1. 加入 Debian 8 "Jessie" Backports 套件庫
# vim /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main contrib non-free
2. 安裝 letsencrypt 套件
# apt-get install certbot
3. 申請 SSL 憑證
# certbot certonly --webroot -w /var/www/html -d mydomain.com
4. 混合 privkey.pem 與 cert.pem 成為 ssl.pem
# cd /etc/letsencrypt/live/mydomain.com/
# cat privkey.pem cert.pem > ssl.pem
(註) 產生的 PEM 檔存在 /etc/letsencrypt/live/mydomain.com/ 下面
5. 啟用 lighttpd SSL 功能
# vim /etc/lighttpd/conf-enabled/10-ssl.conf
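$SERVER["socket"] == ":443" {
  # TLS listener for lighttpd < 1.4.46 (built-in mod_openssl).
  ssl.engine = "enable"
  # ssl.pem is privkey.pem + cert.pem concatenated in step 4. It contains the
  # private key, so it must be readable by root only (e.g. chmod 600).
  # The directory name must match the domain passed to certbot above
  # (mydomain.com); the original used a different name here.
  ssl.pemfile = "/etc/letsencrypt/live/mydomain.com/ssl.pem"
  # NOTE(review): fullchain.pem already includes cert.pem; certbot also writes
  # chain.pem with only the intermediate(s). Confirm which one this lighttpd
  # version expects in ssl.ca-file.
  ssl.ca-file = "/etc/letsencrypt/live/mydomain.com/fullchain.pem"
  # Ephemeral (EECDH/EDH) suites only; the server's order wins.
  ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
  ssl.honor-cipher-order = "enable"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  # Using command "openssl dhparam -out dhparam.pem 4096"
  # to generate a prime for Diffie-Hellman key exchange.
  ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
  ssl.ec-curve = "secp384r1"
  # certbot renew does not rebuild ssl.pem: after every renewal repeat the
  # cat from step 6 and force-reload lighttpd, or the old cert stays in use.
}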
從 lighttpd 1.4.46 起 mod_openssl 成為獨立模組，改為下列設定
# apt-get install lighttpd-mod-openssl
# minimal configuration
# lighttpd >= 1.4.46: TLS is provided by the separately installed
# lighttpd-mod-openssl package, so the module must be loaded explicitly.
server.modules += ("mod_openssl")
$SERVER["socket"] == ":443" {
# main site SSL
ssl.engine = "enable"
# Chain and private key are given as two separate files here, so the
# ssl.pem concatenation from step 4 is not needed for this configuration.
# privkey.pem must remain readable by root only.
ssl.pemfile = "/path/site1/fullchain.pem"
ssl.privkey = "/path/site1/privkey.pem"
# site2 if need
# A second certificate/key pair for a second hostname; /path/siteN are
# placeholders to replace with the real certbot live directories.
$HTTP["host"] == "site2.example.com" {
ssl.pemfile = "/path/site2/fullchain.pem"
ssl.privkey = "/path/site2/privkey.pem"
}
}
6. 重新續約憑證
由於 Let's Encrypt 發出的憑證僅有 90 天效期，需定期更新以維持憑證效力。
# certbot renew
# cat privkey.pem cert.pem > ssl.pem (路徑 /etc/letsencrypt/live/mydomain.com/)
# /etc/init.d/lighttpd force-reload