
galeone / letsencrypt-lighttpd

Licence: MPL-2.0 License
Renew your let's encrypt certificates monthly, using lighttpd as webserver.

Programming Languages

shell
77523 projects

Projects that are alternatives of or similar to letsencrypt-lighttpd

letsencrypt-autorenew-docker
letsencrypt certificate generation and cron enabled autorenewal as a docker image
Stars: ✭ 59 (-10.61%)
Mutual labels:  letsencrypt
mypaas
MyPaas is an Ansible playbook for startups or small companies which want to build a modern and fully automated infrastructure.
Stars: ✭ 24 (-63.64%)
Mutual labels:  letsencrypt
ssltun
simple secure http proxy server with automatic https
Stars: ✭ 33 (-50%)
Mutual labels:  letsencrypt
self-hosted-services
A core set of privacy-preserving services that can be easily self-hosted via Docker Compose.
Stars: ✭ 123 (+86.36%)
Mutual labels:  letsencrypt
acme
Go client library implementation for ACME v2 (RFC8555)
Stars: ✭ 77 (+16.67%)
Mutual labels:  letsencrypt
gitlab-docker-rancher-letsencrypt-setup
Automated private dev environment with docker, gitlab CI/CD...
Stars: ✭ 15 (-77.27%)
Mutual labels:  letsencrypt
keycloak-kubernetes
Keycloak deployment into Kubernetes cluster
Stars: ✭ 25 (-62.12%)
Mutual labels:  letsencrypt
yaac
Yet another ACME client: a decoupled LetsEncrypt client
Stars: ✭ 138 (+109.09%)
Mutual labels:  letsencrypt
certbot-dns-ovh
Certbot plugin to respond to DNS-01 challenges by updating the zone.
Stars: ✭ 20 (-69.7%)
Mutual labels:  letsencrypt
mediastack
All in one Docker Compose media server
Stars: ✭ 42 (-36.36%)
Mutual labels:  letsencrypt
letsencrypt-manual-hook
Allows you to use dehydrated (a Let's Encrypt/Acme Client) and DNS challenge response with a DNS provider that requires manual intervention
Stars: ✭ 61 (-7.58%)
Mutual labels:  letsencrypt
acmex
Elixir Client for the Lets Encrypt ACME V2 protocol. [DEPRECATED]
Stars: ✭ 14 (-78.79%)
Mutual labels:  letsencrypt
certbot-dns-schlundtech
SchlundTech XML Gateway DNS Authenticator plugin for EFF's Certbot
Stars: ✭ 14 (-78.79%)
Mutual labels:  letsencrypt
Intranet-Lets-Encrypt-Certification
Guide to setting up a Let's Encrypt SSL certificate for a non-public facing server.
Stars: ✭ 27 (-59.09%)
Mutual labels:  letsencrypt
docker-apache-letsencrypt
This docker-image contains a simple Apache webserver and supports https-encryption by great Let's Encrypt certificates!
Stars: ✭ 65 (-1.52%)
Mutual labels:  letsencrypt
wat
WAT - Windows ACME Tool
Stars: ✭ 28 (-57.58%)
Mutual labels:  letsencrypt
django-template
The ultimate Django template: production ready Django 3.2 with Docker, HTTPS and CI/CD using Github actions ‎️‍🔥
Stars: ✭ 20 (-69.7%)
Mutual labels:  letsencrypt
cert-manager-alidns-webhook
Cert-manager webhook to generate Let's Encrypt certificates over Alibaba Cloud DNS.
Stars: ✭ 31 (-53.03%)
Mutual labels:  letsencrypt
docker-mail-server
Ansible playbooks to deploy a full featured mail server stack using Docker.
Stars: ✭ 47 (-28.79%)
Mutual labels:  letsencrypt
docker-nginx-certbot
Automatically create and renew website certificates for free using the Let's Encrypt certificate authority.
Stars: ✭ 367 (+456.06%)
Mutual labels:  letsencrypt

Let's Encrypt renewal for Lighttpd

This script automates the renewal process for certificates issued by Let's Encrypt.

Setup Let's Encrypt on Lighttpd (for the first time)

Long story short, run as root:

certbot certonly --manual

Follow the steps required for every domain (and subdomain) and then, for every domain, run:

cd /etc/letsencrypt/live/yourdomain
cat privkey.pem cert.pem > ssl.pem

My lighttpd configuration follows this convention:

put every certificate in /etc/lighttpd, named domainname.pem, so that the certificates can be told apart.

Every virtual host has its own folder in my home directory.

Therefore, for every virtual host (and for every certificate) my lighttpd.conf looks like

    $SERVER["socket"] == ":443" {
        protocol     = "https://"
        ssl.engine   = "enable"

        ssl.ca-file = "/etc/lighttpd/fullchain.pem"
        ssl.pemfile = "/etc/lighttpd/www.nerdz.eu.pem"

        setenv.add-environment = (
            "HTTPS" => "on"
        )
        setenv.add-response-header = (
            "Strict-Transport-Security" => "max-age=15768000;"
        )
        #
        # Mitigate BEAST attack:
        #
        # A stricter base cipher suite. For details see:
        # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
        #
        ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

        #
        # Make the server prefer the order of the server-side cipher suite instead of the client's.
        # This is necessary to mitigate the BEAST attack (unless you disable all non-RC4 algorithms).
        # This option is enabled by default, but only used if ssl.cipher-list is set.
        #
        ssl.honor-cipher-order = "enable"
        #
        # Mitigate CVE-2009-3555 by disabling client-triggered renegotiation.
        # This is enabled by default.
        #
        ssl.disable-client-renegotiation = "enable"
        ssl.ec-curve = "secp384r1"
        ssl.use-compression = "disable"
        #
        # Disable SSLv2 because it is insecure
        ssl.use-sslv2 = "disable"
        #
        # Disable SSLv3 (can break compatibility with some old browsers) /cares
        ssl.use-sslv3 = "disable"
    }

where www.nerdz.eu is the domain. There's another configuration block for the root domain (nerdz.eu), which differs from the one above only in the line:

ssl.pemfile = "/etc/lighttpd/nerdz.eu.pem"

Monthly renewal, using webroot

You have to change the first lines of renew.sh according to your configuration.

You have to change the path of this script in the letsencrypt-lighttpd.service file according to your configuration.

After that, you can activate the monthly renewal:

cp letsencrypt-lighttpd.* /etc/systemd/system/
systemctl enable letsencrypt-lighttpd.timer
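As an added illustration of what the renewal step has to do (this is example code, not the project's own renew.sh), the script below performs the "cat privkey.pem cert.pem" step from the setup section for every domain found under the Let's Encrypt live directory and installs the result into the lighttpd certificate directory using the domainname.pem convention. The paths LE_LIVE and LIGHTTPD_DIR, the SKIP_CERTBOT and LE_RUN switches, the function names and the `certbot renew --quiet` call are assumptions of this example; adapt the certbot call to the webroot setup you use. Two details matter for a file that contains a private key: it is created with mode 0600 and written under a temporary name, then renamed into place, so lighttpd never reads a half-written pemfile. The script also counts how many pemfiles actually changed so that the server is reloaded only when a renewal happened.

```shell
#!/bin/sh
# Added example, not the project's renew.sh: after certbot has renewed the
# certificates, rebuild the combined key+certificate file lighttpd reads
# (privkey.pem followed by cert.pem, as in the README) for every domain under
# the Let's Encrypt live directory, and report whether anything changed so the
# caller can reload lighttpd only when needed.
# Assumptions (not from the README): LE_LIVE and LIGHTTPD_DIR are the source
# and destination directories; SKIP_CERTBOT=1 skips the certbot call; the
# install only runs when the script is invoked with LE_RUN=1.
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
LIGHTTPD_DIR="${LIGHTTPD_DIR:-/etc/lighttpd}"

# install_pemfile SRC_DIR DEST_DIR DOMAIN
# Writes DEST_DIR/DOMAIN.pem = SRC_DIR/privkey.pem + SRC_DIR/cert.pem.
# The file contains the private key, so it is created with mode 0600, written
# to a temporary name and renamed into place so lighttpd never reads a
# half-written pemfile. Returns 1 and leaves DEST_DIR untouched if either
# input is missing, empty, or not PEM-framed (e.g. a truncated renewal).
install_pemfile() {
    src="$1"; dest="$2"; domain="$3"
    key="$src/privkey.pem"; cert="$src/cert.pem"
    if [ ! -s "$key" ] || [ ! -s "$cert" ]; then
        echo "skipping $domain: privkey.pem or cert.pem missing in $src" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN' "$key" || ! grep -q -e '-----END CERTIFICATE-----' "$cert"; then
        echo "skipping $domain: $key or $cert does not look like PEM" >&2
        return 1
    fi
    tmp="$dest/.$domain.pem.tmp"
    # umask in a subshell so the restrictive mask does not leak into the caller
    ( umask 077; cat "$key" "$cert" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp" && mv -f "$tmp" "$dest/$domain.pem" || { rm -f "$tmp"; return 1; }
    echo "installed $dest/$domain.pem" >&2
}

# renew_all SRC_ROOT DEST_DIR
# Runs certbot (unless SKIP_CERTBOT=1 or certbot is absent), then installs a
# pemfile for every directory under SRC_ROOT. Prints the number of pemfiles
# whose content changed; 0 means no reload is necessary.
renew_all() {
    src_root="$1"; dest="$2"; changed=0
    if [ "${SKIP_CERTBOT:-0}" != 1 ] && command -v certbot >/dev/null 2>&1; then
        certbot renew --quiet
    fi
    for dir in "$src_root"/*/; do
        [ -d "$dir" ] || continue
        domain="$(basename "$dir")"
        old_sum="$( [ -f "$dest/$domain.pem" ] && cksum < "$dest/$domain.pem" || echo none )"
        install_pemfile "$dir" "$dest" "$domain" || continue
        new_sum="$(cksum < "$dest/$domain.pem")"
        if [ "$old_sum" != "$new_sum" ]; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Entry point for the systemd service: only acts when explicitly asked, so the
# functions above can also be sourced and exercised against test directories.
if [ "${LE_RUN:-0}" = 1 ]; then
    n="$(renew_all "$LE_LIVE" "$LIGHTTPD_DIR")"
    if [ "$n" -gt 0 ]; then
        systemctl reload lighttpd
    fi
fi
```

Run it from the service as `LE_RUN=1 sh renew.sh` (filename assumed). A domain directory with a missing or truncated cert.pem is skipped and its old pemfile is left in place, and lighttpd is reloaded only when at least one pemfile changed, so a timer run that renewed nothing leaves the server untouched.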

That's all.
