I read your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use Lighttpd web server on AWS cloud. How do I secure my Lighttpd web server with Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04/18.04/20.04 LTS or Debian Linux 8.x/9.x/10.x server? How can I configure Lighttpd with Let’s Encrypt free TLS/SSL certificate?

Let’s Encrypt is a free and open certificate authority for your website or any other project. You can grab a free TLS/SSL certificate to create encrypted HTTPS sessions for your site visitors. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for the Lighttpd web server, along with how to properly deploy Diffie-Hellman parameters on your Lighttpd server to get an SSL Labs A+ score.

Our sample setup: Lighttpd with Let’s Encrypt

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Ubuntu/Debian Linux default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • The Lighttpd DocumentRoot (root) path : /var/www/html/
  • TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP:

Let us see how to set up Lighttpd with Let’s Encrypt on Linux.

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:
$ sudo apt-get install git bc wget curl
Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux to set up Lighttpd with Let’s Encrypt

Step 2 – Clone repo

Type the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

All remaining commands need to be typed as the root user. Become the root user:
$ sudo -i

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following commands (set D to the actual server.document-root path for your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Set up/Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:

Generating DSA parameters, 4096 bit long prime

Step 6 – Issue a certificate for your domain

The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:
# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096
Sample outputs:

Fig.04: Issue a certificate

Step 7 – Enable ssl for Lighttpd

Type the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:

# turn on ssl #
$SERVER["socket"] == ":443" {
    ssl.engine   = "enable"
    ssl.disable-client-renegotiation = "enable"
    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
    # ECDH/ECDHE ciphers curve strength
    ssl.ec-curve              = "secp384r1"
    ssl.use-compression       = "disable"
    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order    = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # HSTS (15768000 seconds = 6 months)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=15768000;"
    )
}

The following alternative settings go inside the same $SERVER["socket"] block. This config only supports TLS 1.3 clients, i.e. Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1 or newer:

    # Only supports TLS 1.3; no support for SSL 2/3 or TLS 1.0/1.1/1.2
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2")
    ssl.cipher-list           = ""
    ssl.honor-cipher-order    = "disable"

The following config supports TLS 1.2 and 1.3 clients, i.e. Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 or newer:

    # General-purpose servers with a variety of clients
    # All SSL support disabled, including TLS 1.0 and 1.1
    # Only supports TLS 1.2 and 1.3
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.honor-cipher-order    = "disable"

Save and close the file.
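To catch a regression in this block (for example an old protocol re-enabled or the HSTS header dropped during a later edit), here is an added example, not code from the tutorial, that parses the ":443" socket block and reports deviations from the hardening goals above. It assumes one option per line and the closing brace on its own line; the sample block is constructed here from the settings shown in this step.

```python
import re

# Constructed sample (not the page's file): the TLS 1.2/1.3-only socket block from this tutorial.
SAMPLE_CONF = '''$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
    ssl.dh-file = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"
    ssl.use-compression = "disable"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=15768000;")
}'''

LINE_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*(.+?)\s*$')   # option = value
PAIR_RE = re.compile(r'"([^"]+)"\s*=>\s*"([^"]*)"')        # "key" => "value" inside ( )

def parse_ssl_block(text):
    """Map option names to values for lines inside the ':443' socket block (assumed layout)."""
    opts, inside = {}, False
    for line in text.splitlines():
        if line.startswith('$SERVER["socket"] == ":443"'):
            inside = True
            continue
        if inside and line.strip() == '}':
            break
        m = LINE_RE.match(line)
        if not inside or line.strip().startswith('#') or not m:
            continue
        key, val = m.groups()
        # Array options such as ("Protocol" => "...") become dicts; scalars become strings.
        opts[key] = dict(PAIR_RE.findall(val)) if val.startswith('(') else val.strip('"')
    return opts

def lint(text):
    """Return the list of deviations from the hardening goals of this tutorial."""
    o, issues = parse_ssl_block(text), []
    if o.get('ssl.engine') != 'enable':
        issues.append('ssl.engine not enabled')
    for key in ('ssl.pemfile', 'ssl.dh-file'):
        if key not in o:
            issues.append(key + ' missing')
    if o.get('ssl.use-compression', 'enable') != 'disable':   # absent counts as not disabled
        issues.append('TLS compression not disabled')
    proto = o.get('ssl.openssl.ssl-conf-cmd', {}).get('Protocol', '')
    disabled = proto.replace(' ', '').split(',')
    for old in ('-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1'):
        if old not in disabled:
            issues.append(old[1:] + ' still allowed in Protocol')
    if 'Strict-Transport-Security' not in o.get('setenv.add-response-header', {}):
        issues.append('HSTS header missing')
    return issues
```

Run lint() over the real /etc/lighttpd/conf-enabled/10-ssl.conf after each change; an empty list means the block still matches this step.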

Step 9 – Install the issued certificate for Lighttpd web server

First create a hook for lighttpd ssl.pem file as follows:
# vi /root/.acme.sh/www.cyberciti.biz/hook.sh
Append the following script:

#!/bin/sh
# Called by acme.sh after a successful issue/renew: build lighttpd's ssl.pem and restart.
set -e                                    # stop on the first error so a bad file is never deployed
dom="www.cyberciti.biz"                   # your domain name
dest="/etc/lighttpd/ssl/cyberciti.biz"    # lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             # acme.sh root path for your domain
### NO edit below ###
sslfile="${dest}/ssl.pem"                 # lighttpd .pem file path
certfile="${croot}/${dom}.cer"            # certificate file path
keyfile="${croot}/${dom}.key"             # private key file path
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/chmod 0600 "${sslfile}"              # ssl.pem holds the private key; keep it root-only
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:
# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh
The above script will create a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem = cert + privkey). Type the following command to install the certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.cyberciti.biz \
--capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

[Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success

Step 10 – Test it

Verify that lighttpd is listening on port 443:
# netstat -tulpn | grep ':443'
tcp 0 0* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:
# ufw allow proto tcp from any to any port 443
Type the following url in your browser:
https://www.cyberciti.biz/

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will also try to renew the certificate for you. It is installed by default (no action required on your part), so we can list it using the crontab command as follows:
$ sudo crontab -l
Sample cron job:

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Congratulations! You just installed and set up Lighttpd with Let’s Encrypt on your cloud VM powered by the Linux operating system.


In this tutorial, you learned how to install, configure, and set up Lighttpd with Let’s Encrypt free TLS/SSL certificate to secure traffic running on a Debian or Ubuntu Linux cloud server. See Lighttpd project site here for more info.

This entry is 2 of 13 in the Secure Web Server with Let's Encrypt Tutorial series.

  • p3g Mar 23, 2017 @ 4:23

    Thanks Vivek. I used this on my Amazon Lightsail server.

  • Gary Apr 4, 2017 @ 6:42

    Thank you for another excellent tutorial! I could never have gotten through this on my own.

  • zenbaki Jun 12, 2017 @ 8:37

    Excellent, thank you very much Vivek !!
    Working on Debian 8 with Virtual Host and redirecting everything to https.

  • TCB13 Jun 13, 2017 @ 7:22

    I had a setup pretty much the same as this one and it was working fine, however, I decided to drop Lighttpd completely and go back to the old good Apache. Lighttpd looks nice but these days is more like those shiny overrated things that don’t do much and make your life harder. Apache is much more flexible starting with .htaccess files and if properly configured has about the same performance.

  • Bryan Jul 18, 2020 @ 7:48

    Got a free TLS for my Lighttpd running on Debian server. Thank Vivek!

  • walter Dec 24, 2020 @ 20:11

    How much would this procedure change if I use an SSL cert I bought from namecheap?

    • 🐧 Vivek Gite Dec 25, 2020 @ 3:49

      It would reduce by 50% as you don’t have to download and type acme.sh commands. The only thing is to follow the config option, as you will get certificates from NameCheap.
