Lighttpd fails after adding SSL to external.conf


#1

Expected Behaviour:

Should be able to access Pi-Hole admin page from pihole.example.com

Actual Behaviour:

When adding the text from the " Enable HTTPS for you Pi-hole web interface FAQ" to the external.conf, lighttpd fails to load with the following error. Active: failed (Result: exit-code)

Debug Token:

Your debug token is: cuzpyaoxfd

Issue:

Following the directions at Enabling HTTPS for your Pi-hole Web Interface. Everything works fine until I edit the external.conf file. Once I add all the SSL information, lighttpd fails to load. I’ve replaced all the pihole.example.com with my information.

pi@raspberrypi:~ $ lighttpd -v
lighttpd/1.4.45 (ssl) - a light and fast webserver
Build-Date: Jan 14 2017 21:07:19

pi@raspberrypi:~ $ lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK

pi@raspberrypi:~ $ sudo lighttpd -f /etc/lighttpd/lighttpd.conf
2018-12-24 08:12:43: (network.c.464) can't bind to port:  443 Address already in use

sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      342/pihole-FTL      
tcp        0      0 127.0.0.1:43821         0.0.0.0:*               LISTEN      427/cloudflared     
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      342/pihole-FTL      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      592/sshd            
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      427/cloudflared     
tcp6       0      0 ::1:4711                :::*                    LISTEN      342/pihole-FTL      
tcp6       0      0 :::53                   :::*                    LISTEN      342/pihole-FTL      
tcp6       0      0 :::22                   :::*                    LISTEN      592/sshd            
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           427/cloudflared     
udp        0      0 0.0.0.0:53              0.0.0.0:*                           342/pihole-FTL      
udp        0      0 0.0.0.0:68              0.0.0.0:*                           574/dhcpcd          
udp        0      0 0.0.0.0:57024           0.0.0.0:*                           358/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           358/avahi-daemon: r 
udp6       0      0 :::45518                :::*                                358/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                342/pihole-FTL      
udp6       0      0 :::5353                 :::*                                358/avahi-daemon: r 

Looks as though something is taking up port 443, put i don’t see what it is.


#2

Can you post the contents of the external.conf file please?


#3

It is exactly like the example, except the 3 instances of “pihole.example.com”. I’ve replaced those with my server info.

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

#4

What does sudo systemctl status --full --no-pager lighttpd look like? Is there an instance running already that needs to be stopped?


#5
sudo systemctl status --full --no-pager lighttpd

● lighttpd.service - Lighttpd Daemon

Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)

Active: failed (Result: exit-code) since Mon 2018-12-24 07:32:06 PST; 1h 38min ago

Process: 30835 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf (code=exited, status=255)

Process: 30825 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)

 Main PID: 30835 (code=exited, status=255)

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Main process exited, code=exited, status=255/n/a

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Unit entered failed state.

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Failed with result 'exit-code'.

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Service hold-off time over, scheduling restart.

Dec 24 07:32:06 raspberrypi systemd[1]: Stopped Lighttpd Daemon.

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Start request repeated too quickly.

Dec 24 07:32:06 raspberrypi systemd[1]: Failed to start Lighttpd Daemon.

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Unit entered failed state.

Dec 24 07:32:06 raspberrypi systemd[1]: lighttpd.service: Failed with result 'exit-code'.

#6

I don’t know how i would have 2 instances of it running. The only thing I did to product the error is the add the above text into the external.conf, then reboot lighttpd using

sudo service lighttpd restart

If i clear the contents of the external.conf, then restart again, everything works normally.


#7

Try sudo lsof -Pnl +M -i4 and see if that shows what is holding on to port 443 and causing the block.


