Howto: Linux Lighttpd SSL (Secure Sockets Layer) Https Configuration And Installation

Posted August 26, 2006 · 15 comments · Last updated March 25, 2009



SSL is a cryptographic protocol that provides secure communications on the Internet for email, the web and other services.

An SSL certificate is a digital certificate that authenticates the identity of a Web site and encrypts information that is sent to the server using Secure Sockets Layer (SSL) technology. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

SSL is essential if you run an ecommerce site or accept credit card payments, and it is also a good choice for user login and registration pages.

To purchase a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA). The CSR contains your certificate-application information, including your public key. The CSR is generated (using the openssl command) on your web server, which also creates the public/private key pair used for encrypting and decrypting secure transactions.

Requirements

  • Lighttpd webserver with SSL support
  • A dedicated IP address assigned to your domain, i.e. IP-based hosting is needed
  • SSL certificate from CA
  • A domain name - theos.in (used as the example domain throughout this howto)

Important files on your server

  • /etc/lighttpd/ssl/theos.in/ - Directory to store the SSL certificate and related files
  • /etc/lighttpd/ssl/theos.in/theos.in.key - Your private key file. Never, ever give this file to anybody. Lighttpd uses it to encrypt the server traffic.
  • /etc/lighttpd/ssl/theos.in/theos.in.csr - You cut/copy and paste the contents of this file into the CSR field on the CA's SSL certificate-request page or application form. It includes your public key.
  • /etc/lighttpd/ssl/theos.in/theos.in.pem - A PEM file can hold private keys (RSA and DSA), public keys (RSA and DSA) and (X.509) certificates. Usually your private key and certificate are stored together in this file, and this is the file Lighttpd reads.

Important files issued by CA

The CA usually sends a zip file containing the following files:

  • CA_issuing.crt - Your intermediate certificate, also called the chained root certificate file. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a chain that begins at the trusted root CA, passes through the intermediate certificate, and ends with the web server SSL certificate issued to you. Using an intermediate certificate adds a level of security because the Certification Authority (CA) does not need to issue certificates directly from its root certificate.
  • theos.in.crt - Your domain certificate

Lighttpd SSL Tutorial

Following are steps to configure SSL under Lighttpd web server.

Step #1: Generate a certificate signing request (CSR)

First, create a directory for the key material and generate a certificate signing request for your domain theos.in using the openssl command:
# mkdir -p /etc/lighttpd/ssl/theos.in
# cd /etc/lighttpd/ssl/theos.in

Create an RSA private key (the -des3 option protects it with a passphrase):
# openssl genrsa -des3 -out theos.in.key 1024

Now create a CSR:
# openssl req -new -key theos.in.key -out theos.in.csr

You will be prompted to enter your domain name (the Common Name) and other information. Please note that if you are requesting a wildcard certificate, prefix the Common Name with an asterisk (*), i.e. *.theos.in. This will secure all subdomains. If you just use theos.in, it will only secure the theos.in domain and not www.theos.in.

Now, submit your theos.in.csr file to the CA while ordering your certificate. Next, you need to verify your domain ownership. Once your request is approved, you can download the certificate to use with the Lighttpd webserver.

Step #2: Prepare the certificate

Your CA will issue you a signed web server certificate. The final step in the certificate request process is installing the certificate on your Lighttpd web server.

Now copy the downloaded certificate (theos.in.crt) to /etc/lighttpd/ssl/theos.in (the intermediate certificate CA_issuing.crt from the CA's zip file belongs in the same directory, since the configuration in Step 4 references it there):
# cp theos.in.crt /etc/lighttpd/ssl/theos.in

Now create your final PEM file and set its permissions (it contains the private key, so only the Lighttpd user may read it):
# cat theos.in.key theos.in.crt > theos.in.pem
# chmod 0600 theos.in.pem
# chown lighttpd:lighttpd /etc/lighttpd/ssl/theos.in -R

Optional: How do I remove the passphrase from the key file?

Lighttpd will prompt for the passphrase every time it starts listening on port 443, so it cannot come up unattended after a reboot. You can remove the passphrase from the key (back up the originals first) and rebuild the PEM file:
# cp theos.in.key theos.in.key.bak
# cp theos.in.pem theos.in.pem.bak
# openssl rsa -in theos.in.key -out no.pwd.theos.in.key
# cat no.pwd.theos.in.key theos.in.crt > theos.in.pem
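Before restarting Lighttpd it is worth checking that the PEM bundle built in Steps 1-2 (and rewritten by the optional step) is actually usable: the key and certificate belong together, the certificate chains to CA_issuing.crt, the key is no longer passphrase-protected, and the file is not readable by others. The script below is an added example for this howto, not part of the original article; it assumes openssl(1) and a POSIX sh, and the paths in its usage line are the tutorial's own.

```shell
#!/bin/sh
# Pre-flight checks for a Lighttpd ssl.pemfile bundle (example added to this
# howto, not from the original article). Assumes openssl(1) is installed.

# Key and certificate in the bundle must share one RSA modulus, otherwise
# lighttpd rejects the pemfile. "-passin pass:" keeps openssl from prompting
# interactively when the key is still encrypted (the check then just fails).
pem_key_matches_cert() {
    keymod=$(openssl rsa -in "$1" -noout -modulus -passin pass: 2>/dev/null) || return 1
    certmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$keymod" ] && [ "$keymod" = "$certmod" ]
}

# The server certificate must chain to the intermediate named in ssl.ca-file.
# -partial_chain lets an intermediate (not a root) act as the trust anchor.
pem_chain_ok() {
    openssl x509 -in "$1" 2>/dev/null |
        openssl verify -partial_chain -CAfile "$2" >/dev/null 2>&1
}

# A passphrase-protected key makes lighttpd stop and ask on every (re)start.
# Both traditional "Proc-Type: 4,ENCRYPTED" and PKCS#8 headers contain the word.
pem_key_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# The bundle contains the private key: group and other must have no access
# (mode 0600, as set with chmod in Step 2).
pem_mode_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks, print one line per failure, return non-zero if any failed.
check_pemfile() {
    rc=0
    pem_key_matches_cert "$1" || { echo "$1: private key does not match certificate"; rc=1; }
    pem_chain_ok "$1" "$2"    || { echo "$1: certificate does not chain to $2"; rc=1; }
    pem_key_unencrypted "$1"  || { echo "$1: key is still passphrase-protected"; rc=1; }
    pem_mode_private "$1"     || { echo "$1: readable by group/other, chmod 0600 it"; rc=1; }
    return $rc
}

# Usage with the tutorial's paths (run before /etc/init.d/lighttpd restart):
# check_pemfile /etc/lighttpd/ssl/theos.in/theos.in.pem /etc/lighttpd/ssl/theos.in/CA_issuing.crt
```

A clean run prints nothing and exits 0; any other exit status means the restart would either fail or block on a passphrase prompt.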

Step #3: Make sure Lighttpd supports SSL

Use the following command to verify that Lighttpd was built with SSL support (look for "(ssl)" in the version string):
[vivek@cyberciti.biz]$ /usr/sbin/lighttpd -v
lighttpd-1.4.11 (ssl) - a light and fast webserver
Build-Date: Jul 12 2006 13:47:40

Otherwise, follow these instructions to build Lighttpd with SSL support.

Step #4: Configure Lighttpd SSL support for your domain

Now open your lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf

Add the following config section:
$SERVER["socket"] == "theos.in:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/theos.in/theos.in.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/theos.in/CA_issuing.crt"
    server.name = "theos.in"
    server.document-root = "/home/lighttpd/theos.in/https"
    server.errorlog = "/var/log/lighttpd/theos.in/serror.log"
    accesslog.filename = "/var/log/lighttpd/theos.in/saccess.log"
}

Where,

  • ssl.engine = "enable" - Enable lighttpd SSL support
  • ssl.pemfile = "/etc/lighttpd/ssl/theos.in/theos.in.pem" - Your PEM file (private key plus certificate) created in Step 2
  • ssl.ca-file = "/etc/lighttpd/ssl/theos.in/CA_issuing.crt" - Your intermediate certificate file from the CA

Save and close the file. Restart the lighttpd webserver (please note that it will prompt you for the SSL private key passphrase unless you removed it in the optional step above):
# /etc/init.d/lighttpd restart

Output:

Password:

Open a web browser and type url https://yourdomain.com (https://theos.in) to test SSL installation.


Comments (15)

1 jack August 31, 2006 at 11:50 pm

Hai!

Just wanted to say ‘thank you’ for excellent set of information.


2 Joe January 30, 2007 at 6:45 pm

Good tutorials on doing some lighttpd tasks that would usually require a significant amount of reading.

Simple, straight forward…keep it up!


3 sidh April 2, 2008 at 8:01 am

How to create theos.in.crt? can somebody please write down the syntax.


4 nixCraft April 2, 2008 at 9:02 am

This file is issued by the CA for a small fee. If you don’t need a CA crt, generate your own self-signed SSL certificate.


5 Adrian May 5, 2008 at 3:59 am

Nice howto, thanks! Only problem is lighttpd won't start on boot because it needs the pass phrase. I’ve written a little bit about that here if anyone is interested.


6 Maski May 18, 2008 at 8:03 pm

When I restart Lighty, it always asks me for the phrase,.. Enter PEM pass phrase:


7 nixCraft May 18, 2008 at 9:02 pm

Backup the original key and recreate the key based off the original one without a password.

openssl rsa -in theos.in.key -out new.your.key
cat new.your.key ssl.crt > ssl.pem


8 webflier August 16, 2008 at 10:05 am

I translated this post into Chinese.
Let me know if I have violated your copyright.
If so, I will delete the translated article.
url:
Link


9 kunal January 6, 2009 at 7:27 am

Can we use name-based virtual hosting with SSL using only a single certificate? If yes, then how?


10 Sergiy February 13, 2009 at 1:01 pm

Thank you for the manual.

2kunal: certificates are issued for a single domain only (or ones for all sub-domains exist). The only way I see for a single certificate on multiple domains is to redirect users to the domain with SSL (for example to the payment page) and then return to the virtual domain.


11 frspro March 24, 2009 at 3:53 pm

Thanks, great article, very helpful…

I keep on getting “chown: invalid user: `lighttpd:lighttpd’ ” on the last step. Does anyone have any idea?


12 nixCraft March 24, 2009 at 6:02 pm

Use your actual username:groupname combo.


13 dave April 24, 2009 at 5:21 pm

Which would be www-data:www-data in ubuntu.


14 nixCraft April 24, 2009 at 6:06 pm

They are the user:group names the server runs as.


15 j0k August 16, 2012 at 11:44 am

Thanks for the tutorial.
Btw, you should talk about the BEAST attack and include the config to add in your file (the `ssl.cipher-list`):

