Lighttpd no longer working with self-signed cert

Biosko · June 16, 2023, 9:48am

Hello,

After update to TurrisOS 6.3.3, lighttpd with self signed certificate stops working.

My setup:

Disable existing SSL configuration

opkg remove lighttpd-https-cert

Stop updater from automatically reinstalling lighttpd-https-cert package

vi /etc/updater/conf.d/no-upstream-ssl.lua
Uninstall("lighttpd-https-cert", { priority = 60 }

/etc/lighttpd/conf.d/90-turris-root.conf (comment out lines)

#$SERVER["socket"] == "*:80" { }
#$SERVER["socket"] == "[::]:80" { }

/etc/lighttpd/conf.d/40-ssl-enable.conf

# Modern configuration from
# https://ssl-config.mozilla.org/
# Last verified: 22 October 2022
server.port = 443
# Port 80 is disabled, but this doesn't hurt...
$HTTP["scheme"] == "http" {
url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}
$HTTP["scheme"] == "https" {
# HTTP Strict Transport Security (63072000 seconds)
setenv.add-response-header = (
"Strict-Transport-Security" => "max-age=63072000"
)
setenv.add-environment = (
"HTTPS" => "on"
)
}
# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
$SERVER["socket"] == ":443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
ssl.privkey = "/etc/lighttpd/certs/router.home.lan/router.home.lan.key"
ssl.pemfile = "/etc/lighttpd/certs/router.home.lan/fullchain.cer"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")

It was working prio to 6.3.x update (I guess my latest was 6.2.x) but after todays update it stops working.
Can somebody help to fix?
Thank you

salty · June 16, 2023, 10:49am

I have this in my own /etc/updater/conf.d/no-upstream-ssl.lua file (the closing parenthesis is missing in yours by the way):

Uninstall("lighttpd-https-cert", { priority = 60 })
Install("lighttpd-mod-openssl")

Biosko · June 16, 2023, 10:50am

Found the root cause

lighttpd -tt -f /etc/lighttpd/lighttpd.conf 
2023-06-16 12:33:41: (../src/configfile.c.279) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives
2023-06-16 12:33:41: (../src/plugin.c.202) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so Error loading shared library /usr/lib/lighttpd/mod_openssl.so: No such file or directory
2023-06-16 12:33:41: (../src/server.c.1285) loading plugins finally failed

So I installed it

opkg install lighttpd-mod-openssl

Biosko · June 16, 2023, 10:52am

Thank you,

Parenthesis was just copy and paste error (config is OK)

But lighttpd-mod-openssl was indeed missing. In version 6.2.x it was working for me without installing it.

Maybe it was in default installation and now its not?

system · June 19, 2023, 10:52am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.