How to configure Lighttpd web server with free Let’s Encrypt SSL certificate on Debian or Ubuntu Linux

Posted on in Categories , , , last updated March 13, 2017

I read your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use Lighttpd web server on AWS cloud. How do I secure my Lighttpd web server with Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04 LTS or Debian Linux 8.x server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. You can grab free TLS/SSL certificate to create encrypted HTTPS session for your site visitors. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for Lighttpd web server along with how to properly deploy Diffie-Hellman on your Lighttpd server to get SSL labs A+ score.

Our sample setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux
Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux
  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • Lighttpd DocumentRoot (root) path : /var/www/html/
  • Lighttpd TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP: 74.86.26.69

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:
$ sudo apt-get install git bc wget curl
Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux
Fig.02: Install git and bc on Ubuntu/Debian Linux

Step 2 – Clone repo

Type the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git
Fig.03: Clone the acme.sh client using git

Rest of all command need to be type as root user. Become root user:
$ sudo -i

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual server.document-root path as per your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:

Generating DSA parameters, 4096 bit long prime
.....+..............+......+.+..........+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
+....................................+............+..........................+.+.....+.+.....+...........+..........+........+...+..+...+..+............+......+.....+....+......+......................................+..+.....+.+............+....+.+.+..+........+...+.............+..+........+++++++++++++++++++++++++++++++++++++++++++++++++++*

Step 6 – Issue a certificate for your domain

The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:
# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096
Sample outputs:

Fig.04: Issue a certificate
Fig.04: Issue a certificate

Step 7 – Enable ssl for Lighttpd

Type the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:

# turn on ssl #
	$SERVER["socket"] == "0.0.0.0:443" {
	    ssl.engine   = "enable"
	    ssl.disable-client-renegotiation = "enable"
 
	    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
	    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
	    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
 
	    # ECDH/ECDHE ciphers curve strength 
	    ssl.ec-curve              = "secp384r1"
 
	    ssl.use-compression     = "disable"
 
	    # Environment flag for HTTPS enabled
	    setenv.add-environment = (
	        "HTTPS" => "on"
	    )
	    ssl.use-sslv2 = "disable"
	    ssl.use-sslv3 = "disable"
	    ssl.honor-cipher-order    = "enable"
  	    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
	    # HSTS(15768000 seconds = 6 months)
	    setenv.add-response-header  = (
	        "Strict-Transport-Security" => "max-age=15768000;"
	    )
	}

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook for lighttpd ssl.pem file as follows:
# vi /root/.acme.sh/www.cyberciti.biz/hook.sh
Append the following script:

#!/bin/bash
dom="www.cyberciti.biz"                   #your domain name 
dest="/etc/lighttpd/ssl/cyberciti.biz"    #lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             #acme.sh root path for your domain
 
### NO edit below ###
sslfile="${dest}/ssl.pem"                  #lighttpd .pem file path
certfile="${croot}/${dom}.cer"             #lighttpd certficate file path        
keyfile="${croot}/${dom}.key"              #lighttpd key file path 
 
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:
# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh
Above script will create a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem =cert+privkey). Type the following command to install certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.cyberciti.biz \
--capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd running on port 443
# netstat -tulpn | grep ':443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:
# ufw allow proto tcp from any to 74.86.26.69 port 443
Type the following url in your browser:
https://www.cyberciti.biz

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

4 comment

  1. I had a setup pretty much the same as this one and it was working fine, however, I decided to drop Lighttpd completely and go back to the old good Apache. Lighttpd looks nice but this days is more like those shiny overrated things that don’t do much and make your life harder. Apache is much more flexible starting with .htaccess files and if properly configured has about the same performance.

  2. Excellent, thank you very much Vivek !!
    Working on Debian 8 with Virtual Host and redirecting everything to https.

Comments are closed.