I assume you already have Lighttpd installed and serving your web site from a document root such as /srv/example.com/htdocs.
Let's obtain a Let's Encrypt TLS certificate for the domain example.com. The webroot method below works by letting certbot drop ACME challenge files under that document root, so the site must already be reachable over plain HTTP on port 80:
export DOMAIN="example.com"
certbot certonly -v -n --webroot \
--webroot-path "/srv/${DOMAIN}/htdocs" \
-d "$DOMAIN" \
--agree-tos \
--email "hostmaster@${DOMAIN}"
You can add the --dry-run option to the above command to test "certonly" (or, later, "renew") against the Let's Encrypt staging environment without saving any certificates to disk.
After certbot has successfully obtained the certificate, you will find it in the /etc/letsencrypt/live/example.com directory. The files there are symlinks into /etc/letsencrypt/archive that certbot repoints on every renewal, so anything you derive from them has to be regenerated after each renewal.
According to the Lighttpd Secure HTTP wiki page, the private key and the certificate must be concatenated into a single PEM file (lighttpd 1.4.53 and later also accept the key separately via ssl.privkey, so the concatenation is only required on older versions). Because the result contains the private key, create it under a restrictive umask so it is never world-readable, not even briefly:
( umask 077 && cd /etc/letsencrypt/live/${DOMAIN} && cat privkey.pem cert.pem > lighttpd.pem )
This writes a regular file next to certbot's symlinks; it is not touched when certbot renews the certificate, so the same concatenation must be repeated after every renewal (a certbot deploy hook is the usual place for it), otherwise Lighttpd keeps serving the expired certificate.
Put the SSL config into /etc/lighttpd/conf-enabled/10-ssl.conf (the heredoc is unquoted on purpose so that $DOMAIN expands, while \$SERVER and \$HTTP are escaped to stay literal):
cat > /etc/lighttpd/conf-enabled/10-ssl.conf << EOF
\$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/$DOMAIN/lighttpd.pem" # default certificate (combined key + cert)
    \$HTTP["host"] == "$DOMAIN" {
        ssl.pemfile = "/etc/letsencrypt/live/$DOMAIN/lighttpd.pem" # combined certificate
        ssl.ca-file = "/etc/letsencrypt/live/$DOMAIN/chain.pem" # intermediate chain sent to clients (not the root CA)
    }
}
EOF
Finally, check the configuration syntax and restart Lighttpd (a broken config would otherwise take the site down on restart):
lighttpd -t -f /etc/lighttpd/lighttpd.conf && service lighttpd restart
and make sure it listens on port 443:
netstat -ltp | grep 'https'
(on systems without netstat, ss -ltnp | grep ':443' shows the same thing). You should see something like this:
tcp 0 0 *:https *:* LISTEN 10104/lighttpd
Check that your web site is correctly served via HTTPS using your favourite web browser or with curl:
curl -v --head "https://${DOMAIN}" 2>&1 | grep 'SSL certificate verify ok'
To get even more details, including the certificate chain the server actually sends, run:
openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" -showcerts </dev/null
Pass -servername so the handshake carries SNI and is matched by the \$HTTP["host"] block above rather than falling back to the default certificate, and look for "Verify return code: 0 (ok)" at the end of the output: a non-zero code usually means the intermediate chain from chain.pem is not being sent.
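The concatenation step above has to be repeated after every renewal, and the resulting file holds the private key. The following certbot deploy hook ties the whole procedure together: it rebuilds lighttpd.pem with owner-only permissions, refuses to proceed if the key and certificate do not belong together, and only then restarts Lighttpd. This is an added example, not code from the original post or from the certbot or Lighttpd projects. Assumptions: the script is installed as /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh (certbot runs executables in that directory after each successful renewal and exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.com, to them), and the output file name lighttpd.pem matches the config above.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook for Lighttpd.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh
# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory)
# when it invokes deploy hooks after a successful renewal.

# build_pem LINEAGE_DIR OUTFILE
# Concatenate privkey.pem and cert.pem into OUTFILE with mode 0600. The data is
# written under umask 077 to a temp file and renamed into place, so no reader
# ever sees a half-written or world-readable file containing the private key.
build_pem() {
    lineage="$1"
    out="$2"
    tmp="${out}.tmp.$$"
    ( umask 077 && cat "${lineage}/privkey.pem" "${lineage}/cert.pem" > "$tmp" ) || {
        rm -f "$tmp"
        return 1
    }
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# pem_has_key_and_cert FILE
# Succeed only if FILE carries both a private key block and a certificate block.
pem_has_key_and_cert() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# key_matches_cert KEYFILE CERTFILE
# Compare the public key derived from the private key with the public key in
# the certificate. A mismatched pair would make Lighttpd refuse to start.
# Fails closed when openssl is missing or either file is not valid PEM.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# file_mode FILE: print the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

main() {
    lineage="${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE for deploy hooks}"
    out="${lineage}/lighttpd.pem"   # the file ssl.pemfile points at

    key_matches_cert "${lineage}/privkey.pem" "${lineage}/cert.pem" || {
        echo "refusing to deploy: key and certificate in ${lineage} do not match" >&2
        exit 1
    }
    build_pem "$lineage" "$out" || exit 1
    pem_has_key_and_cert "$out" || {
        echo "refusing to restart: ${out} is incomplete" >&2
        exit 1
    }
    [ "$(file_mode "$out")" = "600" ] || {
        echo "refusing to restart: ${out} is not mode 0600" >&2
        exit 1
    }
    # Restart, as in the setup above, so the new certificate is picked up.
    service lighttpd restart
}

# Act only when certbot invoked us (RENEWED_LINEAGE set); otherwise the
# functions can be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Make the hook executable (chmod 755) and run it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com to confirm it works before relying on it; certbot renew --dry-run does not execute deploy hooks, so a dry run alone does not exercise it.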