How To Create Self-Signed SSL Certificates for Lighttpd

by Vivek Gite · 7 comments


If you are testing a web application, or just want a secure login page for it, you can create a self-signed SSL certificate. Because no certificate authority vouches for a self-signed certificate, browsers warn on the first visit and users have to accept the certificate by hand; that is fine for testing and internal use, but a public site needs a real certificate. I have already explained the procedure for installing a real third-party signed SSL certificate.

Procedure is as follows:

Step # 1: Create self signed SSL Certificates

Create a directory to store the SSL certificate, then generate the private key and the certificate into one file. Lighttpd's ssl.pemfile expects a single PEM file containing the private key followed by the certificate, which is what giving the same file name to -keyout and -out produces. The -nodes option leaves the private key unencrypted so lighttpd can start without a passphrase prompt; this is also why the file must not be readable by anyone else:

# mkdir /etc/lighttpd/ssl/domain.com -p
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0700 /etc/lighttpd/ssl/domain.com
# chmod 0600 /etc/lighttpd/ssl/domain.com/server.pem

Use 0700 on the directory and 0600 on the file, not 0600 on the directory: a directory without the execute bit cannot be entered, so lighttpd would be unable to open the pemfile inside it. The user and group lighttpd runs as differ between distributions (on Debian and Ubuntu it is www-data, and chown to lighttpd fails with "invalid user"); use the values of server.username and server.groupname from lighttpd.conf.

You need to provide information such as country name, organization, etc. The prompt "Common Name (eg, YOUR name)" is misleading: it must be the exact host name clients will type into the browser, for example www.domain.com, otherwise every client reports a host name mismatch even after the self-signed warning is accepted.

Step # 2: Configure Lighttpd

Open the lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add config directives as follows:
$SERVER["socket"] == "192.168.1.100:443" {
server.document-root = "/home/lighttpd/domain.com"
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}

Make sure you replace the IP 192.168.1.100 with your server's actual IP address and /home/lighttpd/domain.com with your document root. ssl.pemfile must point at the PEM file itself, not at the directory holding it; pointing it at the directory makes lighttpd fail at startup with "SSL: Private key does not match the certificate public key".

Step # 3: Restart Lighttpd

Test config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now Restart lighttpd:
# /etc/init.d/lighttpd restart

Make sure lighttpd is listening on port 443:
# netstat -tulpn | grep :443

Configure the firewall/iptables to open port 443. The following are sample iptables rules; append them to your iptables shell script. The OUTPUT rule only needs ESTABLISHED because the server never initiates these connections:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Redirect plain text login page to secure login page

Let us assume you would like to redirect all incoming WordPress requests for http://domain.com/blog/wp-login.php to https://domain.com/blog/wp-login.php.
Add the following snippet to lighttpd.conf where it applies only to plain-HTTP (port 80) requests. If the same rule also matches requests arriving on port 443, lighttpd redirects the HTTPS login page to itself in an endless loop. The host name in the redirect target must be the one you entered as Common Name when creating the certificate, here www.domain.com, or the browser shows a mismatch warning after the redirect:
$HTTP["url"] =~ "^/blog/wp-login\.php" {
url.redirect = ( "^/(.*)" => "https://www.domain.com/$1" )
}

This only redirects the request that fetches the login page. You may also need to modify the login form so that it submits over SSL (an action URL starting with https://); otherwise the password still leaves the browser in clear text.
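The whole procedure above (steps 1 to 3 plus the login-page redirect), scripted as an added example that is not part of the original post. It generates the key and certificate without prompts, adds the host name as a subjectAltName as well as the Common Name because current browsers match only the SAN, creates the pemfile with the layout lighttpd expects, checks that key and certificate belong together (the cause of the "Private key does not match" error), and prints the configuration fragment. The host name www.domain.com, the directory, the IP address, the document root and the user lighttpd are assumptions taken from the article; the $HTTP["scheme"] condition is assumed to be supported by your lighttpd version (it is documented for the 1.4 series).

```sh
#!/bin/sh
# Added example, not from the original post: generate the self-signed
# key+certificate bundle that lighttpd's ssl.pemfile expects, lock down
# its permissions, verify that key and certificate belong together, and
# print the matching lighttpd.conf fragment.  The host name, paths and
# the user "lighttpd" passed in are assumptions; on Debian/Ubuntu
# lighttpd runs as www-data (see server.username in lighttpd.conf).
set -eu

# make_pemfile DIR HOST [DAYS]
# Non-interactive replacement for the prompted "openssl req" command.
# CN is set to HOST and the same name is added as a subjectAltName,
# because browsers released after 2017 ignore CN and match SAN only.
# Key and certificate are written to separate files and then joined,
# key first, which is the layout lighttpd reads from ssl.pemfile.
make_pemfile() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    chmod 0700 "$dir"          # 0700, not 0600: a dir needs +x to be entered
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = san
prompt             = no
[dn]
CN = $host
[san]
subjectAltName = DNS:$host
EOF
    # Subshell so the restrictive umask does not leak into the caller;
    # every file openssl creates is born 0600 instead of being fixed later.
    ( umask 077
      openssl req -new -x509 -nodes -sha256 -days "$days" \
          -newkey rsa:2048 -config "$cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt"
      cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" )
    rm -f "$cnf" "$dir/server.key" "$dir/server.crt"
    chmod 0600 "$dir/server.pem"
}

# verify_pemfile PEM
# "SSL: Private key does not match the certificate public key" is what
# lighttpd prints when the two halves of the pemfile disagree (or when
# ssl.pemfile points at a directory).  Catch it before the restart by
# comparing the public key inside the certificate with the public key
# derived from the private key; both are printed in SPKI PEM form.
verify_pemfile() {
    pem=$1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_subject PEM: print the subject so the CN can be checked by eye.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# lighttpd_ssl_conf IP DOCROOT PEM HOST
# Emits the HTTPS socket block plus the wp-login.php redirect.  The
# redirect is nested under $HTTP["scheme"] == "http" so it can never
# match the HTTPS request it sends the browser to, which would loop.
lighttpd_ssl_conf() {
    ip=$1; docroot=$2; pem=$3; host=$4
    cat <<EOF
\$SERVER["socket"] == "$ip:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "$pem"
    server.document-root = "$docroot"
}

\$HTTP["scheme"] == "http" {
    \$HTTP["url"] =~ "^/blog/wp-login\\.php" {
        url.redirect = ( "^/(.*)" => "https://$host/\$1" )
    }
}
EOF
}

# Usage: sh lighttpd-selfsigned.sh DIR HOST IP DOCROOT   (all four are assumptions)
# e.g.:  sh lighttpd-selfsigned.sh /etc/lighttpd/ssl/domain.com www.domain.com \
#            192.168.1.100 /home/lighttpd/domain.com > ssl.conf
if [ $# -eq 4 ]; then
    make_pemfile "$1" "$2"
    verify_pemfile "$1/server.pem" || { echo "ERROR: key/cert mismatch in $1/server.pem" >&2; exit 1; }
    echo "OK: key and certificate in $1/server.pem match" >&2
    cert_subject "$1/server.pem" >&2
    lighttpd_ssl_conf "$3" "$4" "$1/server.pem" "$2"
fi
```

Paste the printed fragment into lighttpd.conf, chown the pemfile to the account named in server.username, then run lighttpd -t -f /etc/lighttpd/lighttpd.conf before restarting. The verify step reads both halves from the same combined file, so it also catches the case where the key and certificate were produced by two separate openssl runs and concatenated by mistake.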


{ 1 trackback }

Quick way to Lighttpd HTTPS/SSL | florian.demmer.org
12.05.08 at 11:44 am

{ 6 comments }

1 Matt 12.24.06 at 9:00 am

Correction:

ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com"

Otherwise lighttpd will try to open the directory as the key file and will fail with
SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line

2 nixcraft 12.24.06 at 10:28 am

Matt,

Thanks for heads up!

To avoid confusion, example has been modified.

3 radeone 04.22.07 at 10:45 am

The certificate pops up as if it is owned by . How do you fix that?

4 DanielS 09.05.08 at 7:42 am

What a wonderful post! It's been a little tough finding a good, simple, but effective site to help me get https connections working on my lighttpd setup!

Many Thanks! This post helped A LOT!

5 sameera 09.05.08 at 11:34 am

Please help

I’m still getting the following error in FF,

The connection was interrupted….

and I couldn't do the following line,

chown lighttpd:lighttpd /etc/lighttpd/ssl -R

it says "invalid user"

I’m trying to implement ssl over my ruby app.

please help and thank you for the great post

– sameera

6 Paul 11.30.08 at 11:36 am

Hi,

Thanks for the tutorial!

I discovered that the key generation command asked for information but gave fairly misleading guidance which led to some confusion.

The important one was this prompt:
-> Common Name (eg, YOUR name) []:

This actually needs to be the exact hostname, i.e. "www.domain.com", of the server you're generating the key for. You'd be forgiven for thinking otherwise!

Info from http://sial.org/howto/openssl/self-signed/

I wonder if you could update the HOWTO to clarify this point?

Thanks,

Paul
