Tutorial – Adding SSL to this Lighttpd Blog

Today I am using SSL to add more securities in this Blog, and the SSL is provided by StartCom / StartSSL.
And now, let’s go trough the tutorial for installing SSL in a Lighttpd VPS
How to get Free SSL :

1. Go to StartSSL
2. Click the StartSSL Free
3. Choose the Express Lane, fill the required data, and also make sure you are using valid phone number. We use the phone number for verification.

 
Preparing the Lighttpd VPS for SSL installation :

1. Generate a CSR ( Certificate Signing Request ), and in this example we are using domain www.erawanarifnugroho.com
   
   # mkdir -p /etc/lighttpd/ssl # cd /etc/lighttpd/ssl/

   1 2	# mkdir -p /etc/lighttpd/ssl # cd /etc/lighttpd/ssl/

   
   Create the Private Key :
   
   # openssl genrsa -des3 -out ssl.key 2048

   1	# openssl genrsa -des3 -out ssl.key 2048

   
   Create the CSR :
   
   # openssl req -new -key ssl.key -out ssl.csr

   1	# openssl req -new -key ssl.key -out ssl.csr

   
   You will be prompted to enter domain name and another data. At the “Common Name”, use your domain name, for example www.erawanarifnugroho.com
   Next you will need to submit the csr key to the Certificate Authority, in this case StartCom/StartSSL. Once your order have been validated, you can download the certificate to be used for the Lighttpd VPS.
   Save the Certificate as “certificate.crt” and upload the Certificate to the /etc/lighttpd/ssl
2. Preparing the Certificate
   If we use the encrypted Private Key, Lighttpd will ask the password when restarted. Therefore, we need to decrypt the key so the Lighttpd will not ask the password.
   Decrypting the Private Key :
   
   # openssl rsa -in ssl.key -out no.pwd.key

   1	# openssl rsa -in ssl.key -out no.pwd.key

   
   You will be prompted to enter the password for the Private Key.
   Create the .pem file :
   
   # cat no.pwd.key certificate.crt > ssl.pem

   1	# cat no.pwd.key certificate.crt > ssl.pem

3. Configuring the Lighttpd.conf
   
   # nano /etc/lighttpd/lighttpd.conf

   1	# nano /etc/lighttpd/lighttpd.conf

   
   Add config section :
   
   $SERVER["socket"] == "vps.ip.address:443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/ssl/ssl.pem" ssl.ca-file = "/etc/lighttpd/ssl/certificate.crt" server.name = "www.erawanarifnugroho.com" server.document-root = "/var/www/www.erawanarifnugroho.com/" server.errorlog = "/var/log/lighttpd/serror.log" accesslog.filename = "/var/log/lighttpd/saccess.log" # The following code is used to secure the SSL from attack ssl.use-sslv2 = "disable" ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"}

   1 2 3 4 5 6 7 8 9 10 11

   $SERVER["socket"] == "vps.ip.address:443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/ssl/ssl.pem" ssl.ca-file = "/etc/lighttpd/ssl/certificate.crt" server.name = "www.erawanarifnugroho.com" server.document-root = "/var/www/www.erawanarifnugroho.com/" server.errorlog = "/var/log/lighttpd/serror.log" accesslog.filename = "/var/log/lighttpd/saccess.log" # The following code is used to secure the SSL from attack ssl.use-sslv2 = "disable" ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"}

4. Restart the Lighttpd, and all done
   
   # service lighttpd restart

   1	# service lighttpd restart