Replace lighttpd with uhttpd

Hello everyone,

my goal is to be able to easily access the web interface (Luci) of Turris https secured by a let’s encrypt certificate from the local network.
The acme from the OpenWrt repo in combination with uhttpd offers exactly that. I get the certificate automatically via DNS-API.
Since the implementation with lighttpd seems too complicated to me (certificates have to be converted at least) I would like to replace lighttpd with uhttpd.
Are there any problems here (e.g. with Foris) or is it simply a package swap?

Many thanks in advance.

lighttpd and acme-dnsapi work perfectibility fine together without any conversion. What have you tried?

Hello salty,

thanks for reply.

I find the Turris guide super cumbersome.

Then I have the following documentation with the corresponding certificate conversion because lighttpd apparently expects .pem certificates.

How did you implement it?

Where in the lighttpd config do I refer to the acme dir? I only have the certificates as .cer .csr and the key.


This is a wildcard certificate which I also want to use on other OpenWrt devices. That’s why uhttpd would be the right choice and there is an option in acme to use the certificate for uttpd. Then I would have it directly in the correct format for the other devices.


config acme
        option state_dir '/etc/acme'
        option account_email ''
        option debug '0'

config cert 'main'
        option keylength 'ec-256'
        list domains ''    # subjectName
        list domains ''    # subjectAltName
        list domains ''    # subjectAltName
        option enabled '1'
        option validation_method 'dns'
        option dns 'dns_<provider>'   # see for list of options
        list credentials '<XX>_Username="<username>"'
        list credentials '<XX>_Password="<password>"'
        option use_staging '0'

Updater and lighttpd modifications for SSL support
Updater configuration

Uninstall("lighttpd-https-cert", { priority = 60 })

Lighttpd SSL configuration

ssl.pemfile = "/etc/acme/www.example.com_ecc/fullchain.cer"
ssl.privkey = "/etc/acme/www.example.com_ecc/"
ssl.openssl.ssl-conf-cmd = (
  "MinProtocol" => "TLSv1.2",
  "Options" => "-ServerPreference",
  "CipherString" => "ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384"

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"

$SERVER["socket"] == "[::]:443" {
  ssl.engine = "enable"

Nothing more, nothing less. Don’t forget to run the pkgupdate to remove lighttpd-https-cert and install lighttpd-mod-openssl, and in the end restart the lighttpd.


Candidate for documentation?

Do you happen to have any tips on how I can get the certificates onto the other three OpenWrt devices? A blunt script which copies the data daily via SCP and restarts the web server…
Somehow that seems like a sledgehammer to me.
Or does it make more sense to run a separate acme on each device and then get one certificate per subdomain rather than wildcard?


Post must be at least 20 characters

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.