Replace lighttpd with uhttpd

Hello everyone,

my goal is to be able to easily access the web interface (LuCI) of Turris over HTTPS, secured by a Let's Encrypt certificate, from the local network.
The acme package from the OpenWrt repo in combination with uhttpd offers exactly that. I get the certificate automatically via the DNS API.
Since the implementation with lighttpd seems too complicated to me (certificates have to be converted, at least), I would like to replace lighttpd with uhttpd.
Are there any problems here (e.g. with Foris) or is it simply a package swap?

Many thanks in advance.

lighttpd and acme-dnsapi work perfectly fine together without any conversion. What have you tried?

Hello salty,

thanks for the reply.

I find the Turris guide super cumbersome.

Then I have the following documentation with the corresponding certificate conversion because lighttpd apparently expects .pem certificates.

How did you implement it?

Where in the lighttpd config do I refer to the acme dir? I only have the certificates as .cer .csr and the key.

Greetings

Addendum:
This is a wildcard certificate which I also want to use on other OpenWrt devices. That's why uhttpd would be the right choice, and there is an option in acme to use the certificate for uhttpd. Then I would have it directly in the correct format for the other devices.

/etc/config/acme

config acme
        option state_dir '/etc/acme'
        option account_email 'name.surname@example.com'
        option debug '0'

config cert 'main'
        option keylength 'ec-256'
        list domains 'router.example.com'    # subjectName
        list domains 'srv1.example.com'    # subjectAltName
        list domains 'srv2.example.com'    # subjectAltName
        option enabled '1'
        option validation_method 'dns'
        option dns 'dns_<provider>'   # see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for list of options
        list credentials '<XX>_Username="<username>"'
        list credentials '<XX>_Password="<password>"'
        option use_staging '0'

Updater and lighttpd modifications for SSL support
Updater configuration
/etc/updater/conf.d/lighttpd-ssl-acme.lua

Uninstall("lighttpd-https-cert", { priority = 60 })
Install("lighttpd-mod-openssl")

Lighttpd SSL configuration
/etc/lighttpd/conf.d/39-ssl-acme.conf

ssl.pemfile = "/etc/acme/www.example.com_ecc/fullchain.cer"
ssl.privkey = "/etc/acme/www.example.com_ecc/www.example.com.key"
ssl.openssl.ssl-conf-cmd = (
  "MinProtocol" => "TLSv1.2",
  "Options" => "-ServerPreference",
  "CipherString" => "ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384"
)

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
}

$SERVER["socket"] == "[::]:443" {
  ssl.engine = "enable"
}

Nothing more, nothing less. Don't forget to run pkgupdate to remove lighttpd-https-cert and install lighttpd-mod-openssl, and finally restart lighttpd.

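The setup above leaves a few things for the operator to verify after pkgupdate: that acme.sh put the files where 39-ssl-acme.conf points (with an ec-256 key, acme.sh names the directory `<domain>_ecc`, which is why the path above carries that suffix), that the key really belongs to the certificate, that the lighttpd config tree still parses, and that the :443 listener serves the chain. The script below is an added example, not part of salty's post or of any Turris/OpenWrt package; the state dir `/etc/acme`, the domain and the key length come from the config in this thread, `/etc/lighttpd/lighttpd.conf` is the usual top-level config, and `openssl` and `lighttpd` are assumed to be on PATH. The script name `check-lighttpd-acme.sh` is a placeholder.

```shell
#!/bin/sh
# Added example: post-install checks for the acme + lighttpd setup from this thread.
# Assumptions: openssl and lighttpd on PATH; state dir, domain and key length as below.

STATE_DIR="${STATE_DIR:-/etc/acme}"
DOMAIN="${DOMAIN:-router.example.com}"
KEYLENGTH="${KEYLENGTH:-ec-256}"
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"

# acme.sh stores ECC certificates in "<domain>_ecc", RSA ones in "<domain>".
acme_cert_dir() {
    state_dir=$1; domain=$2; keylength=$3
    case "$keylength" in
        ec-*) printf '%s/%s_ecc\n' "$state_dir" "$domain" ;;
        *)    printf '%s/%s\n' "$state_dir" "$domain" ;;
    esac
}

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key. A mismatch means lighttpd will refuse the
# pair at startup and nothing will answer on :443.
cert_key_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Syntax-check the whole lighttpd config tree, including conf.d/39-ssl-acme.conf.
check_lighttpd_conf() {
    lighttpd -tt -f "$1"
}

# Do a real handshake against the listener and print the served leaf certificate.
tls_probe() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

main() {
    dir=$(acme_cert_dir "$STATE_DIR" "$DOMAIN" "$KEYLENGTH")
    cert="$dir/fullchain.cer"
    key="$dir/$DOMAIN.key"
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done
    # The private key must not be world-readable (-perm -004 = "others may read").
    if find "$key" -perm -004 | grep -q .; then
        echo "warning: $key is world-readable" >&2
    fi
    cert_key_match "$cert" "$key" || { echo "certificate and key do not match" >&2; exit 1; }
    check_lighttpd_conf "$LIGHTTPD_CONF" || exit 1
    tls_probe "$DOMAIN"
}

# Only run the checks when executed under this (placeholder) name, so the
# functions can also be sourced from another script.
case "${0##*/}" in check-lighttpd-acme.sh) main "$@" ;; esac
```

Run it as root on the Turris after the pkgupdate and the lighttpd restart; a non-zero exit or a "do not match" message points at the same problem the usual "lighttpd does not come up after the swap" reports boil down to.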

Candidate for documentation?

Do you happen to have any tips on how I can get the certificates onto the other three OpenWrt devices? A blunt script which copies the data daily via SCP and restarts the web server…
Somehow that seems like a sledgehammer to me.
Or does it make more sense to run a separate acme on each device and then get one certificate per subdomain rather than wildcard?
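The daily SCP copy described in the question becomes much less of a sledgehammer if the script only touches a device when the certificate actually changed, and restarts uhttpd only there. The script below is an added example, not from anyone in this thread and not from the acme package; it assumes the wildcard certificate lives in `/etc/acme/example.com_ecc/` on the Turris (acme.sh names the directory and key file after the first domain of the cert config, with `_ecc` for an ec-256 key), that the other OpenWrt devices keep uhttpd's default `option cert '/etc/uhttpd.crt'` and `option key '/etc/uhttpd.key'` from `/etc/config/uhttpd`, that key-based SSH as root works to each of them, and that `sha256sum` is available on both ends (it is in OpenWrt's busybox). The hostnames and the script name `push-uhttpd-cert.sh` are placeholders.

```shell
#!/bin/sh
# Added example: push an acme.sh-issued certificate from the Turris to other
# OpenWrt devices running uhttpd, only when it changed, restarting uhttpd
# only on devices that received a new file.
# Assumptions: CERT_DIR/KEY_FILE follow acme.sh naming for the first domain of
# the cert config; remote paths are uhttpd's defaults from /etc/config/uhttpd;
# root SSH with keys; sha256sum on both ends. Hostnames are placeholders.

CERT_DIR="${CERT_DIR:-/etc/acme/example.com_ecc}"
CERT_FILE="${CERT_FILE:-$CERT_DIR/fullchain.cer}"
KEY_FILE="${KEY_FILE:-$CERT_DIR/example.com.key}"
REMOTE_CERT=/etc/uhttpd.crt
REMOTE_KEY=/etc/uhttpd.key
HOSTS="${HOSTS:-ap1.example.com ap2.example.com ap3.example.com}"

# sha256 of a local file, digest only.
local_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# sha256 of a file on a device; empty string if the file is absent.
remote_digest() {
    ssh "root@$1" "sha256sum $2 2>/dev/null" | cut -d' ' -f1
}

# Build a staging directory holding both files under their uhttpd names,
# with the key readable only by root, so that scp -p carries the mode across.
stage_cert() {
    cert=$1; key=$2; dest=$3
    mkdir -p "$dest" || return 1
    cp "$cert" "$dest/uhttpd.crt" || return 1
    cp "$key" "$dest/uhttpd.key" || return 1
    chmod 644 "$dest/uhttpd.crt" || return 1
    chmod 600 "$dest/uhttpd.key"
}

# Return 0 (deploy needed) when the local and remote certificate digests differ.
needs_deploy() {
    [ "$1" != "$2" ]
}

deploy_host() {
    host=$1; stage=$2
    if needs_deploy "$(local_digest "$stage/uhttpd.crt")" "$(remote_digest "$host" "$REMOTE_CERT")"; then
        scp -p "$stage/uhttpd.crt" "root@$host:$REMOTE_CERT" || return 1
        scp -p "$stage/uhttpd.key" "root@$host:$REMOTE_KEY" || return 1
        # uhttpd loads its certificate when it starts, so restart it.
        ssh "root@$host" "/etc/init.d/uhttpd restart" || return 1
        echo "$host: certificate updated"
    else
        echo "$host: already current"
    fi
}

main() {
    stage=$(mktemp -d) || exit 1
    stage_cert "$CERT_FILE" "$KEY_FILE" "$stage" || exit 1
    rc=0
    for h in $HOSTS; do
        deploy_host "$h" "$stage" || rc=1
    done
    rm -rf "$stage"
    exit $rc
}

# Only run the push when executed under this (placeholder) name, so the
# functions can also be sourced and tested separately.
case "${0##*/}" in push-uhttpd-cert.sh) main "$@" ;; esac
```

Scheduled once a day from cron on the Turris, this does nothing on most days (three SSH round trips that each print "already current") and copies plus restarts only in the days after acme renews the certificate. It does not verify the result; a handshake check with openssl s_client against each device after a reported update is the natural follow-up.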

Absolutely.

