A future release of lighttpd 1.4.x *will not* automatically load mod_openssl #55

Closed
visnetje opened this issue May 30, 2021 · 3 comments · Fixed by #56

Comments

@visnetje
Contributor

When running the image with --env 'USE_SSL=true', I'm seeing the following error:

2021-05-29 17:08:24: (configfile.c.59) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives

I guess if you want to make sure the SSL module is included only when you are actually using it, the server.modules line in files/lighttpd.conf needs to be inserted conditionally.

Is that easy to fix?

@visnetje
Contributor Author

I noticed that you are already using sed to do some replacing in Lighttpd configuration files.
Since we know the value of server.modules (set in files/lighttpd.conf), a simple solution might be to add something like this to files/entrypoint.sh:

sed -i -r '/^server\.modules/s# \)#, "mod_openssl" \)#' /etc/lighttpd/lighttpd.conf

In context that could be:

        if [ "$USE_SSL" = true ]; then
                # Do not generate a certificate if user already mapped the file with docker --volume
                if [ ! -e /etc/lighttpd/server.pem ]; then
                        # Generate certificate file as needed
                        cd /etc/lighttpd
                        openssl genrsa -des3 -passout pass:1234 -out server.pass.key 2048
                        openssl rsa -passin pass:1234 -in server.pass.key -out server.key
                        openssl req -new -key server.key -out server.csr \
                                -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
                        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
                        cat server.key server.crt > server.pem
                        chown "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" server.pem
                        chmod 0600 server.pem
                        rm -f server.pass.key server.key server.csr server.crt
                fi
                # Reconfigure lighttpd to use ssl
                echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf
                echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf
                sed -i -r '/^server\.modules/s# \)#, "mod_openssl" \)#' /etc/lighttpd/lighttpd.conf
        fi
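The sed one-liner proposed above depends on two things a practitioner would want to verify before shipping it in an entrypoint: it only matches when the whole server.modules list sits on one line (it looks for " )" on the same line as "server.modules"), and it is not idempotent, so if /etc/lighttpd is persisted (for example mounted as a volume) and the container restarts, "mod_openssl" is appended again on every start. The script below is an added example, not code from the docker-backuppc project or from the issue author. It assumes files/lighttpd.conf uses the single-line form of server.modules (a constructed sample is used here) and GNU sed, as the original snippet already does; the guarded variant and its function names are this example's own.

```shell
#!/bin/sh
# Added example (not project code): exercise the proposed sed edit against
# constructed lighttpd.conf samples, show that it is not idempotent, and show
# a guarded variant that is safe to re-run and fails loudly when nothing matched.
set -eu

# Constructed sample: single-line server.modules list, the shape the sed
# pattern expects (assumed to match files/lighttpd.conf in the image).
write_single_line_conf() {
    printf '%s\n' 'server.modules = ( "mod_access", "mod_alias", "mod_accesslog" )' > "$1"
}

# Constructed sample: the multi-line form lighttpd also accepts. The proposed
# sed never matches it because the closing ")" is not on the server.modules line.
write_multi_line_conf() {
    printf '%s\n' 'server.modules = (' '        "mod_access",' '        "mod_alias",' ')' > "$1"
}

# The exact substitution from the comment above.
add_mod_openssl_naive() {
    sed -i -r '/^server\.modules/s# \)#, "mod_openssl" \)#' "$1"
}

# Same edit, but skipped when mod_openssl is already listed, and returning
# non-zero if the pattern did not match, so the entrypoint can abort instead
# of starting lighttpd with ssl.* directives and no TLS module loaded.
add_mod_openssl_idempotent() {
    if grep -q '"mod_openssl"' "$1"; then
        return 0
    fi
    sed -i -r '/^server\.modules/s# \)#, "mod_openssl" \)#' "$1"
    grep -q '"mod_openssl"' "$1"
}

# Number of "mod_openssl" occurrences in the file (occurrences, not lines).
count_mod_openssl() {
    grep -o '"mod_openssl"' "$1" | wc -l | tr -d ' '
}

# Demonstration on constructed files, so the script runs stand-alone.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

write_single_line_conf "$tmp/naive.conf"
add_mod_openssl_naive "$tmp/naive.conf"
add_mod_openssl_naive "$tmp/naive.conf"
echo "naive sed, run twice:       $(count_mod_openssl "$tmp/naive.conf") occurrence(s)"   # 2

write_single_line_conf "$tmp/guarded.conf"
add_mod_openssl_idempotent "$tmp/guarded.conf"
add_mod_openssl_idempotent "$tmp/guarded.conf"
echo "guarded variant, run twice: $(count_mod_openssl "$tmp/guarded.conf") occurrence(s)"   # 1

write_multi_line_conf "$tmp/multi.conf"
add_mod_openssl_naive "$tmp/multi.conf"
echo "multi-line list, naive sed: $(count_mod_openssl "$tmp/multi.conf") occurrence(s), file silently unchanged"   # 0
```

Two practical notes. First, lighttpd's config language supports `server.modules += ( "mod_openssl" )`, so appending that line next to the `ssl.engine` and `ssl.pemfile` lines the entrypoint already writes avoids depending on how the list is formatted; it still needs the same guard against being appended twice. Second, after the edit, `lighttpd -t -f /etc/lighttpd/lighttpd.conf` (or `-tt` in recent 1.4.x releases, which also loads the listed modules) is a cheap check that the resulting file parses and the module is present before the server is started.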

@gstrauss

Thanks, @visnetje.

I am a lighttpd developer and hope this context helps:
FYI: Historically, openssl TLS support in lighttpd was part of the lighttpd core. When mod_openssl became a standalone module in lighttpd 1.4.46, lighttpd tried to keep compatibility with existing configs by automatically loading mod_openssl. Since lighttpd 1.4.56, lighttpd provides multiple TLS alternatives to mod_openssl, including mod_gnutls, mod_mbedtls, mod_nss, and mod_wolfssl, so the admin has multiple choices for TLS support in lighttpd.

@adferrand
Owner

Thanks for the input. So I will integrate @visnetje's proposal to have an explicit load of the TLS module.
