How To Lighttpd Create Self Signed SSL Certificates


If you are testing a web-based application or just want a secure login page for your application, you can create a self-signed SSL certificate. I have already explained the procedure for installing a real third-party-signed SSL certificate.


The procedure is as follows:

Step # 1: Create self signed SSL Certificates

Create a directory to store SSL certificate:

# mkdir -p /etc/lighttpd/ssl/domain.com
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown -R lighttpd:lighttpd /etc/lighttpd/ssl
# chmod 0700 /etc/lighttpd/ssl/domain.com
# chmod 0600 /etc/lighttpd/ssl/domain.com/server.pem

You need to provide information such as the country name, your domain name, and so on.
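As an added example (not part of the original how-to), the following POSIX shell helpers generate the combined key-plus-certificate PEM non-interactively with the Common Name and a subjectAltName set to the server hostname, and then verify the PEM before lighttpd is pointed at it. The check rejects a directory path (the ssl.pemfile mistake reported in the comments) and confirms that the private key really matches the certificate's public key, which is exactly the condition behind the "Private key does not match the certificate public key" error. The function names make_selfsigned, check_pem and cert_cn, the directory and hostname arguments, and the 2048-bit RSA key size are my assumptions; the -addext option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original how-to. Assumed helper names:
# make_selfsigned, check_pem and cert_cn. Requires the openssl CLI
# (1.1.1 or newer for -addext).

# make_selfsigned DIR HOSTNAME [DAYS]
#   Creates DIR/server.pem holding the private key followed by a self-signed
#   certificate whose CN and subjectAltName are HOSTNAME (default: 365 days).
make_selfsigned() {
    dir=$1
    host=$2
    days=${3:-365}
    mkdir -p "$dir" || return 1
    # -subj answers the interactive prompts; the CN must be the hostname that
    # clients type into the browser, not a person's name.
    # -addext adds a subjectAltName, which current browsers require.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # lighttpd's ssl.pemfile expects the key and the certificate in one file.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" || return 1
    rm -f "$dir/server.key"
    # Only the owner may enter the directory or read the key material.
    chmod 0700 "$dir" && chmod 0600 "$dir/server.pem"
}

# check_pem FILE
#   Returns 0 when FILE is a regular file containing a private key and a
#   certificate whose public keys agree; otherwise reports the reason on
#   stderr and returns 1.
check_pem() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "check_pem: $f is not a regular file (ssl.pemfile must name the PEM, not its directory)" >&2
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "check_pem: no certificate in $f" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$f" || { echo "check_pem: no private key in $f" >&2; return 1; }
    # Extract the SubjectPublicKeyInfo from both halves and compare them.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) \
        || { echo "check_pem: cannot parse certificate in $f" >&2; return 1; }
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) \
        || { echo "check_pem: cannot parse private key in $f" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_pem: private key does not match the certificate public key" >&2
        return 1
    fi
    return 0
}

# cert_cn FILE
#   Prints the certificate subject so the Common Name can be checked by eye.
cert_cn() {
    openssl x509 -in "$1" -noout -subject
}

# Usage (as root, matching the how-to's paths):
#   make_selfsigned /etc/lighttpd/ssl/domain.com www.domain.com 365
#   check_pem /etc/lighttpd/ssl/domain.com/server.pem \
#       && cert_cn /etc/lighttpd/ssl/domain.com/server.pem
```

Running check_pem against the directory instead of the file reproduces the failure the comments describe, and running it after every certificate renewal catches a key/certificate mismatch before lighttpd is restarted.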

Step # 2: Configure Lighttpd

Open the lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add config directives as follows:
$SERVER["socket"] == "192.168.1.100:443" {
    server.document-root = "/home/lighttpd/domain.com"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}

Make sure you replace the IP 192.168.1.100 with your server's actual IP address.

Step # 3: Restart Lighttpd

Test the config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now restart lighttpd:
# /etc/init.d/lighttpd restart

Make sure port 443 is open:
# netstat -tulpn | grep :443

Configure your firewall/iptables to open port 443. The following are sample iptables rules; append them to your iptables shell script:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Redirect plain text login page to secure login page

Let us assume you would like to redirect all incoming WordPress login requests for http://domain.com/blog/wp-login.php to https://domain.com/blog/wp-login.php.
Add the following snippet to the port 80 section of your lighttpd.conf file:
$HTTP["url"] =~ "^/blog/wp-login\.php" {
    url.redirect = ( "^/(.*)" => "https://www.domain.com/$1" )
}

You may also need to modify your login page so that the form is submitted over SSL.


9 comments
  • Matt Dec 24, 2006 @ 9:00

    Correction:

    ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com"

    Otherwise lighttpd will try to open the directory as the key file and will fail with
    SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line

  • 🐧 nixCraft Dec 24, 2006 @ 10:28

    Matt,

    Thanks for heads up!

    To avoid confusion, example has been modified.

  • radeone Apr 22, 2007 @ 10:45

    The certificate pops up as if it is owned by . How do you fix that?

  • DanielS Sep 5, 2008 @ 7:42

    What a wonderful post! It's been a little tough finding a good, simple, but effective site to help me get https connections working on my lighttpd setup!

    Many Thanks! This post helped A LOT!

  • sameera Sep 5, 2008 @ 11:34

    Please help

    I’m still getting the following error in FF,

    The connection was interrupted….

    and I couldn't do the following line,

    chown lighttpd:lighttpd /etc/lighttpd/ssl -R

    it says "invalid user".

    I'm trying to implement SSL for my Ruby app.

    Please help, and thank you for the great post.

    — sameera

  • Paul Nov 30, 2008 @ 11:36

    Hi,

    Thanks for the tutorial!

    I discovered that the key generation command asked for information but gave fairly misleading guidance which led to some confusion.

    The important one was this prompt:
    -> Common Name (eg, YOUR name) []:

    This actually needs to be the exact hostname ie “www.domain.com” of the server you’re generating the key for. You’d be forgiven for thinking otherwise!

    Info from http://sial.org/howto/openssl/self-signed/

    I wonder if you could update the HOWTO to clarify this point?

    Thanks,

    Paul

  • zman May 2, 2010 @ 15:09

    Thanks for the tutorial, but lighttpd with openssl produces an error:
    (network.c.601) SSL: failed to initialize TLS servername callback, openssl library does not support TLS servername extension

    freebsd 7.3
    openssl-0.9.8m
    lighttpd-1.4.26

  • PJ May 17, 2012 @ 13:17

    Really helpful guides for lighttpd. I got up and running in no time. Thanks a lot!

  • JAY Jan 4, 2014 @ 20:49

    Worked great for me first time. Not one issue. Great instructions.
