Lighttpd doesn't start with SSL enabled

Hey,

I've used the tutorial from the FAQ (https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771).

In the end, lighttpd doesn't want to start up anymore. I've already tried to reinstall Pi-hole.

I'm running it on an RPi 3B+ with Raspbian (Debian Stretch) and a Nextcloud. I've tried multiple tutorials but none of them work.

I hope someone can help me. Sorry for the bad English, I hope you can understand me.

Thank you in advance.

lighttpd -v
lighttpd/1.4.45 (ssl) - a light and fast webserver
Build-Date: Jan 14 2017 21:07:19
cat lighttpd.conf 
server.modules = (
        "mod_access",
        "mod_accesslog",
        "mod_auth",
        "mod_expire",
        "mod_compress",
        "mod_redirect",
        "mod_setenv",
        "mod_rewrite"
)

server.document-root        = "/var/www/html"
server.error-handler-404    = "pihole/index.php"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80
accesslog.filename          = "/var/log/lighttpd/access.log"
accesslog.format            = "%{%s}t|%V|%r|%s|%b"

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"

# Prevent Lighttpd from enabling Let's Encrypt SSL for every blocked domain
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include uu%p\"\n' 2>/dev/null"

# If the URL starts with /admin, it is the Web interface
$HTTP["url"] =~ "^/admin/" {
    # Create a response header for debugging using curl -I
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY"
    )

    $HTTP["url"] =~ ".ttf$" {
        # Allow Block Page access to local fonts
        setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
    }
}

# Block . files from being served, such as .git, .github, .gitignore
$HTTP["url"] =~ "^/admin/\.(.*)" {
     url.access-deny = ("")
}

# Add user chosen options held in external file
include_shell "cat external.conf 2>/dev/null"
cat external.conf
$HTTP["host"] == "my.myfritz.net" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")
  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/my.myfritz.net-0001/combined.pem"
    ssl.ca-file = "/etc/letsencrypt/live/my.myfritz.net-0001/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }
  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
● lighttpd.service - Lighttpd Daemon
  Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
  Active: failed (Result: exit-code) since Thu 2018-07-05 20:55:06 UTC; 30min ago
  Process: 32226 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf (code=exited, sta
  Process: 32215 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited,
  Main PID: 32226 (code=exited, status=255)

Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Unit entered failed state.
Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Service hold-off time over, scheduling 
Jul 05 20:55:06 raspberrypi systemd[1]: Stopped Lighttpd Daemon.
Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Start request repeated too quickly.
Jul 05 20:55:06 raspberrypi systemd[1]: Failed to start Lighttpd Daemon.
Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Unit entered failed state.
Jul 05 20:55:06 raspberrypi systemd[1]: lighttpd.service: Failed with result 'exit-code'.

Run pihole -d for a debug token. Also run this command: lighttpd -t -f /etc/lighttpd/lighttpd.conf

Thank you for your response.

The debug token is hd250yjil5

lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK

I've just tried to start lighttpd manually. I'm not sure, but maybe this is the problem?

lighttpd -f /etc/lighttpd/lighttpd.conf
2018-07-07 22:00:48: (network.c.464) can't bind to port: 443 Address already in use

I don't see it in use in the debug token, but run sudo netstat -tulpn to see if something is already taking port 443.

I don't see anything which takes the port.

root@raspberrypi:/home/pi# sudo service lighttpd start
root@raspberrypi:/home/pi# lighttpd -f /etc/lighttpd/lighttpd.conf
2018-07-08 20:29:46: (network.c.464) can't bind to port:  443 Address already in use 
root@raspberrypi:/home/pi# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      999        22945      2404/pihole-FTL     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      113        13665      675/mysqld          
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      114        13071      537/redis-server 12 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          18250      2118/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          14355      572/sshd            
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      112        13156      591/postgres        
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1000       14307      1228/sshd: pi@pts/0 
tcp6       0      0 ::1:4711                :::*                    LISTEN      999        22947      2404/pihole-FTL     
tcp6       0      0 :::53                   :::*                    LISTEN      0          18252      2118/dnsmasq        
tcp6       0      0 :::22                   :::*                    LISTEN      0          14357      572/sshd            
tcp6       0      0 ::1:5432                :::*                    LISTEN      112        13155      591/postgres        
tcp6       0      0 ::1:6010                :::*                    LISTEN      1000       14306      1228/sshd: pi@pts/0 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          18249      2118/dnsmasq        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          14382      371/dhcpcd          
udp        0      0 0.0.0.0:60646           0.0.0.0:*                           108        11001      328/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        10999      328/avahi-daemon: r 
udp6       0      0 :::546                  :::*                                0          14391      371/dhcpcd          
udp6       0      0 :::54831                :::*                                108        11002      328/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                0          18251      2118/dnsmasq        
udp6       0      0 :::5353                 :::*                                108        11000      328/avahi-daemon: r 

The result is the same when I leave out the line below.

root@raspberrypi:/home/pi# lighttpd -f /etc/lighttpd/lighttpd.conf

If I comment out the SSL part, the server goes up.

root@raspberrypi:/home/pi# sudo service lighttpd start
root@raspberrypi:/home/pi# lighttpd -f /etc/lighttpd/lighttpd.conf
2018-07-08 20:37:46: (network.c.464) can't bind to port:  80 Address already in use 
root@raspberrypi:/home/pi# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      999        22945      2404/pihole-FTL     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      113        13665      675/mysqld          
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      114        13071      537/redis-server 12 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          191192     20756/lighttpd      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          18250      2118/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          14355      572/sshd            
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      112        13156      591/postgres        
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1000       14307      1228/sshd: pi@pts/0 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          191194     20756/lighttpd      
tcp6       0      0 ::1:4711                :::*                    LISTEN      999        22947      2404/pihole-FTL     
tcp6       0      0 :::80                   :::*                    LISTEN      0          191193     20756/lighttpd      
tcp6       0      0 :::53                   :::*                    LISTEN      0          18252      2118/dnsmasq        
tcp6       0      0 :::22                   :::*                    LISTEN      0          14357      572/sshd            
tcp6       0      0 ::1:5432                :::*                    LISTEN      112        13155      591/postgres        
tcp6       0      0 ::1:6010                :::*                    LISTEN      1000       14306      1228/sshd: pi@pts/0 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          18249      2118/dnsmasq        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          14382      371/dhcpcd          
udp        0      0 0.0.0.0:60646           0.0.0.0:*                           108        11001      328/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        10999      328/avahi-daemon: r 
udp6       0      0 :::546                  :::*                                0          14391      371/dhcpcd          
udp6       0      0 :::54831                :::*                                108        11002      328/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                0          18251      2118/dnsmasq        
udp6       0      0 :::5353                 :::*                                108        11000      328/avahi-daemon: r 

As you can see the server binds to 443.

I've found a short manual on a German Ubuntu wiki. It says I should copy the combined file to /etc/lighttpd/server.pem.

The result is that without the config it will start and I can contact the server via HTTPS, but I'm not able to change any setting.

You're starting the service via service and then trying to run the service again manually; this is causing conflicts. If you want to manually start lighttpd via the command line, then you need to run sudo service lighttpd stop first. Every lighttpd -f /etc/lighttpd/lighttpd.conf call you make is right after service start, so the manual call can't bind to the ports claimed when the service start happened.

sudo service lighttpd start is a shortcut to the systemd service. If you run that command and then type sudo systemctl status lighttpd you'll see that it's already running /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf, which is why your second lighttpd -f /etc/lighttpd/lighttpd.conf call fails every time.

So, to get a better understanding of the problem, run sudo service lighttpd stop and then try your lighttpd -f /etc/lighttpd/lighttpd.conf call and see what the result is. If it is not already running and it still can't bind to the ports, we can take a deeper look.

Sorry, I just wanted to show the difference if the server is really running. However, it always says 443 is already in use but it doesn't show up in netstat, no matter if I run stop or start right before.

root@raspberrypi:/home/pi# sudo service lighttpd stop
root@raspberrypi:/home/pi# lighttpd -f /etc/lighttpd/lighttpd.conf
2018-07-09 06:35:25: (network.c.464) can't bind to port:  443 Address already in use 
root@raspberrypi:/home/pi# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      999        22945      2404/pihole-FTL     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      113        13665      675/mysqld          
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      114        13071      537/redis-server 12 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          18250      2118/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          14355      572/sshd            
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      112        13156      591/postgres        
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1000       339766     7704/sshd: pi@pts/0 
tcp6       0      0 ::1:4711                :::*                    LISTEN      999        22947      2404/pihole-FTL     
tcp6       0      0 :::53                   :::*                    LISTEN      0          18252      2118/dnsmasq        
tcp6       0      0 :::22                   :::*                    LISTEN      0          14357      572/sshd            
tcp6       0      0 ::1:5432                :::*                    LISTEN      112        13155      591/postgres        
tcp6       0      0 ::1:6010                :::*                    LISTEN      1000       339765     7704/sshd: pi@pts/0 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          18249      2118/dnsmasq        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          14382      371/dhcpcd          
udp        0      0 0.0.0.0:60646           0.0.0.0:*                           108        11001      328/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        10999      328/avahi-daemon: r 
udp6       0      0 :::546                  :::*                                0          14391      371/dhcpcd          
udp6       0      0 :::54831                :::*                                108        11002      328/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                0          18251      2118/dnsmasq        
udp6       0      0 :::5353                 :::*                                108        11000      328/avahi-daemon: r 

When I'm looking for the PID, it gets a new PID each run.

root@raspberrypi:/home/pi# service lighttpd stop
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8357 0.0 0.0 4372 580 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8359 0.0 0.0 4372 584 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8361 0.0 0.0 4372 576 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8363 0.0 0.0 4372 524 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8365 0.0 0.0 4372 572 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8367 0.0 0.0 4372 580 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8369 0.0 0.0 4372 564 pts/0 S+ 06:56 0:00 grep lighttpd
root@raspberrypi:/home/pi# ps aux | grep lighttpd
root 8371 0.0 0.0 4372 544 pts/0 S+ 06:56 0:00 grep lighttpd

I guess it's not the expected behavior. So the service is starting in a loop?

If I use port 4434 in the conf file, lighttpd starts and accepts connections on both 443 and 4434.

OK, looks like I've found the solution.

I took a shot in the dark and tried to disable the SSL mod. After a force-reload and editing the HTTPS stuff back into the conf, the server is now up and it looks like it uses the config from the conf file.

root@raspberrypi:/home/pi# sudo lighty-disable-mod ssl
Disabling ssl
Run "service lighttpd force-reload" to enable changes
root@raspberrypi:/home/pi# service lighttpd force-reload
root@raspberrypi:/home/pi# nano /etc/lighttpd/external.conf
root@raspberrypi:/home/pi# service lighttpd force-reload

I'm going to test some stuff later. I'll let you know if this is the solution.

Thank you all for your help.
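The two situations this thread walks through both end in the same "Address already in use" error: a manual lighttpd run while the systemd unit already holds the ports, and a config tree in which more than one file declares a `$SERVER["socket"]` for :443 (the distro ssl snippet that lighty-disable-mod ssl removes, plus the user's own external.conf). The script below is an added example, not from the thread or the Pi-hole project; it scans a lighttpd config directory for sockets declared in more than one file, normalising ":443", "0.0.0.0:443" and "[::]:443" to the same port. The config tree and file contents it builds are constructed for the demo; on a real system point duplicate_sockets at /etc/lighttpd.

```shell
#!/bin/sh
# Added example: find lighttpd config files that declare the same
# $SERVER["socket"]. Two declarations of one bind can yield
# "can't bind to port: 443 Address already in use" with no foreign
# process listening on the port. Sample tree below is constructed.

# Print "port<TAB>file" for every $SERVER["socket"] declaration found in
# lighttpd.conf, external.conf and conf-enabled/*.conf under directory $1.
socket_declarations() {
    confdir=$1
    for f in "$confdir"/lighttpd.conf "$confdir"/external.conf "$confdir"/conf-enabled/*.conf; do
        [ -f "$f" ] || continue
        # drop comments, pull the quoted socket string out of each condition
        sed -e 's/#.*//' "$f" \
          | grep -o '\$SERVER\["socket"\][[:space:]]*==[[:space:]]*"[^"]*"' \
          | sed -e 's/.*"\([^"]*\)"$/\1/' \
          | while IFS= read -r sock; do
                port=${sock##*:}    # ":443", "0.0.0.0:443", "[::]:443" -> 443
                printf '%s\t%s\n' "$port" "$f"
            done
    done
}

# Print "port file1 file2 ..." for each port declared in more than one file.
duplicate_sockets() {
    socket_declarations "$1" | awk -F'\t' '
        !seen[$1 FS $2]++ { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p files[p] }' | sort
}

# Constructed config tree mirroring the thread: a conf-enabled ssl snippet
# and the user's external.conf both claim port 443. Prints the tree path.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/conf-enabled"
    printf 'server.port = 80\ninclude_shell "cat external.conf 2>/dev/null"\n' \
        > "$tree/lighttpd.conf"
    printf '$SERVER["socket"] == "0.0.0.0:443" {\n  ssl.engine = "enable"\n}\n' \
        > "$tree/conf-enabled/10-ssl.conf"
    printf '$HTTP["host"] == "example.invalid" {\n  $SERVER["socket"] == ":443" {\n    ssl.engine = "enable"\n  }\n}\n' \
        > "$tree/external.conf"
    printf '%s\n' "$tree"
}

# Demo on the constructed tree, not on the live /etc/lighttpd.
sample=$(make_sample_tree)
duplicate_sockets "$sample"   # prints "443" followed by the two files declaring it
rm -rf "$sample"
```

Removing one of the two declarations (which is what lighty-disable-mod ssl did for the conf-enabled copy in the thread) makes the report empty, and a manual lighttpd -f run is only meaningful after sudo service lighttpd stop, as the reply above notes.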


Everything works now as expected.

Thank you again for your help.

Should I change the topic to [solved] or something?

There's a solution button, which marks the post solved.
