Setting up LetsEncrypt on Raspberry PI

First stop lighttpd

sudo service lighttpd stop

Then clone the Letsencrypt repo

git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

Run the Client

./letsencrypt-auto --agree-dev-preview --server \
  https://acme-v01.api.letsencrypt.org/directory auth

During this procedure it was necessary for me to start lighttpd again. I chose option one.

Start lighttpd

sudo service lighttpd start

Login as root

sudo su

Go into the Cert Folder

cd /etc/letsencrypt/live/raspberry.redbrain.me/

Combine the key and certificate into one ssl.pem

cat privkey.pem cert.pem > ssl.pem
cd /etc/ssl/certs

Forward Secrecy & Diffie Hellman Ephemeral Parameters

sudo openssl dhparam -out dhparam.pem 4096

Configure lighttpd for HTTPS with the following settings, which reference the files created above

server.document-root        = "/home/pi/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 443
ssl.engine                  = "enable"
ssl.pemfile                 = "/etc/letsencrypt/live/raspberry.redbrain.me/ssl.pem"
ssl.ca-file                 = "/etc/letsencrypt/live/raspberry.redbrain.me/fullchain.pem"
ssl.dh-file                 = "/etc/ssl/certs/dhparam.pem"
ssl.ec-curve                = "secp384r1"
ssl.honor-cipher-order      = "enable"
ssl.cipher-list             = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression         = "disable"
ssl.use-sslv2               = "disable"
ssl.use-sslv3               = "disable"

setenv.add-response-header  = (
 "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
 "X-Frame-Options" => "DENY",
 "X-Content-Type-Options" => "nosniff"
)

Enable Port Forwarding in your Router for Port 443 and 80.

Open the Firewall for Port 443

sudo ufw allow 443
sudo service lighttpd start

Renewal of Lets Encrypt Certificate

Create a cert_renewal.sh script with the following content:

#!/bin/bash
set -x
# renew any certificate that is due, appending certbot's output to a log file
/usr/bin/certbot renew >> /tmp/le-renew.log 2>&1
# rebuild the combined key+cert file lighttpd reads, then restart so it picks it up
cd /etc/letsencrypt/live/raspberry.redbrain.me/ || exit 1
cat privkey.pem cert.pem > ssl.pem
service lighttpd restart

Add cert_renewal.sh to root's crontab

@weekly /home/pi/raspberry/cert_renewal.sh

This checks the certificate for renewal every week.
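A more careful version of the renewal script, added here as an example and not the script from the original post: it keeps ssl.pem readable only by root (the file contains the private key, and a plain cat as root creates it world-readable under the default umask), and it restarts lighttpd only when the combined file actually changed, since certbot renew does nothing until the certificate nears expiry. It assumes the same certbot path, live directory and service name as the page; LIVE_DIR and LOG are overridable so build_pem can be exercised on a scratch directory.

```shell
#!/bin/sh
# Renewal helper for the lighttpd setup above (added example, not from the
# original post). Assumptions: certbot lives at /usr/bin/certbot, the live
# directory and the service name are the ones used on this page.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/raspberry.redbrain.me}"
LOG="${LOG:-/tmp/le-renew.log}"

# build_pem DIR: write DIR/ssl.pem from privkey.pem + cert.pem with mode 600
# (the private key is inside, so it must not be world-readable) and print
# "changed" if the combined file differs from the previous one, otherwise
# "unchanged".
build_pem() {
    dir="$1"
    new="$dir/ssl.pem.new"
    # umask 077 so the file is never created world-readable, even briefly
    (umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$new")
    chmod 600 "$new"
    if [ -f "$dir/ssl.pem" ] && cmp -s "$new" "$dir/ssl.pem"; then
        rm -f "$new"
        echo unchanged
    else
        mv -f "$new" "$dir/ssl.pem"
        echo changed
    fi
}

# main: run certbot, rebuild ssl.pem, and restart lighttpd only when the
# certificate actually changed.
main() {
    /usr/bin/certbot renew >> "$LOG" 2>&1
    if [ "$(build_pem "$LIVE_DIR")" = changed ]; then
        service lighttpd restart
    fi
}

# Only perform the renewal when invoked with "renew" (e.g. from cron:
# @weekly /home/pi/raspberry/cert_renewal.sh renew), so the file can also
# be sourced to reuse build_pem.
if [ "${1:-}" = renew ]; then
    main
fi
```

The crontab entry becomes `@weekly /home/pi/raspberry/cert_renewal.sh renew`; certbot's own output ends up in the log file, and lighttpd is left untouched on the weeks where nothing was renewed.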

Source:

Last generation on 2024-10-06 00:00:53.


© 2024 Oliver Graute ⋅ hosted on a Raspberry PI