Howto use letsencrypt and acme with lighttpd (part 2)

As I wrote in https://forum.openwrt.org/t/howto-use-letsencrypt-and-acme-with-lighttpd/96513, you can't use LuCI with lighttpd to renew a letsencrypt certificate. You need to run acme manually.

There are two issues to tackle: how to renew, and how to create the pemfile for lighttpd.

On the first issue, you can wait until 60 days have elapsed, but then you need to check every day. I came to the conclusion it's easier to force a renew once every month. Just choose a day and a time and create an entry in /etc/crontabs/root, for example:

15 4 8 * * /root/bin/renewcertificate >> /root/log/renewcert.log 2>&1

On the second issue, you need to tell acme where to put the certificate after creating it.

Issue the following command only once to configure the paths where acme installs the certificate:

root@router:~# /usr/lib/acme/acme.sh --home /etc/acme --install-cert --domain <domain.tld> --cert-file /etc/ssl/private/cert.pem --key-file /etc/ssl/private/key.pem --ca-file /etc/ssl/private/ca.cer --fullchain-file /etc/ssl/private/fullchain.pem

You can check the settings in /etc/acme/<domain.tld>/<domain.tld>.conf

The /root/bin/renewcertificate script ends up like this:

#!/bin/sh
# Forced monthly renew, run from cron; all output goes to the cron log file.

echo "$(date): /etc/init.d/lighttpd stop"
# acme's --standalone mode listens on port 80 itself, so lighttpd must be down.
/etc/init.d/lighttpd stop

echo "$(date): issue force renew request"
/usr/lib/acme/acme.sh --standalone -f -r --home /etc/acme -d <domain.tld>

echo "$(date): create pemfile for lighttpd"
cd /etc/ssl/private
# lighttpd.pem contains the private key: create it readable by root only,
# otherwise the default umask 022 leaves it world-readable.
umask 077
cat key.pem cert.pem > lighttpd.pem

echo "$(date): /etc/init.d/lighttpd start"
/etc/init.d/lighttpd start
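Two checks the renew script can run on lighttpd.pem before the final lighttpd start, added here as an example and not part of the original post: a structure and permission check that needs no openssl, and an expiry check that does. The function names and the placeholder PEM content are constructed for the demo; the real files are the ones under /etc/ssl/private.

```sh
#!/bin/sh
# Checks to run on the combined PEM before lighttpd is started again.
# check_lighttpd_pem FILE : structure + permissions, no openssl needed
# check_expiry FILE DAYS  : certificate still valid for DAYS more days
# Both print the reason and return 1 on failure.
check_lighttpd_pem() {
    f="$1"
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # grep -c prints 0 but exits 1 when nothing matches, hence '|| true'
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END ' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key block, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block (cert.pem empty?)"; return 1; }
    # A write that stopped halfway leaves a BEGIN without its END.
    [ "$ends" -eq $((keys + certs)) ] || { echo "$f: truncated PEM block"; return 1; }
    # The file carries the private key: group/world read bits are a leak.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$f: readable by group/others, fix with: chmod 600 $f"; return 1
    fi
    return 0
}

check_expiry() {
    f="$1"; days="$2"
    command -v openssl >/dev/null || { echo "openssl not installed"; return 1; }
    # openssl x509 skips the key block and reads the first certificate.
    openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "$f: certificate expires within $days days"; return 1; }
}

# Demo on a CONSTRUCTED placeholder file (not a real key or certificate),
# built the same way the renew script builds lighttpd.pem.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/cert.pem"
    (umask 077; cat "$d/key.pem" "$d/cert.pem" > "$d/lighttpd.pem")
    check_lighttpd_pem "$d/lighttpd.pem" && echo "lighttpd.pem: ok"
    chmod 644 "$d/lighttpd.pem"                 # simulate the default umask 022
    check_lighttpd_pem "$d/lighttpd.pem" || echo "rejected as expected"
    rm -rf "$d"
}
demo
```

In the renew script, call `check_lighttpd_pem /etc/ssl/private/lighttpd.pem && check_expiry /etc/ssl/private/lighttpd.pem 30` after the cat and log the result, so a failed renew shows up in renewcert.log instead of only when the site breaks.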