updates for proper CA chaining (i.e. lighttpd actually presents the i… #14

Open
wants to merge 2 commits into
base: master
Conversation

@bdwilson commented Nov 28, 2021

…ntermediate certs properly to clients) and set Acme default back to LE. I also added default provider as Let's Encrypt because the other ones fail due to old certs on EdgeOS. I put instructions on how to update certs from LE in your readme.

Bundling the cert, key and intermediates does not work. You can validate this with openssl:

% openssl s_client -connect 192.168.1.1:443 -servername router.yourdomain.com

If you don't see the chain being delivered and `Verification: OK`, then it's messed up. The original author had this split out for a reason.

% openssl s_client -connect 192.168.1.1:443 -servername router.yourdomain.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = router.yourdomain.com
verify return:1
Certificate chain
 0 s:CN = router.yourdomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
...
SSL handshake has read 4385 bytes and written 439 bytes
Verification: OK
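
The check described in this comment, as a script added to this page (it is not code from the PR, from bdwilson, or from lighttpd): it reads `openssl s_client` output and fails unless the server actually presented at least one intermediate, every certificate's issuer is the next certificate's subject, and OpenSSL reported `Verification: OK` (or the older `Verify return code: 0`). The two transcripts embedded below are constructed to mirror the output shown above and are not real captures; `check_chain` and `probe_chain` are names chosen for this example.

```shell
#!/bin/sh
# check_chain.sh -- added example for this thread; not code from the PR or
# from lighttpd. check_chain reads `openssl s_client` output on stdin and
# exits non-zero unless (1) more than just the leaf certificate was sent,
# (2) each cert's issuer equals the next cert's subject, and (3) OpenSSL
# reported that the chain verified.

check_chain() {
  awk '
    /^Certificate chain$/          { inchain = 1; next }
    inchain && /^---$/             { inchain = 0 }
    inchain && /^ *[0-9]+ s:/      { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    inchain && n && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
    /^Verification: OK$/ || /^ *Verify return code: 0 / { verified = 1 }
    END {
      rc = 0
      if ((n + 0) < 2) {
        print "FAIL: server sent only " (n + 0) " certificate(s); intermediate(s) not presented"
        rc = 1
      }
      for (k = 1; k < n; k++) {
        if (iss[k] != subj[k + 1]) {
          print "FAIL: cert " (k - 1) " issuer [" iss[k] "] != cert " k " subject [" subj[k + 1] "]"
          rc = 1
        }
      }
      if (!verified) {
        print "FAIL: OpenSSL did not verify the chain (see Verification error / Verify return code)"
        rc = 1
      }
      if (rc == 0) print "OK: " n " certificates presented, chain links up, verification passed"
      exit rc
    }'
}

# Live probe, as on the page: connect by IP, send the hostname as SNI, and
# close stdin so s_client does not sit waiting for input. Verify-callback
# noise goes to stderr and is not needed for the check.
probe_chain() {  # usage: probe_chain 192.168.1.1 443 router.yourdomain.com
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null | check_chain
}

# Constructed transcript (modelled on the page's output, not a real capture):
# leaf plus the R3 intermediate, verification OK.
SAMPLE_FULL=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = router.yourdomain.com
verify return:1
---
Certificate chain
 0 s:CN = router.yourdomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
SSL handshake has read 4385 bytes and written 439 bytes
Verification: OK
EOF
)

# Constructed transcript of the broken case the comment warns about: only
# the leaf is sent, so a client cannot build a path to the root.
SAMPLE_LEAF_ONLY=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = router.yourdomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = router.yourdomain.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
SSL handshake has read 1874 bytes and written 439 bytes
Verification error: unable to verify the first certificate
EOF
)

printf '%s\n' "$SAMPLE_FULL" | check_chain
printf '%s\n' "$SAMPLE_LEAF_ONLY" | check_chain || :
```

Run it against a live host with `probe_chain 192.168.1.1 443 router.yourdomain.com`; a non-zero exit means clients that do not already hold the intermediate (most of them) will get a trust error even though the leaf itself is valid.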

@gstrauss

If you're using lighttpd 1.4.56 or later with Let's Encrypt, please simply use the files from Let's Encrypt:

    ssl.privkey = "/etc/lighttpd/certs/www.example.com/privkey.pem" 
    ssl.pemfile = "/etc/lighttpd/certs/www.example.com/fullchain.pem"

With the above, it is not necessary, and not recommended, to set ssl.ca-file.

@bdwilson (Author)

> If you're using lighttpd 1.4.56 or later with Let's Encrypt, please simply use the files from Let's Encrypt:
>
>     ssl.privkey = "/etc/lighttpd/certs/www.example.com/privkey.pem"
>     ssl.pemfile = "/etc/lighttpd/certs/www.example.com/fullchain.pem"
>
> With the above, it is not necessary, and not recommended, to set ssl.ca-file.

I'm still on 1.10x train so I'm on 1.4.35 at this time.

@gstrauss

> I'm still on 1.10x train so I'm on 1.4.35 at this time.

lighttpd 1.4.35 was released Mar 2014, over 7 years ago. There have been a small but non-zero number of security bugs fixed in lighttpd in the 26 lighttpd releases since then.

@bdwilson (Author)

Which is precisely why I deploy it behind an authenticated reverse proxy.

@floco commented Jan 22, 2022

Thanks @bdwilson your updates solve my issues with old CA
