Table of Contents

Set Let's Encrypt certificate for web GUI

Requirements:

This article describes how to configure default lighttpd of Turris to use Let's Encrypt certificate and how to automatically renew the certificate.

Installation

Use the acme.sh script which is quite simple and have no prerequisites.
https://github.com/Neilpang/acme.sh

wget -O - https://get.acme.sh | sh

For more options: https://github.com/Neilpang/acme.sh/wiki/How-to-install

New certificate

Some notes:

All things are going to happen in /root/.acme.sh (default setup)

Create file add80.gw (vi add80.gw)

add80.gw
 config redirect
         option target 'DNAT'
         option src 'wan'
         option dest 'lan'
         option proto 'tcp'
         option src_dport '80'
         option dest_ip '<TURRIS_IP>'  
         option dest_port '80'
         option name 'Turris  Lets encrypt'

Create file get_acme.sh (vi get_acme.sh)

get_acme.sh
 #!/bin/bash
 VER=1.1.0
 
 # Backup firewall config
 cp /etc/config/firewall  /etc/config/firewall~
 # Update firewall rules to remove any forward of port 80 on WAN (temporary port is 608036)
 cat /etc/config/firewall~ | sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'60806'\7/" > /etc/config/firewall
 # Update firewall rules to allow access via port 80 from internet to acme.sh
 cat  "/root/.acme.sh/add80.gw" >> /etc/config/firewall
 /etc/init.d/firewall reload
 
 # Stop lighttpd as acme.sh is starting its own daemon
 /etc/init.d/lighttpd stop
 
 # Trigger request to Let's Encrypt (and ensure to have the directory)
 mkdir -p /etc/lighttpd/certs
 "/root/.acme.sh/acme.sh" --issue --standalone -d <DOMAIN> --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
 
 # Prepare the certificates for lighttpd
 "/root/.acme.sh/acme.sh" --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs  --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd  "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"
 
 # Start lighttpd again
 /etc/init.d/lighttpd start
 
 # Restore firewall to original state
 mv /etc/config/firewall~ /etc/config/firewall
 /etc/init.d/firewall reload

Make the file readable and go.

chmod u+x /root/.acme.sh/get_acme.sh
/root/.acme.sh/get_acme.sh

Now the certificates are acquired and prepared for lighttpd.

Make a copy of SSL configuration file:

mkdir /etc/lighttpd/myconf.d
cp /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/myconf.d/

Update the configuration file /etc/lighttpd/lighttpd.conf as follows:

#include "/etc/lighttpd/conf.d/*.conf"
include_shell "cat $(ls conf.d/* | grep -v ssl)"
include "/etc/lighttpd/myconf.d/*.conf"

Update the configuration file /etc/lighttpd/myconf.d/ssl-enable.conf as follows:

# This settings enables https with Let's Ecnrypt certificate

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}

Then restart the lighttpd once more to load the Let's Encrypt certificate - /etc/init.d/lighttpd restart

Certificate renewal

Situation is very similar to new certificate. So the add80.gw will be reused.

Some notes (again):

Create file renew_acme.sh (vi renew_acme.sh)

renew_acme.sh
#!/bin/bash
VER=1.1.0
 
# Backup firewall config
cp /etc/config/firewall  /etc/config/firewall~
# Update firewall rules to remove any forward of port 80 on WAN (temporary port is 60806)
cat /etc/config/firewall~ | sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'60806'\7/" > /etc/config/firewall
# Update firewall rules to allow access via port 80 from internet to acme.sh
cat  "/root/.acme.sh/add80.gw" >> /etc/config/firewall
/etc/init.d/firewall reload
 
# Stop lighttpd as acme.sh is starting its own daemon
/etc/init.d/lighttpd stop
 
# Trigger renewal request to Let's Encrypt
"/root/.acme.sh/acme.sh" --cron --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
 
# Prepare the certificates for lighttpd
"/root/.acme.sh/acme.sh" --install-cert -d <DOMAIN> --certhome /etc/lighttpd/certs  --cert-file /etc/lighttpd/host.crt --key-file /etc/lighttpd/host.key --fullchain-file /etc/lighttpd/fullchain.crt --reloadcmd  "cat /etc/lighttpd/host.crt /etc/lighttpd/host.key > /etc/lighttpd/hostkey.pem"
 
# Start lighttpd again
/etc/init.d/lighttpd start
 
# Restore firewall to original state
mv /etc/config/firewall~ /etc/config/firewall
/etc/init.d/firewall reload

Now just make it executable

chmod u+x renew_acme.sh

As last step add this into cron with your own frequency and time. Let's Ecnrypt suggests daily but once a week should be enough. To edit cron use crontab -e

10 0 * * * "/root/.acme.sh"/renew_acme.sh > /dev/null