Howto use letsencrypt and acme with lighttpd

Once installed acme, socat and luci-app-acme I was able to obtain the certificate. And it works. So far so good.

However, I had to stop lighttpd manually first and I had to create the pem file manually afterwards. Although easy to do how to get this to work automatically?

Is this something for /etc/config/acme? Or should I run acme.sh in a cron as it seems to have the --pre-hook and --post-hook needed?

Two months later I owe you the solution for this issue.

I disabled acme in LuCI as it doesn't disable lighttpd and therefore fails. The DNS mode was not an option so I decided to write a script and run it in a cron job.

The first challenge is when to renew the certificate. The script runs every day at the same time and checks if it is possible to renew.

If it is, it stops the lighttpd webserver, issues the acme renew request and starts the webserver again. This is the result:

#!/bin/sh
LOG=/root/log/renewcert.log
NRT=$(grep Le_NextRenewTime= /etc/acme/<mydomain.com>/<mydomain.com>.conf | sed -e "s,',,g" -e 's,Le_NextRenewTime=,,')
NOW=$(date +%s)

echo | tee -a $LOG

echo "$(date): CurrentTime = $NOW" | tee -a $LOG
echo "$(date): NextRenewTime = $NRT" | tee -a $LOG

if [ $NOW -gt $NRT ]; then

	echo "$(date): Renew certificate" | tee -a $LOG
	echo "$(date): /etc/init.d/lighttpd stop" | tee -a $LOG
	/etc/init.d/lighttpd stop 2>&1 | tee -a $LOG

	/usr/lib/acme/acme.sh --home /etc/acme --renew -d <mydomain.com> \
		--accountemail root@<mydomain.com> --standalone 2>&1 | tee -a $LOG

	echo "$(date): /etc/init.d/lighttpd start" | tee -a $LOG
	/etc/init.d/lighttpd start 2>&1 | tee -a $LOG

	echo "$(date): create pemfile for lighttpd" | tee -a $LOG
	cd /etc/acme/<mydomain.com>
	cat <mydomain.com>.key <mydomain.com>.cer > /etc/lighttpd/ssl/<mydomain.com>.pem 2>&1 | tee -a $LOG

else
	echo "$(date): EstimatedTimeToRenew = $((NRT-NOW))" | tee -a $LOG
fi

As you can see the script creates the correct pemfile for lighttpd from the .key and .cer files created by acme.sh as its --cert-file and --key-file switches don't seem to work.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.