#8

Looks like the cloudflared app

   >  COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
>     avahi-dae   358      108   12u  IPv4   10155      0t0  UDP *:5353 
>     avahi-dae   358      108   14u  IPv4   10157      0t0  UDP *:57024 
>     cloudflar   427      998    3u  IPv4   13323      0t0  TCP 127.0.0.1:43821 (LISTEN)
>     cloudflar   427      998    5u  IPv4   13326      0t0  UDP 127.0.0.1:5053 
>     cloudflar   427      998    6u  IPv4   13329      0t0  TCP 127.0.0.1:5053 (LISTEN)
>     cloudflar   427      998    7u  IPv4 1010103      0t0  TCP 192.168.1.38:41512->1.1.1.1:443 (ESTABLISHED)
>     dhcpcd      574        0   10u  IPv4   13319      0t0  UDP *:68 
>     sshd        592        0    3u  IPv4   13596      0t0  TCP *:22 (LISTEN)
>     pihole-FT   937      999    4u  IPv4  801462      0t0  UDP *:53 
>     pihole-FT   937      999    5u  IPv4  801463      0t0  TCP *:53 (LISTEN)
>     pihole-FT   937      999   10u  IPv4  804870      0t0  TCP 127.0.0.1:4711 (LISTEN)
>     pihole-FT   937      999   17u  IPv4 1010384      0t0  TCP 192.168.1.38:53->192.168.1.23:40703 (ESTABLISHED)
>     pihole-FT 26722      999    4u  IPv4  801462      0t0  UDP *:53 
>     pihole-FT 26722      999    5u  IPv4  801463      0t0  TCP *:53 (LISTEN)
>     pihole-FT 26722      999   10u  IPv4  804870      0t0  TCP 127.0.0.1:4711 (LISTEN)
>     sshd      32317        0    3u  IPv4  830684      0t0  TCP 192.168.1.38:22->192.168.1.3:62366 (ESTABLISHED)
>     sshd      32331     1000    3u  IPv4  830684      0t0  TCP 192.168.1.38:22->192.168.1.3:62366 (ESTABLISHED)

#9

That looks like it’s actually port 443 on 1.1.1.1 that is open, which is expected. I don’t see anything on your device that has taken over port 443 so you still should be able to bind to it.

Can you try sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf and see if it will load the modules?


#10

And try invoking in the foreground sudo lighttpd -D -f /etc/lighttpd/lighttpd.conf


#11

This returns 2018-12-24 11:51:19: (network.c.464) can't bind to port: 443 Address already in use


#12

Really frustrating. I just recently bought my Raspberry Pi for the sole purpose of running Pi-Hole. I’ve read the instructions at https://docs.pi-hole.net/guides/dns-over-https/ to setup the dns over https through Cloudflared. Then i wanted to be able to access the Pi-hole remotely and setup HTTPS. Those are really the only 2 things i have running on my Raspberry.


#13

Okay, it looks like there is a duplication of directives. Can you run:

sudo ls -lah /etc/lighttpd/conf-enabled

If there are any files in that directory, can you check and see if any reference port 443?


#14

total 8.0K

drwxr-xr-x 2 root root 4.0K Dec 23 09:40 .

drwxr-xr-x 4 root root 4.0K Dec 24 07:31 …

lrwxrwxrwx 1 root root 33 Dec 16 16:07 10-fastcgi.conf -> …/conf-available/10-fastcgi.conf

lrwxrwxrwx 1 root root 40 Dec 23 09:40 10-ssl.conf -> /etc/lighttpd/conf-available/10-ssl.conf

lrwxrwxrwx 1 root root 37 Dec 16 16:07 15-fastcgi-php.conf -> …/conf-available/15-fastcgi-php.conf


#15

Okay, 10-ssl.conf is linked as an active module. That’s being loaded (and if you run sudo cat /etc/lighttpd/conf-available/10-ssl.conf you’ll see a duplicate directive for port 443). If you remove external.conf and restart lighttpd I’m guessing that it will then show that lighttpd is active on port 443.

Potential solution would be to run sudo lighty-disable-mod ssl to disable the 10-ssl.conf configuration. Then you should be able to use external.conf as you have configured and it should work.


#16

hmm. I don’t remember editing this file, but looking at it, it has my custom server settings in it. Do you know what the default file should be for the 10-ssl.conf? Or how i can get it back to default?


#17
# /usr/share/doc/lighttpd/ssl.txt

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"

        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
}

#18

Thanks for your help. Even setting the 10-ssl.conf file back to default didn’t help. Disabling SSL did the trick.


#19

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.