This documentation is no longer maintained by the Turris team (although it can be used by the community to share content). The current official documentation is at docs.turris.cz.

Let's Encrypt with Lighttpd (Simple)

This is a guide about how to use Let’s Encrypt certificates on a Turris Omnia router.

This guide assumes that you already have a (dynamic) domain pointing to your router and that its IP is updated when the IP of your router changes. It also assumes that you don't forward port 80 to any other device in your network.

In this guide we'll not change any files that were pre-installed. We'll only add new files. (With the exception of the self-signed TLS certificate that was generated on your router when it first started.)

The guide was first published on brainfood.xyz.

If you share these steps, please link either to this site or to the original article.

Connect to your Router

For any of these steps, you need to ssh to your router:

ssh root@your-router.domain

Install acme.sh

The following command will install acme.sh (a Let's Encrypt client) in /root/.acme.sh/ and create a cronjob for it. Adjust the email address to receive emails should a certificate expire.

cd /root
curl https://get.acme.sh | sh

Set default ACME Server

acme.sh v3.0 (released August 2021) uses ZeroSSL as its default CA. Let's Encrypt remains fully supported, but it must be explicitly chosen as the default ACME server:

./.acme.sh/acme.sh --set-default-ca --server letsencrypt

Register Account with CA

EMAIL=email@your-router.domain
./.acme.sh/acme.sh --accountemail "$EMAIL" --register-account # First Time Only
./.acme.sh/acme.sh --accountemail "$EMAIL" --update-account

Configure Lighttpd

We’re going to use acme.sh in webroot mode. Therefore we must slightly extend lighttpd’s config so that challenge requests for /.well-known/acme-challenge/ are served from a directory acme.sh can write to (alias.url is provided by lighttpd's mod_alias, which must be loaded for the directive to work).

echo 'alias.url += ( "/.well-known/acme-challenge/" => "/www/letsencrypt/.well-known/acme-challenge/")' \
     > /etc/lighttpd/conf.d/letsencrypt.conf
mkdir -p /www/letsencrypt/.well-known/acme-challenge/

Lighttpd must be restarted for the above configuration to take effect:

/etc/init.d/lighttpd restart

Configure the Firewall

This adds a rule to your firewall which is disabled by default. When enabled, the rule allows traffic to port 80 on your router. Every time a certificate is renewed, this rule will be temporarily enabled by the pre-hook and automatically disabled again by the post-hook once the renewal attempt has finished, so port 80 is only reachable from the WAN for the duration of the ACME challenge.

uci set firewall.letsencrypt=rule
uci set firewall.letsencrypt.target=ACCEPT
uci set firewall.letsencrypt.src=wan
uci set firewall.letsencrypt.proto=tcp
uci set firewall.letsencrypt.dest_port=80
uci set firewall.letsencrypt.name='allow http on wan'
uci set firewall.letsencrypt.enabled=0
uci commit firewall
/etc/init.d/firewall reload

Note: Make sure that traffic from the wan zone to the input chain is allowed; otherwise the rule above has no effect and the HTTP-01 challenge cannot reach lighttpd.

Issue the First Certificate

DOMAIN=your-router.domain
/root/.acme.sh/acme.sh \
    --issue \
    -d "$DOMAIN" \
    -w /www/letsencrypt/ \
    --pre-hook "uci set firewall.letsencrypt.enabled=1; uci commit firewall; /etc/init.d/firewall reload" \
    --post-hook "uci set firewall.letsencrypt.enabled=0; uci commit firewall; /etc/init.d/firewall reload" \
    --reloadcmd "cat /root/.acme.sh/$DOMAIN/$DOMAIN.cer /root/.acme.sh/$DOMAIN/$DOMAIN.key > /etc/lighttpd-self-signed.pem; /etc/init.d/lighttpd restart"

acme.sh will automatically renew the certificate after it’s issued for the first time.
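The reloadcmd above writes the new certificate and its private key into one PEM file, and the post-hook is what closes port 80 again. The following script is an added example (it is not part of the original guide and not acme.sh's own code) that checks both after a renewal: that the bundle contains the certificate before the key, as lighttpd expects, that the file is not readable by other users now that it holds key material, and that the firewall rule is back to enabled=0. It assumes the file path and the UCI rule name used in this guide.

```shell
#!/bin/sh
# check-le-state.sh: post-renewal sanity check for the setup in this guide.
# Added example, not from the original guide. Assumed values (from the guide):
#   bundle file: /etc/lighttpd-self-signed.pem
#   firewall rule: firewall.letsencrypt

# Return 0 if FILE holds a certificate block followed by a private key block
# (lighttpd reads the certificate first, then the key, from ssl.pemfile).
pem_has_cert_then_key() {
    f=$1
    [ -f "$f" ] || return 1
    cert_line=$(grep -n '^-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n -E '^-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$cert_line" ] && [ -n "$key_line" ] && [ "$cert_line" -lt "$key_line" ]
}

# Return 0 if FILE is not readable by group or others. The '>' redirection in
# the reloadcmd keeps the existing mode of the file, or creates it with the
# shell's umask if it did not exist, so the mode is worth checking.
pem_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # find prints the path only when a group- or other-read bit is set
    [ -z "$(find "$f" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# Read 'uci show firewall.letsencrypt' output on stdin; return 0 if the rule
# is disabled, i.e. the post-hook closed port 80 again after the renewal.
rule_is_disabled() {
    grep -q -E "^firewall\.letsencrypt\.enabled='?0'?$"
}

# Run all checks against FILE (default: the path used in the guide) and
# report each result; return non-zero if any check fails.
check_le_state() {
    f=${1:-/etc/lighttpd-self-signed.pem}
    status=0
    if pem_has_cert_then_key "$f"; then
        echo "ok: $f contains the certificate followed by the private key"
    else
        echo "FAIL: $f lacks the certificate or key, or has them in the wrong order" >&2
        status=1
    fi
    if pem_is_private "$f"; then
        echo "ok: $f is not readable by other users"
    else
        echo "FAIL: $f is group/world readable; consider: chmod 600 $f" >&2
        status=1
    fi
    # Only meaningful on the router, where uci exists.
    if command -v uci >/dev/null 2>&1; then
        if uci show firewall.letsencrypt 2>/dev/null | rule_is_disabled; then
            echo "ok: firewall rule letsencrypt is disabled (port 80 closed)"
        else
            echo "FAIL: firewall rule letsencrypt is still enabled or missing" >&2
            status=1
        fi
    fi
    return $status
}

# Usage: sh check-le-state.sh [/path/to/bundle.pem]
if [ $# -gt 0 ]; then
    check_le_state "$1"
fi
```

Run it on the router after the first issue (and after any renewal you want to confirm); a non-zero exit means either the bundle or the firewall state does not match what the hooks are supposed to leave behind.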