In /etc/lighttpd/lighttpd.conf, I made the following two changes.
- commented out the include_shell line
- added an include line
#include_shell "cat external.conf 2>/dev/null"
include "/etc/lighttpd/external.conf"
After that, I restarted the lighttpd service, and now I am not getting SSL errors anymore.
[root@PiHole lighttpd]# cat /var/log/lighttpd/error.log
2020-04-14 22:11:05: (server.c.1488) server started (lighttpd/1.4.55)
Then I checked whether the server is listening on port 443 or not.
[root@PiHole lighttpd]# ss -tpln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=898,fd=14))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=28913,fd=4))
LISTEN 0 32 0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=4880,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=921,fd=5))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("lighttpd",pid=28913,fd=5))
LISTEN 0 5 127.0.0.1:4711 0.0.0.0:* users:(("pihole-FTL",pid=4880,fd=14))
LISTEN 0 128 [::]:5355 [::]:* users:(("systemd-resolve",pid=898,fd=16))
LISTEN 0 32 [::]:53 [::]:* users:(("pihole-FTL",pid=4880,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=921,fd=7))
LISTEN 0 5 [::1]:4711 [::]:* users:(("pihole-FTL",pid=4880,fd=15))
[root@PiHole lighttpd]#
When I tried to make a secure connection using curl from the client computer (MacBook Pro) to the Pi-hole server, the connection was refused.
pranav@Pranavs-MacBook-Pro ~ % curl -v --insecure https://pihole.homelabusa.com
* Trying 192.168.10.50...
* TCP_NODELAY set
* Connection failed
* connect to 192.168.10.50 port 443 failed: Connection refused
* Failed to connect to pihole.homelabusa.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to pihole.homelabusa.com port 443: Connection refused
pranav@Pranavs-MacBook-Pro ~ %
What you had posted earlier definitely helped me fix the SSL config for lighttpd.
However, I am still not able to make a secure connection to the server.
The next logical thing was to test the secure connection using the loopback interface.
[root@PiHole lighttpd]# openssl s_client -showcerts -connect pihole.homelabusa.com:443 </dev/null
CONNECTED(00000003)
139635973666624:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 329 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I still think that something in the lighttpd SSL config in external.conf is not right,
because we still get the following error while testing SSL using openssl.
error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112
Could you please guide me on the proper way to configure SSL for lighttpd?
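A repeatable version of the two TLS checks made in this post, added here as an example (it is not code from the poster or from the Pi-hole project); it assumes openssl(1) is installed and that the caller supplies the host and port, and it sends the SNI name explicitly so that a "tlsv1 unrecognized name" (alert 112) can be told apart from a refused connection or a missing certificate:

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes openssl(1).

# classify_tls_output: read openssl s_client output on stdin and print one
# word describing where the handshake stopped. Order matters: a refused
# TCP connect and an alert 112 are checked before the generic
# "no peer certificate available" line, which accompanies both.
classify_tls_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Connection refused'; then
        echo refused            # nothing accepting on that address:port, or a filter in between
    elif printf '%s\n' "$out" | grep -q 'SSL alert number 112'; then
        echo unrecognized_name  # server has no vhost/certificate for the SNI name it received
    elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo no_certificate     # handshake aborted before a certificate was sent
    elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo certificate        # server sent its certificate chain
    else
        echo unknown
    fi
}

# probe_tls HOST [PORT] [SNI]: connect and send SNI explicitly (defaults to HOST).
probe_tls() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" -showcerts \
        </dev/null 2>&1 | classify_tls_output
}

# compare_sni HOST [PORT]: run the probe with and without SNI, so a name
# mismatch in the server's TLS vhost configuration shows up as a difference.
compare_sni() {
    host=$1; port=${2:-443}
    echo "with SNI ($host): $(probe_tls "$host" "$port" "$host")"
    echo "without SNI:       $(openssl s_client -connect "$host:$port" -noservername \
        </dev/null 2>&1 | classify_tls_output)"
}
```

Run `compare_sni pihole.homelabusa.com` on the server itself and from the client; the loopback result shows whether the listener has a certificate for that name, and the client result shows whether the connection reaches the listener at all.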