How To Lighttpd Create Self Signed SSL Certificates

October 19, 2006 · 9 comments · Last updated April 2, 2008

If you are testing a web-based application or just want a secure login page for your application, you can create a self-signed SSL certificate. I have already explained the procedure for installing a real, third-party-signed SSL certificate.

The procedure is as follows:

Step # 1: Create a self-signed SSL certificate

Create a directory to store SSL certificate:

# mkdir /etc/lighttpd/ssl/domain.com -p
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0600 /etc/lighttpd/ssl/domain.com/server.pem

The server.pem file holds both the private key and the certificate (the openssl command above writes both to the same file), so only the lighttpd user should be able to read it.

You will be prompted for information such as the country name and your domain name. When asked for the Common Name, enter the exact hostname clients will use to reach the server (for example www.domain.com), not your own name; browsers compare it against the host in the URL.
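As an added pre-flight check before Step 2 and Step 3 (example code, not from the original post), the shell functions below verify that the file you will name in ssl.pemfile is a regular file holding both a certificate and a private key with mode 0600, and, where openssl is available, that the key and certificate actually belong together. The function names pemfile_ok and key_matches_cert are assumed names.

```shell
#!/bin/sh
# Pre-flight checks for a lighttpd ssl.pemfile (constructed example).
# lighttpd expects ONE file holding both the private key and the certificate;
# pointing ssl.pemfile at the directory, or at a file holding only one of the
# two, gives "PEM routines:PEM_read_bio:no start line" at startup.

# pemfile_ok FILE -> 0 if FILE looks usable as ssl.pemfile, 1 otherwise
pemfile_ok() {
    f="$1"
    # A directory path is the classic mistake.
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no certificate block" >&2; return 1; }
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" \
        || { echo "$f: no private key block" >&2; return 1; }
    # The file carries the private key, so it must be mode 0600 (the chmod step).
    [ -n "$(find "$f" -perm 0600)" ] \
        || { echo "$f: mode must be 0600, it contains the private key" >&2; return 1; }
    return 0
}

# key_matches_cert FILE -> 0 if the RSA key and the certificate in FILE belong
# together (the other cause of "Private key does not match"); needs openssl.
key_matches_cert() {
    f="$1"
    kmod=$(openssl rsa -noout -modulus -in "$f" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$f" 2>/dev/null) || return 1
    [ "$kmod" = "$cmod" ]
}

# Usage (run as root before restarting lighttpd):
# pemfile_ok /etc/lighttpd/ssl/domain.com/server.pem \
#   && key_matches_cert /etc/lighttpd/ssl/domain.com/server.pem \
#   && lighttpd -t -f /etc/lighttpd/lighttpd.conf
```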

Step # 2: Configure Lighttpd

Open the lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add the following config directives:
$SERVER["socket"] == "192.168.1.100:443" {
server.document-root = "/home/lighttpd/domain.com"
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}

Make sure you replace the IP address 192.168.1.100 with your server's actual IP address.

Step # 3: Restart Lighttpd

Test config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now Restart lighttpd:
# /etc/init.d/lighttpd restart

Make sure lighttpd is listening on port 443:
# netstat -tulpn | grep :443

Configure your firewall (iptables) to open port 443. The following are sample iptables rules; append them to your iptables shell script:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Redirect the plain-text login page to the secure login page

Let us assume you would like to redirect all incoming WordPress login requests for http://domain.com/blog/wp-login.php to https://domain.com/blog/wp-login.php.
Add the following snippet to the port 80 section of your lighttpd.conf file (the original pattern "^/blog/wp-login.php*" let the trailing * quantify the "p"; the dot is escaped and the * dropped so the regex matches the path literally):
$HTTP["url"] =~ "^/blog/wp-login\.php" {
url.redirect = ( "^/(.*)" => "https://www.domain.com/$1" )
}

You may also need to modify your login page so that the form is submitted over SSL.

9 comments

1 Matt December 24, 2006 at 9:00 am

Correction:

ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com"

Otherwise lighttpd will try to open the directory as the key file and will fail with
SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line

2 nixCraft December 24, 2006 at 10:28 am

Matt,

Thanks for heads up!

To avoid confusion, example has been modified.

3 radeone April 22, 2007 at 10:45 am

The certificate pops up as if it is owned by . How do you fix that?

4 DanielS September 5, 2008 at 7:42 am

What a wonderful post! It's been a little tough finding a good, simple, but effective site to help me get https connections working on my lighttpd setup!

Many thanks! This post helped a lot!

5 sameera September 5, 2008 at 11:34 am

Please help

I'm still getting the following error in FF:

The connection was interrupted….

and I couldn't do the following line:

chown lighttpd:lighttpd /etc/lighttpd/ssl -R

It says "invalid user".

I'm trying to implement SSL for my Ruby app.

Please help, and thank you for the great post.

— sameera

6 Paul November 30, 2008 at 11:36 am

Hi,

Thanks for the tutorial!

I discovered that the key generation command asked for information but gave fairly misleading guidance which led to some confusion.

The important one was this prompt:
-> Common Name (eg, YOUR name) []:

This actually needs to be the exact hostname, i.e. "www.domain.com", of the server you're generating the key for. You'd be forgiven for thinking otherwise!

Info from http://sial.org/howto/openssl/self-signed/

I wonder if you could update the HOWTO to clarify this point?

Thanks,

Paul

7 zman May 2, 2010 at 3:09 pm

Thanks for the tutorial, but lighttpd with openssl produces an error:
(network.c.601) SSL: failed to initialize TLS servername callback, openssl library does not support TLS servername extension

freebsd 7.3
openssl-0.9.8m
lighttpd-1.4.26

8 PJ May 17, 2012 at 1:17 pm

Really helpful guides for lighttpd. I got up and running in no time. Thanks a lot!

9 JAY January 4, 2014 at 8:49 pm

Worked great for me first time. Not one issue. Great instructions.
