Hi,
Background:
- Google Cloud Platform (bare vm)
- Ubuntu 20.04
- lighttpd web server (Ver 1.4.55) from Ubuntu software repository
- Lets Encrypt bot installed with Snap (certbot 1.8.0)
https://certbot.eff.org/lets-encrypt/ubuntufocal-other - I have sudo privileges
- Actual domain stderr.me
All was going well right up until I tried to get my site with https://
Everything, including the LetsEncrypt set up, looked like it was successful.
My site was (and still is) fine with just http://
NOTE: I first started looking into this online on the lighttpd forum, but still haven’t found my way through this issue, but it looks like a LetsEncrypt issue at the moment.
lighttpd Forum Post Link: https://redmine.lighttpd.net/boards/2/topics/9370
After setting up LetsEncrypt, I am supposed to add some code (below) to the lighttpd configuration file to read the LetsEncrypt files. After doing that, I try to re-start lighttpd, and fail.
Fail when re-starting lighttpd error:
$ sudo systemctl restart lighttpd
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.
Code for lighttpd confg file:
server.modules += ("mod_openssl")
$SERVER["socket"] == "My Public IP:443" {
ssl.engine = "enable"
ssl.privkey= "/etc/letsencrypt/live/website.com/privkey.pem"
ssl.pemfile= "/etc/letsencrypt/live/website.com/fullchain.pem"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # (recommended to accept only TLSv1.2 and TLSv1.3)
}
Looking into error logs etc, the one that brings me some defined results is, what lighttpd call, a preFlight check
$ sudo lighttpd -f /etc/lighttpd/lighttpd.conf -tt
2020-09-16 18:32:35: (mod_openssl.c.471) SSL: BIO_read_filename('/etc/letsencrypt/live/website.com/fullchain.pem') failed
2020-09-16 18:32:35: (server.c.1207) Initialization of plugins failed. Going down.
When I check journelctl, I get:
So, lets look at fullchain.pem, as that looks like the item that is failing:
Looking in /etc/letsencrypt/live/website.com/:
lrwxrwxrwx 1 root root 38 Sep 16 12:16 fullchain.pem -> ../../archive/website.com/fullchain1.pem
lrwxrwxrwx 1 root root 36 Sep 16 12:16 privkey.pem -> ../../archive/website.com/privkey1.pem
Yes, the file does exist, and the permissions are as open as can be, and the same as the other key.
So, I followed the links to /etc/letsencrypt/live/archive/website.com/:
-rw-r--r-- 1 root root 1416 Sep 16 12:16 cert1.pem.gz
-rw-r--r-- 1 root root 1206 Sep 16 12:16 chain1.pem.gz
-rw-r--r-- 1 root root 2439 Sep 16 12:16 fullchain1.pem.gz
-rw------- 1 root root 1343 Sep 16 12:16 privkey1.pem.gz
Do these LetsEncrypt directories and file look right? I have nothing to base them on.
Permissions of the failing file are actully greater than the file that (I assume) is being read ok (privkey1.pem).
Does anyone have any suggestions that I could try?