Jump to content
Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble
Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble

How to configure Lighttpd web server with free Let’s Encrypt SSL certificate on Debian or Ubuntu Linux

Recommended Posts

Iread your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use Lighttpd web server on AWS cloud. How do I secure my Lighttpd web server with Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04 LTS or Debian Linux 8.x server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. You can grab free TLS/SSL certificate to create encrypted HTTPS session for your site visitors. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for Lighttpd web server along with how to properly deploy Diffie-Hellman on your Lighttpd server to get SSL labs A+ score.


Our sample setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • Lighttpd DocumentRoot (root) path : /var/www/html/
  • Lighttpd TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP:

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:
$ sudo apt-get install git bc wget curl
Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux

Fig.02: Install git and bc on Ubuntu/Debian Linux


Step 2 – Clone repo

Type the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

Fig.03: Clone the acme.sh client using git

Rest of all command need to be type as root user. Become root user:
$ sudo -i


Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual server.document-root path as per your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:



Step 6 – Issue a certificate for your domain

The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:
# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096
Sample outputs:

Fig.04: Issue a certificate

Fig.04: Issue a certificate


Step 7 – Enable ssl for Lighttpd

Type the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:

# turn on ssl #
	$SERVER["socket"] == "" {
	    ssl.engine   = "enable"
	    ssl.disable-client-renegotiation = "enable"
	    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
	    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
	    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
	    # ECDH/ECDHE ciphers curve strength 
	    ssl.ec-curve              = "secp384r1"
	    ssl.use-compression     = "disable"
	    # Environment flag for HTTPS enabled
	    setenv.add-environment = (
	        "HTTPS" => "on"
	    ssl.use-sslv2 = "disable"
	    ssl.use-sslv3 = "disable"
	    ssl.honor-cipher-order    = "enable"
  	    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
	    # HSTS(15768000 seconds = 6 months)
	    setenv.add-response-header  = (
	        "Strict-Transport-Security" => "max-age=15768000;"

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook for lighttpd ssl.pem file as follows:
# vi /root/.acme.sh/www.cyberciti.biz/hook.sh
Append the following script:

dom="www.cyberciti.biz"                   #your domain name 
dest="/etc/lighttpd/ssl/cyberciti.biz"    #lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             #acme.sh root path for your domain
### NO edit below ###
sslfile="${dest}/ssl.pem"                  #lighttpd .pem file path
certfile="${croot}/${dom}.cer"             #lighttpd certficate file path        
keyfile="${croot}/${dom}.key"              #lighttpd key file path 
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:
# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh
Above script will create a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem =cert+privkey). Type the following command to install certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.cyberciti.biz \
--capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd running on port 443
# netstat -tulpn | grep ':443'
tcp 0 0* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:
# ufw allow proto tcp from any to port 443
Type the following url in your browser:

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/


Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.