Setting up SSL for Lighttpd/Django
My latest client Farinaz Taghavi is finally in beta on her site, and one of the last steps to push her live was to set up SSL for her.
Luckily, I’ve done this a number of times, so it was quick and easy to do, but still I had to refer to various reference sites and remember exactly what I do differently than some.
First off, I use the Lighttpd configuration I describe in “Django and Lighttpd Configuration for smooth SSL”, I don’t have any need to vary it much from what I did for my other site, but since I am using Satchmo for my ecommerce engine on this one, I can’t have a separate domain name for my secure and non-secure domains. In other words, I want both http://farinaz.com and https://farinaz.com to work.
The changes are simple, but since it is slightly different, you can download it and modify for your own use: lighttpd_ssl.zip
In that file are the two very important lines:
ssl.pemfile = "/etc/lighttpd/ssl/farinaz.com/farinaz.com.pem"
ssl.ca-file = "/etc/lighttpd/ssl/farinaz.com/farinaz.com.crt"
The rest of this article will discuss how to acquire those files.
Creating the Certificate
1. Create a working directory. I always put them in “/etc/lighttpd/ssl/servername“
mkdir -p /etc/lighttpd/ssl/yourserver.com
2. Create your server key, and then (optionally) remove the password from it. The only critical question is “common name”, which must be the domain name you want to secure. In our example, “yourserver.com”
openssl genrsa -des3 -out yourserver.com.key 1024
openssl rsa -in yourserver.com.key -out yourserver.com.nopass.key
3. Create the CSR (Certificate Signing Request) that you’ll be using at the certifying authority to get your cert.
openssl req -new -key yourserver.com.nopass.key -out yourserver.com.csr
4. Copy the text to your clipboard. It will look something like this:
-----BEGIN CERTIFICATE REQUEST-----
[... and so on ...]
-----END CERTIFICATE REQUEST-----
5. Go to a good cheap certificate source. I like to use Name Cheap since they are in fact cheap, their control panel is very usable, and they are not underhanded in business dealings unlike the infamous GoDaddy. (I currently have 49 domains with them!) Namecheap has SSL certs for as low as $12.88 per year.
A short aside. There is no reason I can see for 99% of all site operators to get anything more than the cheapest possible cert from RapidSSL. Ignore all the sales hype. The simple fact is that no one except extreme geeks even know or care about levels of certification, the vetting process, or any of that. It is simply not a factor in purchasing decisions from anything I’ve ever seen, and I used to work for a company that sold expensive certs!
6. After you purchase your cert, the site will ask you what type of system you have. I’ve never seen Lighttpd listed as an option, so you should select “Apache + OpenSSL”
7. Next it will ask for your CSR. Paste in the text you copied in step 4.
8. Make sure you can receive email at the address where the certificate authority will send the confirmation! Wait for it, and click the confirmation link.
9. Wait a few minutes to get your cert.
10. Copy the text of the cert to a file on the server. I just use emacs and paste in the contents of the cert I copied from the email. Save it as “yourserver.crt”.
11. Finally, create your pem file.
cat yourserver.com.nopass.key yourserver.com.crt > yourserver.com.pem
chmod 0600 yourserver.com.pem
12. Verify that lighttpd has SSL.
It should say something like “lighttpd-1.4.11 (ssl).” If it doesn’t then you need to recompile it. Use the instructions on cyberciti.biz for that if you need it.
13. restart the server.
Done. This takes me about 15 minutes, most of that waiting on emails.