en:public:letencrypt_turris_lighttpd [2018/02/23 06:30]
tristone
en:public:letencrypt_turris_lighttpd [2020/04/29 22:59]
honzaberanku disable TLS 1.0 and 1.1
Line 61: Line 61:
  # Trigger request to Let's Encrypt (and ensure to have the directory)  # Trigger request to Let's Encrypt (and ensure to have the directory)
  mkdir -p /​etc/​lighttpd/​certs  mkdir -p /​etc/​lighttpd/​certs
- ​./​acme.sh --issue --standalone -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs --ca-path /​etc/​ssl/​certs+ "/​root/​.acme.sh/acme.sh" ​--issue --standalone -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs --ca-path /​etc/​ssl/​certs
  
  # Prepare the certificates for lighttpd  # Prepare the certificates for lighttpd
- ​./​acme.sh --install-cert -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs ​ --cert-file /​etc/​lighttpd/​host.crt --key-file /​etc/​lighttpd/​host.key --fullchain-file /​etc/​lighttpd/​fullchain.crt --reloadcmd ​ "cat /​etc/​lighttpd/​host.crt /​etc/​lighttpd/​host.key > /​etc/​lighttpd/​hostkey.pem"​+ "/​root/​.acme.sh/acme.sh" ​--install-cert -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs ​ --cert-file /​etc/​lighttpd/​host.crt --key-file /​etc/​lighttpd/​host.key --fullchain-file /​etc/​lighttpd/​fullchain.crt --reloadcmd ​ "cat /​etc/​lighttpd/​host.crt /​etc/​lighttpd/​host.key > /​etc/​lighttpd/​hostkey.pem"​
  
  # Start lighttpd again  # Start lighttpd again
Line 103: Line 103:
         ssl.pemfile = "/​etc/​lighttpd/​hostkey.pem"​         ssl.pemfile = "/​etc/​lighttpd/​hostkey.pem"​
         ssl.ca-file = "/​etc/​lighttpd/​fullchain.crt"​         ssl.ca-file = "/​etc/​lighttpd/​fullchain.crt"​
 +        # due to TLS v1.0 and v1.1 deprication browsers do not accept https on Turris anymore
 +        # this helped: (source: https://​redmine.lighttpd.net/​boards/​2/​topics/​8536)
 +         ​ssl.openssl.ssl-conf-cmd = ("​Ciphersuites"​ => "​TLS_AES_128_GCM_SHA256"​)+("​Protocol"​ => "-ALL, TLSv1.3"​)+("​Curves"​ => "​secp384r1"​)
 +         ​ssl.use-sslv2 = "​disable" ​
 +         ​ssl.use-sslv3 = "​disable" ​
 } }
  
Line 109: Line 114:
         ssl.pemfile = "/​etc/​lighttpd/​hostkey.pem"​         ssl.pemfile = "/​etc/​lighttpd/​hostkey.pem"​
         ssl.ca-file = "/​etc/​lighttpd/​fullchain.crt"​         ssl.ca-file = "/​etc/​lighttpd/​fullchain.crt"​
 +        # due to TLS v1.0 and v1.1 deprication browsers do not accept https on Turris anymore
 +        # this helped: (source: https://​redmine.lighttpd.net/​boards/​2/​topics/​8536)
 +         ​ssl.openssl.ssl-conf-cmd = ("​Ciphersuites"​ => "​TLS_AES_128_GCM_SHA256"​)+("​Protocol"​ => "-ALL, TLSv1.3"​)+("​Curves"​ => "​secp384r1"​)
 +         ​ssl.use-sslv2 = "​disable" ​
 +         ​ssl.use-sslv3 = "​disable" ​
 } }
 </​file>​ </​file>​
Line 136: Line 146:
 cat /​etc/​config/​firewall~ | sed -r "​s/​^(\s*)(option)(\s*)(src_dport)(\s*)'​(80)'​(.*)$/​\1\2\3\4\5'​60806'​\7/"​ > /​etc/​config/​firewall cat /​etc/​config/​firewall~ | sed -r "​s/​^(\s*)(option)(\s*)(src_dport)(\s*)'​(80)'​(.*)$/​\1\2\3\4\5'​60806'​\7/"​ > /​etc/​config/​firewall
 # Update firewall rules to allow access via port 80 from internet to acme.sh # Update firewall rules to allow access via port 80 from internet to acme.sh
- cat  "/​root/​.acme.sh/​add80.gw"​ >> /​etc/​config/​firewall+cat  "/​root/​.acme.sh/​add80.gw"​ >> /​etc/​config/​firewall
 /​etc/​init.d/​firewall reload /​etc/​init.d/​firewall reload
  
Line 143: Line 153:
  
 # Trigger renewal request to Let's Encrypt # Trigger renewal request to Let's Encrypt
-./acme.sh --cron --certhome /​etc/​lighttpd/​certs --ca-path /​etc/​ssl/​certs+"/​root/​.acme.sh/acme.sh" ​--cron --certhome /​etc/​lighttpd/​certs --ca-path /​etc/​ssl/​certs
  
 # Prepare the certificates for lighttpd # Prepare the certificates for lighttpd
-./acme.sh --install-cert -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs ​ --cert-file /​etc/​lighttpd/​host.crt --key-file /​etc/​lighttpd/​host.key --fullchain-file /​etc/​lighttpd/​fullchain.crt --reloadcmd ​ "cat /​etc/​lighttpd/​host.crt /​etc/​lighttpd/​host.key > /​etc/​lighttpd/​hostkey.pem"​+"/​root/​.acme.sh/acme.sh" ​--install-cert -d <​DOMAIN>​ --certhome /​etc/​lighttpd/​certs ​ --cert-file /​etc/​lighttpd/​host.crt --key-file /​etc/​lighttpd/​host.key --fullchain-file /​etc/​lighttpd/​fullchain.crt --reloadcmd ​ "cat /​etc/​lighttpd/​host.crt /​etc/​lighttpd/​host.key > /​etc/​lighttpd/​hostkey.pem"​
  
 # Start lighttpd again # Start lighttpd again
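Review bot: The `("Protocol" => "-ALL, TLSv1.3")` added in both `ssl.openssl.ssl-conf-cmd` lines (the Line 103 and Line 114 hunks) goes further than the stated goal of dropping TLS 1.0/1.1: it also switches off TLS 1.2, so any client without TLS 1.3 support loses access to the router's HTTPS interface, and the `Ciphersuites` pin reduces TLS 1.3 to the single AES-128-GCM suite for no security gain, since the dropped defaults (AES-256-GCM, ChaCha20-Poly1305) are equally current and ChaCha20 is usually faster on CPUs without AES acceleration, which I believe applies to Turris hardware. Restricting `Curves` to `secp384r1` likely also costs an extra round trip per handshake, because browsers normally send only an X25519 (or P-256) key share and must be asked again via HelloRetryRequest. I would keep 1.2 and the default suites, `ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3")+("Curves" => "X25519:secp384r1")`, or state in the comment why the narrower pin is intentional; the two `ssl.use-sslv2/3 = "disable"` lines only restate lighttpd's defaults and can go. Separately, the `--reloadcmd "cat host.crt host.key > hostkey.pem"` kept on the new side of the Line 61 and Line 153 hunks writes the private key into a fresh file under the shell's default umask, which on most systems leaves it world-readable; appending `&& chmod 600 /etc/lighttpd/hostkey.pem` inside the reloadcmd closes that, with a matching chown if lighttpd has to read the file as a non-root user.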