or anything like that. What you really need on the server side is:

  1. Revocation list
  2. Policy page
  3. Server key
  4. Server certificate

If some information is missing from this page, you can probably find it in lighttpd’s documentation, which is more thorough: here

In the SSL guide, the examples set the revocation list to be at the address http://cert.partager.null/partager-ca-crl.pem. Assuming you didn’t use a “cert” subdomain until now, this requires updating your DNS records (adding an A record for the “cert” subdomain). Then, in the lighttpd config file /etc/lighttpd/lighttpd.conf add a section like this:

## cert host
$HTTP["host"] == "cert.partager.null" {
    server.document-root = "/var/www/cert"
}

Then place the revocation list inside the document root folder, e.g. /var/www/cert/partager-ca-crl.pem.

The policy page is just a regular page on your website, at the address you specified when creating the CA. I use ikiwiki and the page is http://www.partager.null/ssl, so I have an ssl.mdwn file on the top-level of my ikiwiki source repository.

Some servers take the server key and the server certificate as two separate files. But lighttpd doesn’t. It takes a single file which is a concatenation of them. The order doesn’t matter. You can use a command like this to create the concatenated file:

cat host.key host.crt > host.pem

Place the resulting PEM file in the folder /etc/ssl/private (it’s not critical, but having all the keys in one folder makes managing them easier). I usually name these files <host>.pem, for example www.partager.null.pem. Make the file read-only, and readable only by root. These commands do that:

# chown root:root www.partager.null.pem
# chmod 400 www.partager.null.pem

If you want your website to use only SSL, you can put lines like these in the main configuration file:

ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"

You may also need to set the server port to 443.

If you want to support both HTTP and HTTPS, you can use $SERVER["socket"] to make lighttpd enable SSL conditionally. For example:

$SERVER["socket"] == ":443" {
	ssl.engine  = "enable"
	ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"
	
	$HTTP["host"] == "www.partager.null" {
		ssl.pemfile = "/etc/ssl/private/www.partager.null.pem"
	}
	
	$HTTP["host"] == "git.partager.null" {
		ssl.pemfile = "/etc/ssl/private/git.partager.null.pem"
	}
	
	$HTTP["host"] == "files.partager.null" {
		ssl.pemfile = "/etc/ssl/private/files.partager.null.pem"
	}
}

The ssl.pemfile at the top is the default one used when the host is not matched by the $HTTP["host"] clauses. It will probably not be used if you define a pemfile for each host you have, but a default pemfile still must be defined.
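As an added check that is not part of the original wiki page: a small Python audit for the pemfiles a lighttpd config refers to, covering the points above (exactly one private key block plus a certificate, mode 400, owned by root). The host names and paths follow the page's own examples; the sample files it writes are constructed dummies, not real keys or certificates.

```python
import os
import re
import stat
import tempfile

# One PEM block; the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

def audit_pemfile(path, require_root=True):
    """Return a list of problems; an empty list means the file is ready for ssl.pemfile."""
    problems = []
    with open(path) as f:
        labels = [m.group(1) for m in PEM_BLOCK.finditer(f.read())]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is accessible to group/other; use chmod 400" % (st.st_mode & 0o777))
    if require_root and st.st_uid != 0:
        problems.append("owner uid %d is not root; use chown root:root" % st.st_uid)
    return problems

def pemfiles_in_config(config_text):
    """Every path assigned to ssl.pemfile, in order of appearance (the first is the default)."""
    return re.findall(r'ssl\.pemfile\s*=\s*"([^"]+)"', config_text)

def audit_config(config_text, require_root=True):
    """Map each ssl.pemfile path in the config to its problems (missing files included)."""
    report = {}
    for path in pemfiles_in_config(config_text):
        if not os.path.exists(path):
            report[path] = ["file does not exist"]
        else:
            report[path] = audit_pemfile(path, require_root)
    return report

def write_sample_pemfile(name, with_key=True, mode=0o400):
    """Write a constructed (not real) key+cert file into a temp dir to exercise the audit offline."""
    key = "-----BEGIN PRIVATE KEY-----\nMIIconstructedkey==\n-----END PRIVATE KEY-----\n"
    cert = "-----BEGIN CERTIFICATE-----\nMIIconstructedcert==\n-----END CERTIFICATE-----\n"
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "w") as f:
        f.write((key if with_key else "") + cert)  # key first, as `cat host.key host.crt` produces
    os.chmod(path, mode)
    return path
```

Run audit_config over the text of /etc/lighttpd/lighttpd.conf as root before restarting; any non-empty list in the report is something to fix first.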

Now restart the server:

# service lighttpd restart

Try browsing to your website using HTTPS. If you haven’t told your computer and/or your browser to trust your CA, some browsers will display a warning while others will load the webpage but signify somehow that the certificate is not authenticated, e.g. by displaying an open lock image. Firefox derivatives will display an error, while Epiphany and Midori will load the page.

After this initial test with the browser, you can go to the [[tools/systems/user-guides]] section and learn how a client is configured to trust your CA. Follow the guidelines, and test HTTPS again. You may need to close and reopen the browser. If you see a closed lock icon and no complaints from the browser, you have successfully managed to add SSL support to your web server.

[[!img https.png class="center"]]
