Lighttpd crashes when I try to install SSL certs and edit external.conf


Running Pi-hole with Unbound, OpenSSH, OpenVPN, Wazuh Agent; no other non-standard elements.

Expected Behaviour:

I had Pi-hole running nicely on a Raspberry Pi with private wildcard SSL certs installed. I would like to serve sites with my FQDN on the VPN network only (tun0).

Actual Behaviour:

Tried moving the install to a DigitalOcean instance, but I get errors. I set my /etc/lighttpd/external.conf exactly as it was on the Raspberry Pi, but when I restart pihole with a "server lighttpd restart" command I get the following:

Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xeu lighttpd.service" for details.

Chasing those debug messages gives the following:

systemctl status lighttpd.service:

× lighttpd.service - Lighttpd Daemon
     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2022-10-16 19:35:08 UTC; 13s ago
    Process: 11358 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCEPTION)
        CPU: 17ms

Oct 16 19:35:08 pihole systemd[1]: lighttpd.service: Control process exited, code=exited, status=255/EXCEPTION
Oct 16 19:35:08 pihole systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 16 19:35:08 pihole systemd[1]: Failed to start Lighttpd Daemon.
Oct 16 19:35:08 pihole systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Oct 16 19:35:08 pihole systemd[1]: Stopped Lighttpd Daemon.
Oct 16 19:35:08 pihole systemd[1]: lighttpd.service: Start request repeated too quickly.
Oct 16 19:35:08 pihole systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Oct 16 19:35:08 pihole systemd[1]: Failed to start Lighttpd Daemon.

journalctl -xeu lighttpd.service:

░░ The process' exit code is 'exited' and its exit status is 255.

There are a bunch of restart messages; I'll post the whole thing if needed.

Syslog has this seemingly related line:

pihole Process: 43529 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCEPTION)

OS: Ubuntu 22.04.1 LTS x86_64
Cloud Server with : 1 Intel vCPU, 1 GB memory
PiHole v5.12.2
lighttpd v14.63(ssl).

My external.conf was running with a reference to the ca.crt only on the Pi, rather than the full chain pem. I'm just not sure how to put the full chain in order, if that's the problem.

Debug Token: XL9eVej2/

Maybe you can find your answer on Lighttpd Docs: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

I'm not an expert, but I saw your config is using some deprecated options:

ssl.ca-file (recently deprecated, since 1.4.60) renamed ssl.verifyclient.ca-file

ssl.cipher-list (deprecated; prefer ssl.openssl.ssl-conf-cmd "CipherString")
ssl.honor-cipher-order (deprecated; prefer ssl.openssl.ssl-conf-cmd "Options" => "[+-]ServerPreference")

ssl.use-sslv2 (deprecated; newer versions don't support SSLv2)
ssl.use-sslv3 (deprecated; disabled by default since 1.4.36)

Also, the below might help with diagnosing:

Am I on the right path with these changes?

I interpret the doc you sent as saying that if I add "mod_openssl" to the server modules, then I don't need the following:

ssl.cipher-list     <--  handled with mod_openssl
ssl.honor-cipher-order     <--  handled with mod_openssl

ssl.use-sslv2     <-- deprecated and no longer necessary
ssl.use-sslv3     <-- deprecated and no longer necessary

and the pem and ca.crt files need "verifyclient" like so:

ssl.verifyclient.pemfile = "/etc/lighttpd/ssl/combined.pem"
ssl.verifyclient.ca-file =  "/etc/lighttpd/ssl/ca.crt"

So my updated external.conf looks like this:

#Adding "mod_openssl" to server.modules so it doesn't get overwritten w/ update
server.modules += ("mod_openssl")

$HTTP["host"] == "pihole.war-elf.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.verifyclient.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.verifyclient.ca-file =  "/etc/lighttpd/ssl/ca.crt"
 
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

sudo /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf; echo 0 gives me the following output:

2022-10-17 01:03:03: (mod_openssl.c.2671) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
2022-10-17 01:03:03: (server.c.1282) Initialization of plugins failed. Going down.
0

Check the below thread and solution:

Thanks. Not sure what I had wrong, but I nuked my external and lighttpd.conf and started over. This config worked just fine.


I think the difference is:

Compared to yours:

In regard to the below message:

It is actually a .crt file, I shortened it from the actual file for simplicity:

ssl.ca-file = "/etc/lighttpd/ssl/[redacted].crt"

Maybe I typo'd. I would have made a .pem, but I'm not sure how to put the chain in order, and there are a few files to chain.

No, that's not what I mean.
Your old config uses the ssl.verifyclient.pemfile directive instead of ssl.pemfile, which was what the message was referring to.
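An added example, not code from lighttpd, Pi-hole or any poster in this thread: a small Python lint that re-implements the scope rule quoted in the error message above (ssl.pemfile must be set in the same $SERVER["socket"] scope as any other ssl.* directive, unless only ssl.engine is set there) and flags the directive names called out as deprecated earlier in the thread. The two sample configs embedded in it are constructed; the hostname and file paths are placeholders, and the use of ssl.privkey in the fixed sample assumes a lighttpd version that supports that directive.

```python
"""Lint for ssl.* directive scoping in lighttpd conditionals.

Added example, not code from lighttpd or Pi-hole. It re-implements the scope
rule quoted in the thread's error message (ssl.pemfile must be set in the same
$SERVER["socket"] scope as any other ssl.* directive, unless only ssl.engine is
set there) and flags the deprecated directive names listed in the thread.
"""
import re

# Deprecated names and the replacements quoted in the thread.
DEPRECATED = {
    "ssl.ca-file": "ssl.verifyclient.ca-file (renamed in 1.4.60)",
    "ssl.cipher-list": 'ssl.openssl.ssl-conf-cmd "CipherString"',
    "ssl.honor-cipher-order": 'ssl.openssl.ssl-conf-cmd "Options" => "[+-]ServerPreference"',
    "ssl.use-sslv2": "nothing; SSLv2 is no longer supported",
    "ssl.use-sslv3": "nothing; SSLv3 is disabled by default since 1.4.36",
}
# The directive the thread used by mistake, and the one the error message asks for.
MISNAMED = {"ssl.verifyclient.pemfile": "ssl.pemfile"}

# Matches a conditional opener such as: $SERVER["socket"] == ":443" {
BLOCK_OPEN = re.compile(r'^\s*(\$[A-Z]+\["[^"]+"\]\s*[=!~]+\s*"[^"]*")\s*\{\s*$')
# Matches a directive assignment such as: ssl.engine = "enable"  or  server.modules += (...)
DIRECTIVE = re.compile(r'^\s*([a-z][\w.-]*)\s*\+?=')


def lint_lighttpd_ssl(conf_text):
    """Return [(line_number, message), ...] findings for the given config text."""
    findings = []
    stack = []          # one entry per open conditional: a dict for $SERVER["socket"], else None
    socket_scopes = []  # every $SERVER["socket"] scope seen, checked for ssl.pemfile at the end
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments ('#' inside strings is not handled)
        if not line.strip():
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            label = opened.group(1)
            scope = None
            if label.startswith('$SERVER["socket"]'):
                scope = {"label": label, "line": lineno, "ssl": {}}
                socket_scopes.append(scope)
            stack.append(scope)
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        directive = DIRECTIVE.match(line)
        if not directive:
            continue
        name = directive.group(1)
        if name in DEPRECATED:
            findings.append((lineno, f"{name} is deprecated; use {DEPRECATED[name]}"))
        if name in MISNAMED:
            findings.append((lineno, f"{name} is not the server certificate directive; use {MISNAMED[name]}"))
        # Attribute ssl.* directives to the innermost enclosing $SERVER["socket"] scope, if any.
        enclosing = next((s for s in reversed(stack) if s is not None), None)
        if enclosing is not None and name.startswith("ssl."):
            enclosing["ssl"].setdefault(name, lineno)
    # The rule behind the thread's error: other ssl.* directives in a socket scope need ssl.pemfile there too.
    for scope in socket_scopes:
        others = sorted(n for n in scope["ssl"] if n != "ssl.engine")
        if others and "ssl.pemfile" not in scope["ssl"]:
            findings.append((scope["line"], f'{scope["label"]} sets {", ".join(others)} '
                                            "but not ssl.pemfile in the same scope"))
    return findings


# Constructed sample: the shape of the socket block from the thread's external.conf (hostname is a placeholder).
BROKEN_CONF = """\
server.modules += ("mod_openssl")
$HTTP["host"] == "pihole.example.com" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.verifyclient.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.verifyclient.ca-file = "/etc/lighttpd/ssl/ca.crt"
  }
}
"""

# Constructed sample: the same block naming the server certificate the way the error message asks for.
# Paths are placeholders; combined.pem is assumed to hold the server certificate followed by its intermediates.
FIXED_CONF = """\
server.modules += ("mod_openssl")
$HTTP["host"] == "pihole.example.com" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
    ssl.privkey = "/etc/lighttpd/ssl/private.key"
  }
}
"""

if __name__ == "__main__":
    for title, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {title} ==")
        for lineno, message in lint_lighttpd_ssl(conf) or [(0, "no findings")]:
            print(f"line {lineno}: {message}")
```

Run it directly to see the broken sample reported twice (the misnamed directive on its own line, then the socket scope that lacks ssl.pemfile) and the fixed sample pass clean; `lighttpd -tt -f` remains the authoritative check, since this lint only models the one rule from the thread and the deprecations listed above. On the chain-ordering question the thread leaves open: the fixed sample assumes combined.pem is assembled in the standard TLS order, server certificate first, then each issuing intermediate in turn, with the key kept in a separate file named by ssl.privkey.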
