Enabling https access?

I have long been using PiAware on my RPI. Recently, I’m starting to work on setting up my personal blog on my NAS. For added security, I enabled HTTPS and set auto-redirect from HTTP to enabled. Certificate is autorenewed on my NAS and the NAS’s DDNS handles the DNS.

This works fine with accessing my blog and the NAS perfectly. However, I’m not sure how to set RPI to work with https only. I mean I can access it by using my external IP, by using http in incognito mode using my personal domain; but I can’t in normal browsing since either the cookie or something is always forcing me to connect to https when I use my personal domain.

I tried deleting the security policy for my domain. It works for the first time. But as long as I access my blog for once, it will pick up the policy again and start forcing me to go to https…

I was trying to get the same result. I found this site:

One of their setup steps directed me to https://certbot.eff.org/ (for Debian 9 Stretch) and there, after I did the first steps… I got lost at the step that required installation of webroot plug-in.

Don’t really know how you create a certificate though or maybe that is the first step.
Oh yeah it creates a certificate but you will need to allow it in the browser to work.

My NAS has the function to apply for a certificate from Let’s Encrypt and automatically renew it for me, so I don’t need to worry about its short duration. But I don’t know how to automatically import that to the RPi or even how to get it to use any certificate…

I just posted a link on how to enable SSL on lighttpd.

Just ssh into the RPI and carry out the instructions on the linked page.

Aaand…

pi@raspberrypi:~ $ cd /etc/lighttpd/certs
-bash: cd: /etc/lighttpd/certs: No such file or directory
pi@raspberrypi:~ $

sudo mkdir /etc/lighttpd/certs

Use sudo for the openssl command as well.

I did that and the web server page is not working anymore.

LE:
I had to comment the lines added by this instruction, to bring it back alive.

Then edit /etc/lighttpd/lighttpd.conf and add:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
}

After restarting the webserver, you should be able to access your webserver through https.
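The same steps (create the certs directory, generate the PEM with sudo, add the :443 block, restart) collected into one script, as an added example that is not from this thread or from the linked page. It assumes Debian's /etc/lighttpd paths, a hypothetical host name for the certificate subject, and that openssl and lighttpd are installed; the PEM is written to an absolute path so it does not matter which directory you run it from.

```shell
# Added example: self-signed PEM plus :443 listener for lighttpd on a Raspberry Pi.
# Assumes Debian/Raspbian paths; override with CERT_DIR / LIGHTTPD_CONF if needed.
set -eu

CERT_DIR="${CERT_DIR:-/etc/lighttpd/certs}"
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"

# Generate a self-signed key and certificate and concatenate them into the
# single PEM file lighttpd's ssl.pemfile expects. The key is private, so the
# file and directory are readable by root only (lighttpd reads it as root at startup).
make_selfsigned_pem() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -keyout "$dir/lighttpd.key" -out "$dir/lighttpd.crt" >/dev/null 2>&1
    cat "$dir/lighttpd.key" "$dir/lighttpd.crt" > "$dir/lighttpd.pem"
    rm -f "$dir/lighttpd.key" "$dir/lighttpd.crt"
    chmod 600 "$dir/lighttpd.pem"
    chmod 700 "$dir"
}

# The $SERVER["socket"] block from the reply above, with straight ASCII quotes
# (curly quotes from a copy-paste are a syntax error for lighttpd).
ssl_block() {
    printf '$SERVER["socket"] == ":443" {\n    ssl.engine = "enable"\n    ssl.pemfile = "%s"\n}\n' "$1"
}

# Prepend the block to the config (the thread suggests the beginning rather than
# the end of the file), and do nothing if SSL is already configured.
enable_ssl_in_conf() {
    conf="$1"; pem="$2"
    if grep -q 'ssl.engine' "$conf" 2>/dev/null; then
        echo "ssl already configured in $conf"; return 0
    fi
    { ssl_block "$pem"; cat "$conf"; } > "$conf.new"
    mv "$conf.new" "$conf"
}

# Syntax-check the config first so a typo does not take the web server down,
# which is what happened earlier in this thread.
check_and_restart() {
    lighttpd -tt -f "$1" && systemctl restart lighttpd
}

# Usage (as root):
#   make_selfsigned_pem "$CERT_DIR" piaware.local   # piaware.local is a placeholder host name
#   enable_ssl_in_conf "$LIGHTTPD_CONF" "$CERT_DIR/lighttpd.pem"
#   check_and_restart "$LIGHTTPD_CONF"
```

Port 443 must still be forwarded on the router for access from outside, as the thread found; the browser will warn about the self-signed certificate until you accept it.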

Is there a PEM file in that location?
Did you create one?
Here’s generally how it’s done, but with a cert from a CA. If you did a self-signed one, it pretty much works the same way.

https://knowledge.digicert.com/solution/SO20108.html

That link that wiedehopf posted starts with creation of the certificate at that location.

So did you check that the creation worked?

Anyway check the logs.

journalctl -e -t lighttpd -n 50 --no-pager

Shoot, there isn’t. What the what…

I guess it needed sudo in front.
LE: Nope, didn’t create one either.

Then the command put out an error?
It should if it’s not creating a pem file.

(maybe openssl is not installed? anyway that’s what error messages are for)

Nope, it went through the whole process, asked me questions and such…
At some questions I have answered with Enter.

LE: I forgot to cd at the beginning, so the cert was in my home directory. So I have moved it.

Now, if I try to access that page via https I get 404 - Not Found
The http works.

You have changed back the config, I assume?

Where did you add the $SERVER thing to the config?
Maybe you put it at the end of the file.
Try it at the beginning.

That’s at the end of config file.

Yeah, as I wrote in the edit, try it at the beginning of the config.

Otherwise all the stuff getting defined will not affect the page being served on 443, so there is no page there or something :wink:

Got it. Needed to forward the 443 in the router.
Thanks!

I’m so sorry to reply to this later, but I can’t find any more info on this for FlightAware. I’ve done all the steps performed here, and I’m still getting 404 errors when trying to access the web interface through https. The cert file works fine, I’ve forwarded 443, and I have the edit to the config at the beginning. Sorry for the necropost, but I would really appreciate some help.

https://192.168.7.217:8080/ doesn’t work
but http://192.168.7.217:8080/ works fine

I have a solution but it may not work for you. First, I don’t really care about security when accessing it from the local network. So this only works for external access. The way I did it was setting up a reverse proxy on my NAS. Basically, when accessing using my personal domain, the router points the secured traffic to my NAS first, and then the NAS further points that traffic to the unsecured port on the RPi. Since my NAS handles all SSL certificates and so on, I find it a good solution. If you only have the RPi, you have to research how to set up a reverse proxy on the RPi as well as handling certificates.