
How to Configure Let’s Encrypt SSL in Lighttpd Server

I assume you already have Lighttpd installed and serving your web site from a www root directory, e.g. /srv/example.com/htdocs.

Let's obtain a Let's Encrypt SSL certificate for the domain example.com:

export DOMAIN="example.com"

certbot certonly -v -n --webroot \
    --webroot-path "/srv/${DOMAIN}/htdocs" \
    -d "$DOMAIN" \
    --agree-tos \
    --email "hostmaster@${DOMAIN}"

You can run the above command with the --dry-run option to test "renew" or "certonly" without saving any certificates to disk.

After certbot has successfully obtained the certificate, you can find it in the /etc/letsencrypt/live/example.com directory.

According to the Lighttpd Secure HTTP wiki page, you need to concatenate the private key and the certificate into a single PEM file:

cd /etc/letsencrypt/live/${DOMAIN} && \
cat privkey.pem cert.pem > lighttpd.pem && \
cd -

Put SSL config into /etc/lighttpd/conf-enabled/10-ssl.conf:

cat > /etc/lighttpd/conf-enabled/10-ssl.conf << EOF
\$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/letsencrypt/live/$DOMAIN/lighttpd.pem" # default certificate
  \$HTTP["host"] == "$DOMAIN" {
    ssl.pemfile = "/etc/letsencrypt/live/$DOMAIN/lighttpd.pem" # combined private key + certificate
    ssl.ca-file = "/etc/letsencrypt/live/$DOMAIN/chain.pem" # intermediate CA chain
  }
}
EOF

Finally, restart Lighttpd:

service lighttpd restart

and make sure it listens on port 443:

netstat -ltp | grep 'https'

You should see something like this:

tcp    0    0 *:https    *:*    LISTEN    10104/lighttpd

Check that your web site is correctly served via HTTPS using your favourite web browser or with curl:

curl -v --head "https://${DOMAIN}" 2>&1 | grep 'SSL certificate verify ok'

To get even more details, run:

openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN"
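As an added example (not part of the original post), the following script ties together the concatenation step and the verification above: it rebuilds lighttpd.pem with owner-only permissions, checks that the private key actually matches the certificate and that the certificate is not about to expire, and, when certbot invokes it as a --deploy-hook, repeats that after each renewal, since certbot renews privkey.pem and cert.pem but knows nothing about the concatenated file. The self-signed test lineage it generates when run stand-alone is constructed for offline use only; RENEWED_LINEAGE is the environment variable certbot sets for deploy hooks, and `service lighttpd restart` is the command from the post.

```shell
#!/bin/sh
# Added example: rebuild and sanity-check lighttpd's combined PEM file.
# Not part of the original post. Assumes the Let's Encrypt layout shown above
# (privkey.pem and cert.pem in the lineage directory) and the openssl CLI.
set -eu

# build_combined_pem LINEAGE_DIR
#   Writes LINEAGE_DIR/lighttpd.pem as the private key followed by the leaf
#   certificate, readable by the owner only (it contains the private key).
#   Returns 1 if either input file is missing or unreadable.
build_combined_pem() {
    dir="$1"
    [ -r "$dir/privkey.pem" ] && [ -r "$dir/cert.pem" ] || return 1
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && cat "$dir/privkey.pem" "$dir/cert.pem" > "$dir/lighttpd.pem" )
}

# verify_combined_pem FILE
#   Returns 0 when FILE holds a private key and a certificate whose public
#   keys match and the certificate stays valid for at least 7 more days;
#   returns 1 otherwise (no key, mismatched key, or imminent expiry).
verify_combined_pem() {
    pem="$1"
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    openssl x509 -in "$pem" -noout -checkend 604800 >/dev/null
}

# make_test_lineage DIR
#   Constructed input for offline use: a throwaway self-signed key/cert pair
#   laid out like a certbot lineage. Never use this in production.
make_test_lineage() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# When certbot runs this script as --deploy-hook, RENEWED_LINEAGE names the
# live directory of the lineage just renewed (e.g. /etc/letsencrypt/live/example.com).
# certbot does not touch the concatenated file, so rebuild it here and only
# restart lighttpd when the result checks out (set -e aborts otherwise).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE"
    verify_combined_pem "$RENEWED_LINEAGE/lighttpd.pem"
    service lighttpd restart
else
    # Stand-alone run: exercise the functions against a constructed lineage.
    tmp=$(mktemp -d)
    make_test_lineage "$tmp"
    build_combined_pem "$tmp"
    if verify_combined_pem "$tmp/lighttpd.pem"; then
        echo "combined PEM OK: $tmp/lighttpd.pem"
    else
        echo "combined PEM FAILED verification: $tmp/lighttpd.pem"
    fi
    rm -rf "$tmp"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/); the key/certificate match check is what catches a stale lighttpd.pem left behind after a renewal.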