document using -t tls-alpn-01 with lighttpd

author Glenn Strauss <gstrauss@gluelogic.com>

Mon, 22 Feb 2021 20:46:58 +0000 (15:46 -0500)

committer Lukas Schauer <lukas2511@users.noreply.github.com>

Sun, 21 Mar 2021 19:42:23 +0000 (20:42 +0100)
author Glenn Strauss <gstrauss@gluelogic.com>
Mon, 22 Feb 2021 20:46:58 +0000 (15:46 -0500)
committer Lukas Schauer <lukas2511@users.noreply.github.com>
Sun, 21 Mar 2021 19:42:23 +0000 (20:42 +0100)
diff --git a/docs/tls-alpn.md b/docs/tls-alpn.md

index bca54f9306948b24231a7220ac8e2af2961d6e3e..fc19698e91a69bb8f5f754ecef9deaefee441211 100644 (file)
--- a/docs/tls-alpn.md
+++ b/docs/tls-alpn.md
@@ -6,6 +6,26 @@ It will do that for any (sub-)domain you want to sign a certificate for.
  
  Dehydrated generates the required verification certificates, but the delivery is out of its scope.
  
+### Example lighttpd config
+
+lighttpd can be configured to recognize ALPN `acme-tls/1` and to respond to such
+requests using the specially crafted TLS certificates generated by dehydrated.
+Configure lighttpd and dehydrated to use the same path for these certificates.
+(Be sure to allow read access to the user account under which the lighttpd
+server is running.) `mkdir -p /etc/dehydrated/alpn-certs`
+
+lighttpd.conf:
+```
+ssl.acme-tls-1 = "/etc/dehydrated/alpn-certs"
+```
+
+When renewing certificates, specify `-t tls-alpn-01` and `--alpn /etc/dehydrated/alpn-certs` to dehydrated, e.g.
+```
+dehydrated -t tls-alpn-01 --alpn /etc/dehydrated/alpn-certs -c --out /etc/lighttpd/certs -d www.example.com
+# gracefully reload lighttpd to use the new certificates by sending lighttpd pid SIGUSR1
+systemctl reload lighttpd
+```
+
  ### Example nginx config
  
  On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls
author	Glenn Strauss <gstrauss@gluelogic.com>
	Mon, 22 Feb 2021 20:46:58 +0000 (15:46 -0500)
committer	Lukas Schauer <lukas2511@users.noreply.github.com>
	Sun, 21 Mar 2021 19:42:23 +0000 (20:42 +0100)