December 22, 2014

Setting up SSL for Lighttpd/Django

My latest client Farinaz Taghavi is finally in beta on her site, and one of the last steps to push her live was to set up SSL for her.

Luckily, I’ve done this a number of times, so it was quick and easy to do, but still I had to refer to various reference sites and remember exactly what I do differently than some.

First off, I use the Lighttpd configuration I describe in "Django and Lighttpd Configuration for smooth SSL". I don’t need to vary it much from what I did for my other site, but since I am using Satchmo for my ecommerce engine on this one, I can’t have separate domain names for the secure and non-secure sites. In other words, I want both http://farinaz.com and https://farinaz.com to work.

The changes are simple, but since the configuration is slightly different, you can download it and modify it for your own use: lighttpd_ssl.zip

In that file are the two very important lines:

ssl.pemfile = "/etc/lighttpd/ssl/farinaz.com/farinaz.com.pem"
ssl.ca-file = "/etc/lighttpd/ssl/farinaz.com/farinaz.com.crt"

The rest of this article will discuss how to acquire those files.

Creating the Certificate

1. Create a working directory. I always put them in “/etc/lighttpd/ssl/servername”.

mkdir -p /etc/lighttpd/ssl/yourserver.com
cd /etc/lighttpd/ssl/yourserver.com

2. Create your server key, and then (optionally) remove the password from it. The only critical question is “common name”, which must be the domain name you want to secure. In our example, that is “yourserver.com”.

# CAs no longer accept RSA keys shorter than 2048 bits
openssl genrsa -des3 -out yourserver.com.key 2048
openssl rsa -in yourserver.com.key -out yourserver.com.nopass.key

3. Create the CSR (Certificate Signing Request) that you’ll be using at the certifying authority to get your cert.

openssl req -new -key yourserver.com.nopass.key -out yourserver.com.csr
cat yourserver.com.csr

4. Copy the text to your clipboard. It will look something like this:


-----BEGIN CERTIFICATE REQUEST-----
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8G
A1UEBxMIUG9ydGxhbmQxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
[... and so on ...]
2JwW20fix2pFjK22E+jUvNh25cTRWpUKeTt5OEoE3hgkPZCjZPuzvXt7dw5N1CBv
1a9vX8LRMPRd+TtlOEBHhNZ2DLSkzAvTg4RI+1uPLN3KBpRp9FCTaPEmeuLfMBwl
Y7Se
-----END CERTIFICATE REQUEST-----

5. Go to a good, cheap certificate source. I like to use Namecheap since they are in fact cheap, their control panel is very usable, and they are not underhanded in business dealings, unlike the infamous GoDaddy. (I currently have 49 domains with them!) Namecheap has SSL certs for as low as $12.88 per year.

A short aside. There is no reason I can see for 99% of all site operators to get anything more than the cheapest possible cert from RapidSSL. Ignore all the sales hype. The simple fact is that no one except extreme geeks even knows or cares about levels of certification, the vetting process, or any of that. It is simply not a factor in purchasing decisions from anything I’ve ever seen, and I used to work for a company that sold expensive certs!

6. After you purchase your cert, the site will ask you what type of system you have. I’ve never seen Lighttpd listed as an option, so you should select “Apache + OpenSSL”

7. Next it will ask for your CSR. Paste in the text you copied in step 4.

8. Make sure you can receive email at the address where the certificate authority will send the confirmation! Wait for it, and click the confirmation link.

9. Wait a few minutes to get your cert.

10. Copy the text of the cert to a file on the server. I just use emacs and paste in the contents of the cert I copied from the email. Save it as “yourserver.com.crt”.

11. Finally, create your pem file.

cat yourserver.com.nopass.key yourserver.com.crt > yourserver.com.pem
chmod 0600 yourserver.com.pem

12. Verify that lighttpd has SSL.

/usr/local/sbin/lighttpd -v

It should say something like “lighttpd-1.4.11 (ssl).” If it doesn’t then you need to recompile it. Use the instructions on cyberciti.biz for that if you need it.

13. Restart the server.

/etc/init.d/lighttpd restart

Done. This takes me about 15 minutes, most of that waiting on emails.
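
A check worth running on the file from step 11 before the restart in step 13, as an added example that is not part of the original post: it lints the combined .pem for owner-only permissions, a passphrase-free key, and intact PEM markers. The function names and the sample file contents are constructed for illustration.

```shell
# Lint the combined key+certificate file built in step 11.
# Prints one line per problem; returns 0 when clean, 1 otherwise.
bad() { echo "FAIL: $1"; problems=$((problems + 1)); }

check_lighttpd_pem() {
    pem=$1; problems=0
    [ -f "$pem" ] || { echo "FAIL: $pem not found"; return 1; }

    # The file holds the private key: owner-only access, as chmod 0600 sets.
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    case $mode in
        600|400) ;;
        *) bad "mode is $mode, expected 600" ;;
    esac

    # cat joins files byte for byte: if the key file lacks a final newline,
    # its END line and the certificate's BEGIN line fuse into one line.
    if grep -q -e '-----END [A-Z ]*----------BEGIN ' "$pem"; then
        bad "END and BEGIN markers fused on one line"
    fi

    # Step 11 uses the passphrase-free key, so nothing should be encrypted.
    if grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)$' "$pem"; then
        bad "private key is passphrase-protected"
    fi

    # Expect exactly one private key block and at least one certificate.
    keys=$(grep -cE '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$pem" || true)
    certs=$(grep -cE '^-----BEGIN CERTIFICATE-----$' "$pem" || true)
    [ "$keys" -eq 1 ] || bad "$keys private key blocks, expected 1"
    [ "$certs" -ge 1 ] || bad "no certificate block found"

    [ "$problems" -eq 0 ]
}

# Constructed sample: placeholder base64, not a real key or certificate.
write_sample_pem() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1"
    chmod 0600 "$1"
}

sample=$(mktemp)
write_sample_pem "$sample"
if check_lighttpd_pem "$sample"; then echo "sample: OK"; fi
rm -f "$sample"
```

On the server, call it as check_lighttpd_pem /etc/lighttpd/ssl/yourserver.com/yourserver.com.pem; it inspects structure and permissions only and does not parse the key or certificate.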


About Bruce Kroeze

Comments

  1. Jaisen says:

    Good tutorial. You’ll also need to remember to make necessary changes to your lighttpd.conf file.

    Put this in the same section you have your document root specified.

    ssl.pemfile = var.confdir + "/ssl/yourdomain.com/yourdomain.com.pem"

    For GoDaddy you’ll need this too.
    ssl.ca-file = var.confdir + "/ssl/gd_intermediate.crt"

  2. me says:

    thanks for this, used it a few times

    don't see why they ever made it this complex!

    What a pain, buy domain, setup dns, setup mail server, mail for emails, blah blah blah!

    BTW, Namecheap is currently doing those SSL certs for free when you buy any domain name, it's in the checkout process somewhere as an option.

    I bought one a few weeks ago and noticed it, this time though I did not notice the option for the free cert and had to ask on the Live Chat, the woman added it to my account within seconds
