This script automatize the renewal process for certificates issued by Let's Encrypt.
Long story short, run as root:
certbot certonly --manual
Follow the steps required for every domain (and subdomain) and then for every domain do:
cd /etc/letsencrypt/live/yourdomain
cat privkey.pem cert.pem > ssl.pem
My lighttpd configuration follows the following convention:
put every certificate in /etc/lighttpd using the domainname.pem syntax to distinguish them
Every virtual hosts have its own folder in my home.
Therefore, for every virtual host (and for every certificate) my lighttpd.conf looks like
$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.ca-file = "/etc/lighttpd/fullchain.pem"
ssl.pemfile = "/etc/lighttpd/www.nerdz.eu.pem"
setenv.add-environment = (
"HTTPS" => "on"
)
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=15768000;"
)
#
# Mitigate BEAST attack:
#
# A stricter base cipher suite. For details see:
# https://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
#
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
#
# Make the server prefer the order of the server side cipher suite instead of the client suite.
# This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
# This option is enabled by default, but only used if ssl.cipher-list is set.
#
ssl.honor-cipher-order = "enable"
#
# Mitigate CVE-2009-3555 by disabling client triggered renegotation
# This is enabled by default.
#
ssl.disable-client-renegotiation = "enable"
ssl.ec-curve = "secp384r1"
ssl.use-compression = "disable"
#
# Disable SSLv2 because is insecure
ssl.use-sslv2= "disable"
#
# Disable SSLv3 (can break compatibility with some old browser) /cares
ssl.use-sslv3 = "disable"
}
Where www.nerdz.eu
is the domain.
There's another configuration for the document root, that differs from the one above for the line:
ssl.pemfile = "/etc/lighttpd/nerdz.eu.pem"
You have to change the first lines of renew.sh
according to your configuration.
You have to change the path of this script in the letsencrypt-lighttpd.service
file according to your configuration.
After that, you can activate the montly renew:
cp letsencrypt-lighttpd.* /etc/systemd/system/
systemctl enable letsencrypt-lighttpd.timer
That's all.