How To Lighttpd Create Self Signed SSL Certificates
If you are testing a web application, or just want a secure login page for it, you can create a self-signed SSL certificate. I have already explained the procedure for installing a real, third-party-signed SSL certificate.
The procedure is as follows:
Step # 1: Create self signed SSL Certificates
Create a directory to store SSL certificate:
# mkdir /etc/lighttpd/ssl/domain.com -p
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0700 /etc/lighttpd/ssl/domain.com
# chmod 0600 /etc/lighttpd/ssl/domain.com/server.pem
You will be prompted for information such as your country name and your domain name. For the Common Name, enter the hostname visitors will use in the browser (domain.com in this example); otherwise browsers will warn that the certificate does not match the site.
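Step 1 as a script, added here as an example and not part of the original article: it builds the combined key-plus-certificate pemfile non-interactively, sets sane permissions, and checks the file before lighttpd loads it (catching the key/certificate mismatch and the directory-instead-of-file mistake that otherwise only show up as a startup error). The directory paths, the hostname domain.com, and OpenSSL 1.1.1 or newer (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the combined key+cert
# pemfile lighttpd expects, lock down its permissions and verify it before
# pointing ssl.pemfile at it. Paths, domain.com and OpenSSL >= 1.1.1 (for
# -addext) are assumptions.
set -eu

# make_pemfile DIR HOST: write DIR/server.pem holding the private key followed
# by a self-signed certificate for HOST (as CN and as SAN, which browsers check).
make_pemfile() {
    dir=$1; host=$2
    mkdir -p "$dir"
    chmod 0700 "$dir"   # a directory needs the x bit to be entered; 0600 would not
    (
        umask 077       # key material is created 0600, never world-readable
        openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/server.pem" -out "$dir/server.pem" 2>/dev/null
    )
}

# check_pemfile FILE HOST: succeed only if FILE is a regular 0600 file whose
# private key matches the certificate's public key and whose cert names HOST.
# Catches the "Private key does not match the certificate public key" startup
# error (and the directory-instead-of-file mistake) before lighttpd does.
check_pemfile() {
    file=$1; host=$2
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    [ -n "$(find "$file" -perm 0600)" ] || { echo "mode is not 0600: $file"; return 2; }
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey)
    key_pub=$(openssl pkey -in "$file" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch: $file"; return 3; }
    openssl x509 -in "$file" -noout -text | grep -q "DNS:$host" \
        || { echo "certificate does not name $host: $file"; return 4; }
}

# Demo: a freshly built pemfile passes; one whose key was generated separately
# (a common copy/paste mistake) is rejected with return code 3.
demo() {
    tmp=$(mktemp -d)
    make_pemfile "$tmp/good" domain.com
    check_pemfile "$tmp/good/server.pem" domain.com || return 1
    make_pemfile "$tmp/bad" domain.com
    openssl genrsa 2048 2>/dev/null > "$tmp/bad/server.pem"      # unrelated key
    openssl x509 -in "$tmp/good/server.pem" >> "$tmp/bad/server.pem"
    check_pemfile "$tmp/bad/server.pem" domain.com && rc=0 || rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 3 ]
}
command -v openssl >/dev/null && demo
```

Run check_pemfile against the path you put in ssl.pemfile whenever you replace the certificate; a non-zero return tells you which of the four checks failed.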
Step # 2: Configure Lighttpd
Open the lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add config directives as follows:
$SERVER["socket"] == "192.168.1.100:443" {
server.document-root = "/home/lighttpd/domain.com"
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}
Make sure you replace the IP 192.168.1.100 with your server's actual IP address.
Step # 3: Restart Lighttpd
Test the config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now restart lighttpd:
# /etc/init.d/lighttpd restart
Make sure port 443 is open:
# netstat -tulpn | grep :443
Configure your firewall (iptables) to open port 443. The following are sample iptables rules; append them to your iptables shell script:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Redirect plain text login page to secure login page
Let us assume you would like to redirect all incoming WordPress login requests for http://domain.com/blog/wp-login.php to https://domain.com/blog/wp-login.php.
Add the following snippet to the port 80 section of your lighttpd.conf file:
$HTTP["url"] =~ "^/blog/wp-login\.php" {
url.redirect = ( "^/(.*)" => "https://domain.com/$1" )
}
You may also need to modify your login page so that the form is submitted over SSL.
Correction:
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com"
Otherwise lighttpd will try to open the directory as the key file and will fail with:
SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line
Matt,
Thanks for the heads up!
To avoid confusion, the example has been modified.
The certificate pops up as if it is owned by . How do you fix that?