Let's Encrypt multiple domains

I've gone ahead and read through this guide https://doc.turris.cz/doc/en/public/letencrypt_turris_lighttpd and managed to successfully apply it to my main domain, but I want to cover subdomains.

Example: right now it's working on
*.XXX.sk

But I'd like to make it work on
dog.XXX.sk
cat.XXX.sk
mouse.XXX.sk

Each and every one of those subdomains has to have a certificate of its own, correct?

Do I have to repeat the same steps and rename scripts + paths to make it separate?

Or how else should I go about adding more certs for subdomains?

It should be sufficient to add your subdomains to the commands in the script. Just look at the script and append "-d sub1.example.com -d sub2.example.com" after every occurrence of "-d example.com".

You will get one certificate that is valid for every added subdomain (you can add other domains exampleX.com too, as long as they point to the public IP of your Omnia). All additional (sub-)domains are added to the resulting certificate as alternative names.

EDIT: It should be sufficient to just add the above arguments to this line only:

 # Trigger request to Let's Encrypt (and ensure to have the directory)
 mkdir -p /etc/lighttpd/certs
 "/root/.acme.sh/acme.sh" --issue --standalone -d <DOMAIN> --certhome /etc/lighttpd/certs --ca-path /etc/ssl/certs
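As an added example (not the guide's script and not code from this thread), here is a small shell script that does what the reply above describes: it builds the `-d` list from one main domain plus any number of subdomains, wraps the acme.sh call with the lighttpd stop/start the guide's script uses, and prints the names the issued certificate carries. The acme.sh and certhome paths follow the guide; `example.com` and the dog/cat/mouse names are placeholders, and the `<certhome>/<domain>/<domain>.cer` location is an assumption about acme.sh's layout (ECC keys get a `_ecc` suffix on the directory).

```shell
#!/bin/sh
# Added example, not the Turris guide's script: issue ONE Let's Encrypt
# certificate for a main domain plus subdomains with acme.sh (the extra
# names end up as subjectAltName entries), then list those names.
# Assumptions: acme.sh and certhome paths as in the guide, lighttpd as on
# Turris Omnia, placeholder domain names, acme.sh layout <certhome>/<domain>/.

ACME="/root/.acme.sh/acme.sh"
CERTHOME="/etc/lighttpd/certs"
MAIN_DOMAIN="example.com"                                        # placeholder
EXTRA_DOMAINS="dog.example.com cat.example.com mouse.example.com" # placeholders

# Turn a space-separated domain list into the "-d a -d b ..." string acme.sh
# expects. The first -d becomes the certificate subject, the rest are SANs.
# Names are validated so nothing but hostnames can reach the command line.
build_domain_args() {
    args=""
    for d in $1; do
        case "$d" in
            *[!A-Za-z0-9.-]*) echo "bad character in domain: $d" >&2; return 1 ;;
            *.*) ;;
            *) echo "refusing bare label: $d" >&2; return 1 ;;
        esac
        args="$args -d $d"
    done
    printf '%s' "${args# }"
}

# The guide's flow: stop lighttpd so acme.sh's standalone responder can bind
# port 80 for the HTTP-01 challenge, request the certificate, and start
# lighttpd again whether or not issuance succeeded.
issue_cert() {
    dargs=$(build_domain_args "$MAIN_DOMAIN $EXTRA_DOMAINS") || return 1
    mkdir -p "$CERTHOME"
    /etc/init.d/lighttpd stop
    # $dargs is deliberately unquoted so it splits into separate arguments
    "$ACME" --issue --standalone $dargs --certhome "$CERTHOME" --ca-path /etc/ssl/certs
    rc=$?
    /etc/init.d/lighttpd start
    return $rc
}

# Print the subjectAltName line of the issued certificate. acme.sh stores it
# as <certhome>/<main domain>/<main domain>.cer (directory suffixed _ecc for
# ECC keys); adjust if your acme.sh version lays it out differently.
show_sans() {
    openssl x509 -in "$CERTHOME/$MAIN_DOMAIN/$MAIN_DOMAIN.cer" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}'
}

if [ "${1:-}" = "issue" ]; then
    issue_cert && show_sans
fi
```

Run it on the router as `sh issue-cert.sh issue`. Every name passed with `-d` must resolve to the router's public IP, because the standalone HTTP-01 challenge is answered on port 80 for each of them; the first `-d` becomes the certificate's subject and the rest are added as subject alternative names, which is why a single certificate file covers all of them.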

Thank you, that worked like a charm. One thing that I need to figure out: how to connect to Turris now that it's not listening on port 80? It seems unable to do so via 192.168.0.1.

You're welcome :). If you followed the howto you mentioned, lighttpd should still listen on port 80. If you take a look at the scripts you see that lighttpd is stopped before acme.sh is called and at the end of the scripts lighttpd is restarted.

You are correct. I noticed when trying to use "192.168.0.1" in my browser it automatically calls for https://192 rather than http://192, but I'm unable to get in regardless via the browser.

What's the problem exactly?

Run

 nc -zv <RouterIP> 80

And

 nc -zv <RouterIP> 443

To see if HTTP and HTTPS ports are open.

If you get a certificate warning when connecting through your browser, this is normal because your generated certificate is pinned to your domain example.com and you connect to your router by using your local ip.

To be able to connect to your router via your domain from inside your LAN you have to set up a "split brain DNS", which is much simpler than it sounds. Follow this guide to tell your local kresd DNS server on your router to bind your domain example.com to the local IP of your router (section "Adding static address records"):

https://doc.turris.cz/doc/en/public/dns_knot_misc

EDIT:

You may also have messed up lighttpd's config.
Run

/etc/init.d/lighttpd restart

And watch /var/log/messages for error messages regarding lighttpd.
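The certificate warning the reply mentions comes from name matching: the browser compares the host it was asked for (here the literal `192.168.0.1`) against the certificate's subjectAltName entries, and an IP address only matches an `IP Address:` entry, never a `DNS:` entry. As an added example (not from the thread), this script pulls the served SAN list with `openssl s_client` and applies the same matching rule, including single-label wildcards, so you can see which names would pass before setting up the split DNS. Host, port and names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: why reaching the router by IP gives a
# certificate warning. fetch_sans pulls the served certificate's
# subjectAltName list; san_matches applies the browser's rule to a name:
# exact DNS entry, or a wildcard covering exactly one label, and an IP
# literal only matches an "IP Address:" entry. Host/port/names are placeholders.

# $1 = host:port to connect to, $2 = name to send as SNI.
# Output looks like: DNS:example.com, DNS:dog.example.com
fetch_sans() {
    printf '' | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 when name $1 is covered by the comma-separated SAN list $2.
san_matches() {
    name=$1
    rest=$2
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        entry=${entry# }
        case "$entry" in
            "DNS:$name"|"IP Address:$name") return 0 ;;
            DNS:\*.*)
                # *.example.com covers dog.example.com, but neither
                # example.com itself nor a.b.example.com
                suffix=${entry#DNS:\*.}
                head=${name%".$suffix"}
                if [ "$head" != "$name" ] && [ -n "$head" ]; then
                    case "$head" in *.*) ;; *) return 0 ;; esac
                fi
                ;;
        esac
    done
    return 1
}

# $1 = host:port, $2 = the name typed into the browser.
check_name() {
    sans=$(fetch_sans "$1" "$2")
    if san_matches "$2" "$sans"; then
        echo "$2 is covered by: $sans"
    else
        echo "$2 is NOT in the certificate ($sans): expect a browser warning"
        return 1
    fi
}

if [ "${1:-}" = "check" ]; then
    check_name "${2:-192.168.0.1:443}" "${3:-192.168.0.1}"
fi
```

`sh check-san.sh check 192.168.0.1:443 192.168.0.1` reproduces the warning case; `sh check-san.sh check 192.168.0.1:443 dog.example.com` is what the browser will do once the split DNS resolves `dog.example.com` to the router's LAN address.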

I immediately ran the restart and checked the log because I suspected my fault being at play, and well, it is.

2021-02-18 12:05:34 info procd[]: Instance lighttpd::instance1 s in a crash loop 6 crashes, 2 seconds since last crash

Should I post my /etc/lighttpd/lighttpd.conf here?

Thanks in advance

If you didn't make any other changes to the lighttpd config other than those mentioned in the guide, just take a look at "/etc/lighttpd/myconf.d/ssl-enable.conf" and post it here if you want to; it shouldn't contain any sensitive data.

And make sure your certificates are in place (as configured in the config file above).

ssl-enable.conf:

# This setting enables https with user-generated self-signed certificate from
# package https-cert

# This package is not meant to be edited, it is part of package lighttpd-https-cert
# If you need different https setup, uninstall this package and create your own configuration

# This setting enables https with Let's Encrypt certificate

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
        # due to TLS v1.0 and v1.1 deprecation browsers do not accept https on Turris anymore
        # this helped: (source: https://redmine.lighttpd.net/boards/2/topics/8536)
        ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256") + ("Protocol" => "-ALL, TLSv1.3") + ("Curves" => "secp384r1")
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
        # due to TLS v1.0 and v1.1 deprecation browsers do not accept https on Turris anymore
        # this helped: (source: https://redmine.lighttpd.net/boards/2/topics/8536)
        ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256") + ("Protocol" => "-ALL, TLSv1.3") + ("Curves" => "secp384r1")
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
}

Last third of lighttpd.conf:

# listen on IPv6
$SERVER["socket"] == "[::]:80" { }

# Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"

#dir-listing.encoding = "utf-8"
#server.dir-listing = "enable"

include "/etc/lighttpd/mime.conf"
include "/etc/lighttpd/modules.d/*.load"
#include "/etc/lighttpd/conf.d/*.conf"

#include "/etc/lighttpd/conf.d/*.conf"
include_shell "cat $(ls conf.d/* | grep -v ssl)"
include "/etc/lighttpd/myconf.d/*.conf"

And the certs are where they should be, but not directly at the location "/etc/lighttpd/certs"; they are under another subfolder. I should move them up a folder, right? So that the *.cer, *.conf etc. files are directly in "/etc/lighttpd/certs".

The certificates should be exactly here:

You can either move the certificates or set the lines above to match the location. As certificates are automatically renewed, you should point the lines above to the location where they are created by acme.sh so that renewal can happen without your intervention.

I've inspected everything once more but lighttpd still seems to be in a crash loop. Any ideas on how to diagnose it correctly?

You have several options:

See logs in /var/log/lighttpd for some errors.

Run lighttpd manually:

lighttpd -D -f /etc/lighttpd/lighttpd.conf

Use lighttpd's syntax test mode:

lighttpd -t -f /etc/lighttpd/lighttpd.conf

I assume you restarted lighttpd after adjusting the config file?

/etc/init.d/lighttpd restart

I have restarted the service of course.

Output of syntax test mode is: OK

Running lighttpd manually comes up with this

root@turris:/etc/lighttpd# lighttpd -D -f /etc/lighttpd/lighttpd.conf
2021-02-18 21:55:19: (mod_openssl.c.748) SSL: SSL_CONF_cmd Protocol ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2, -ALL, TLSv1.3 : error:1414E180:lib(20):func(334):reason(384)
2021-02-18 21:55:19: (server.c.1207) Initialization of plugins failed. Going down.

Try this ssl-enable config (without the SSL cipher settings):

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
}

If I try starting it up, it stops with this error (that was happening before; deleting a portion of the SSL conf put me further in the direction of another error):

Duplicate config variable in conditional 3 global/SERVERsocket==[::]:443: ssl.engine
2021-02-18 22:20:22: (configfile.c.1316) source: /etc/lighttpd/myconf.d/ssl-enable.conf line: 16 pos: 20 parser failed somehow near here: (EOL)
2021-02-18 22:20:22: (configfile.c.1316) source: /etc/lighttpd/lighttpd.conf line: 42 pos: 1 parser failed somehow near here: (EOL)

But if I delete one of those 443 entries it behaves as if it starts OK?

lighttpd -D -f /etc/lighttpd/lighttpd.conf
Bottle v0.12.13 server starting up (using FlupFCGIServer(bindAddress=None))…
Listening on http://127.0.0.1:8080/
Hit Ctrl-C to quit.

This looks good, you should be able to start lighttpd through the init.d script now. But you disabled either listening on IPv4 or IPv6, so:

Which one did you delete?

This indicates that there is something wrong in ssl-enable.conf in line 16 at position 20; EOL means end of line. Is there a misplaced special character? Is your text editor using Windows EOL instead of Unix EOL?
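As an added example (not from the thread), two checks for the two kinds of parser complaint quoted above: config files in the lighttpd tree that carry Windows CRLF line endings, and a `$SERVER["socket"] == "..."` condition that is defined more than once across the included files. lighttpd merges blocks with the same condition, so when the same block appears twice the second `ssl.engine` inside it is what produces "Duplicate config variable in conditional ... ssl.engine". The directory defaults to `/etc/lighttpd` as on Turris; both functions take any directory so they can be tried on a copy.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a lighttpd config tree.
# crlf_files lists config files with Windows CRLF line endings (the parser's
# "(EOL)" complaint); duplicate_sockets lists every $SERVER["socket"] == "..."
# condition that appears more than once across the included files, the usual
# cause of "Duplicate config variable in conditional ... ssl.engine".
# Assumes the Turris layout under /etc/lighttpd; any directory can be passed.

# $1 = directory; prints each *.conf / *.load file containing a carriage return
crlf_files() {
    find "$1" -type f \( -name '*.conf' -o -name '*.load' \) | while read -r f; do
        if grep -q "$(printf '\r')" "$f"; then
            echo "$f"
        fi
    done
}

# $1 = directory; prints "<socket>: file1 file2 ..." for conditions defined
# more than once (within one file or across files)
duplicate_sockets() {
    find "$1" -type f -name '*.conf' | while read -r f; do
        awk -v file="$f" '
            match($0, /\$SERVER\["socket"\] *== *"[^"]*"/) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*== *"/, "", s)   # drop everything up to the opening quote
                sub(/"$/, "", s)        # drop the closing quote
                print s, file
            }' "$f"
    done | awk '
        { n[$1]++; where[$1] = where[$1] " " $2 }
        END { for (s in n) if (n[s] > 1) print s ":" where[s] }'
}

if [ "${1:-}" = "scan" ]; then
    dir=${2:-/etc/lighttpd}
    echo "== files with CRLF line endings"; crlf_files "$dir"
    echo "== socket conditions defined more than once"; duplicate_sockets "$dir"
fi
```

Run `sh lighttpd-check.sh scan` on the router. A file listed by the first check can be fixed with `sed -i 's/\r$//' <file>`; a socket listed by the second check should keep exactly one block, which explains why deleting one of the two `:443` blocks made the parser happy.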

I deleted this entry:

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/hostkey.pem"
        ssl.ca-file = "/etc/lighttpd/fullchain.crt"
        # due to TLS v1.0 and v1.1 deprecation browsers do not accept https on Turris anymore
        # this helped: (source: https://redmine.lighttpd.net/boards/2/topics/8536)
        ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256") + ("Protocol" => "-ALL, TLSv1.3") + ("Curves" => "secp384r1")
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
}

And I'm using the "vi" editor.

So this is the IPv6 entry. It should be okay to use IPv4 only for LAN access, and LuCI should work without it. Nevertheless, it should work with IPv6 enabled too, but I can't see what's wrong there...

It seems to not crash anymore (with that entry deleted), but even when it's started up I can't get into 192.168.0.1 - PR_END_OF_FILE_ERROR

Nor can I access any of the port 443 pages - ERR_CONNECTION_TIMED_OUT