Something very small I finally fixed today: Certbot, the tool to get Let's Encrypt SSL/TLS certificates, doesn't support the lighttpd webserver. For some other webservers it can automatically deploy its output and restart the server, but not for lighty. It does automatically renew the certificates every so often, but that doesn't do much good without copying over the files.

Fortunately certbot does have a flag to do whatever you want for deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
    --deploy-hook DEPLOY_HOOK
                            Command to be run in a shell once for each
                            successfully issued certificate. For this command, the
                            shell variable $RENEWED_LINEAGE will point to the
                            config live subdirectory (for example,
                            "/etc/letsencrypt/live/example.com") containing the
                            new certificates and keys; the shell variable
                            $RENEWED_DOMAINS will contain a space-delimited list
                            of renewed certificate domains (for example,
                            "example.com www.example.com" (default: None)

And so, assuming you keep your certificates in /etc/lighttpd/certificate/your.host.name.pem:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/env bash

# -e causes the script to exit when any command fails; -u makes undefined
# variable expansions a failure.
set -eu

if [ "$EUID" -ne 0 ]; then
    echo  "Please run as root"
    exit 1
fi

# Get the domain name from the RENEWED_LINEAGE env var
domain=$(basename $RENEWED_LINEAGE)
# Copy the two certificate files to lighty's preferred single-file format
cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/cert.pem \
  > /etc/lighttpd/certificate/$domain.pem
# The full chain is identical between all certs
cp $RENEWED_LINEAGE/fullchain.pem /etc/lighttpd/certificate/

systemctl restart lighttpd

Run certbot [run, renew] --deploy-hook /path/to/lighty-cert-deploy.sh and you're set. The deployment hook is added to certbot's auto-renewal configuration as well, so you can forget about it forever.