
I need some help on this subject. I have many domains in the same lighttpd config, and I will move to a Let's Encrypt cert, so I'm simulating on a dummy server.

I have the following:

$HTTP["url"] !~ "^/.well-known/acme-challenge/.*$" {

        $HTTP["host"] == "autosslxlm3.ddns.net" {

                $SERVER["socket"] == ":443" {
                        ssl.engine = "enable"
                        ssl.ca-file = "/etc/letsencrypt/live/autosslxlm3.ddns.net/chain.pem"
                        ssl.pemfile = "/etc/letsencrypt/live/autosslxlm3.ddns.net/web.pem"
                }
                proxy.balance = "round-robin"
                proxy.server = ("" => (
                        ( "host" => "127.0.0.1", "port" => 8888 ))
                )
        }
}

If I access it over https, I get the following error in lighttpd error.log:

no certificate/private key for TLS server name autosslxlm3.ddns.net

Which is not true, as it is there, and if I remove the line

$HTTP["url"] !~ "^/.well-known/acme-challenge/.*$" {

(and of course the closing bracket at the bottom), it works perfectly in https! But that will not make it possible to renew the cert, as /.well-known/... will be forwarded to what's running on port 8888, while it should go to some folder on the system.

With the full config, if I also change anything, for example the pem file location, lighttpd will not start, so it is reading the configuration correctly; but with that first line the certificate is considered "invalid" or not present.

lighttpd/1.4.53

Thanks in advance

  • While I haven't used lighttpd in a long time, I think the problem makes sense considering that `$HTTP["url"] !~ "^/.well-known/acme-challenge/.*$"` relies on the HTTP request path. Things then become rather backwards when the TLS/SSL configuration (required to establish the connection *before* the request can happen) is dependent on that path. Can you just reorder the conditions somehow? – Håkan Lindqvist Sep 10 '20 at 13:51

1 Answer


Configure the socket at the top level, not nested in the other conditions.

$SERVER["socket"] == ":443" { ... }

TLS and certificate selection occur before the HTTP request URL is known, so that $HTTP["url"] condition cannot evaluate to true until after the TLS connection is set up.

gstrauss
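The layout the answer describes, written out as an added example (this is not gstrauss's or the asker's config): the TLS socket is configured at the top level so certificate selection never depends on a request path, and the URL test only decides where the request goes afterwards. The ACME webroot `/var/www/acme` is an assumed path; the certificate paths are the ones from the question.

```lighttpd
# Added example, not from the question or the answer.
# TLS is decided per socket, before any request line exists, so the
# certificate settings live directly under $SERVER["socket"].
$SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        # Default certificate for this socket (required alongside ssl.engine).
        ssl.ca-file = "/etc/letsencrypt/live/autosslxlm3.ddns.net/chain.pem"
        ssl.pemfile = "/etc/letsencrypt/live/autosslxlm3.ddns.net/web.pem"
        # Further domains on the same socket are selected by SNI here,
        # each in its own $HTTP["host"] block with its own pemfile
        # (hostname and paths below are placeholders):
        # $HTTP["host"] == "other.example" {
        #         ssl.pemfile = "/etc/letsencrypt/live/other.example/web.pem"
        #         ssl.ca-file = "/etc/letsencrypt/live/other.example/chain.pem"
        # }
}

# Request routing is evaluated only once a request has arrived,
# so $HTTP["url"] belongs here, not around the TLS settings.
$HTTP["host"] == "autosslxlm3.ddns.net" {
        # ACME http-01 challenges are answered from a local directory
        # (assumed path; the ACME client writes its tokens there).
        $HTTP["url"] =~ "^/.well-known/acme-challenge/" {
                server.document-root = "/var/www/acme"
        }
        # Everything else is proxied to the application on port 8888.
        $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
                proxy.balance = "round-robin"
                proxy.server = ("" => (
                        ( "host" => "127.0.0.1", "port" => 8888 ))
                )
        }
}
```

Run `lighttpd -t -f /etc/lighttpd/lighttpd.conf` after the change to confirm the file still parses before reloading.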