How to secure Lighttpd with Let’s Encrypt TLS/SSL certificate on Debian/Ubuntu

I read your Nginx and Let’s Encrypt free SSL certificate tutorial. However, I use the Lighttpd web server on the AWS cloud. How do I secure my Lighttpd web server with a Let’s Encrypt free SSL certificate on my Ubuntu Linux 16.04/18.04/20.04 LTS or Debian Linux 8.x/9.x/10.x server? How can I configure Lighttpd with a Let’s Encrypt free TLS/SSL certificate?

Let’s Encrypt is a free and open certificate authority for your website or any other project. You can obtain a free TLS/SSL certificate to create encrypted HTTPS sessions for your site visitors. In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for the Lighttpd web server, along with how to properly deploy Diffie-Hellman parameters on your Lighttpd server to get an SSL Labs A+ score.

Our sample Lighttpd with Let’s Encrypt setup

Fig.01: Our sample Lighttpd TLS/SSL Security with Let’s Encrypt on Debian or Ubuntu Linux

  • Default Lighttpd config file : /etc/lighttpd/lighttpd.conf
  • Ubuntu/Debian Linux default Lighttpd SSL config file : /etc/lighttpd/conf-enabled/10-ssl.conf
  • Lighttpd SSL certification directory : /etc/lighttpd/ssl/cyberciti.biz/
  • The Lighttpd DocumentRoot (root) path : /var/www/html/
  • TLS/SSL Port: 443
  • Our sample domain: www.cyberciti.biz
  • Dedicated public IP: 74.86.26.69

Let us see how to set up Lighttpd with Let’s Encrypt on Linux.

Step 1 – Install acme.sh client

Type the following apt-get command/apt command:
$ sudo apt-get install git bc wget curl
Sample outputs:

Fig.02: Install git and bc on Ubuntu/Debian Linux

Step 2 – Clone repo

Type the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install

Sample outputs:

Fig.03: Clone the acme.sh client using git

The rest of the commands need to be typed as the root user. Become the root user:
$ sudo -i

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual server.document-root path as per your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Create directory to store SSL certificate

Type the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/cyberciti.biz/

Step 5 – Set up/Create your dhparam.pem file

Type the following command to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/cyberciti.biz/
# openssl dhparam -out dhparam.pem -dsaparam 4096

Sample outputs:

Generating DSA parameters, 4096 bit long prime

Step 6 – Issue a certificate for your domain

The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048

To issue a certificate for www.cyberciti.biz, enter:
# acme.sh --issue -w /var/www/html -d www.cyberciti.biz -k 4096
Sample outputs:

Fig.04: Issue a certificate

Step 7 – Enable ssl for Lighttpd

Type the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes

Step 8 – Lighttpd SSL Configuration

Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf, enter:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:

# turn on ssl #
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine   = "enable"
    ssl.disable-client-renegotiation = "enable"

    ssl.pemfile               = "/etc/lighttpd/ssl/cyberciti.biz/ssl.pem"
    ssl.ca-file               = "/etc/lighttpd/ssl/cyberciti.biz/ca.cer"
    ssl.dh-file               = "/etc/lighttpd/ssl/cyberciti.biz/dhparam.pem"

    # ECDH/ECDHE ciphers curve strength
    ssl.ec-curve              = "secp384r1"

    ssl.use-compression       = "disable"

    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )

    ssl.use-sslv2             = "disable"
    ssl.use-sslv3             = "disable"
    ssl.honor-cipher-order    = "enable"
    ssl.cipher-list           = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

    # HSTS (15768000 seconds = 6 months)
    setenv.add-response-header  = (
        "Strict-Transport-Security" => "max-age=15768000;"
    )
}

The following config only supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1:

    # Only supports TLS 1.3; no support for SSL 2/3 or TLS 1.0/1.1/1.2
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2")
    ssl.cipher-list           = ""
    ssl.honor-cipher-order    = "disable"

The following config supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9:

    # General-purpose servers with a variety of clients
    # All SSL support disabled, including TLS 1.0 and 1.1
    # Only supports TLS 1.2 and 1.3
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
    ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order    = "disable"

Save and close the file.

Step 9 – Install the issued certificate for Lighttpd web server

First, create a hook script that builds the Lighttpd ssl.pem file, as follows:
# vi /root/.acme.sh/www.cyberciti.biz/hook.sh
Append the following script:

#!/bin/bash
set -eu
dom="www.cyberciti.biz"                   # your domain name
dest="/etc/lighttpd/ssl/cyberciti.biz"    # lighttpd ssl path root
croot="/root/.acme.sh/${dom}"             # acme.sh root path for your domain

### NO edit below ###
sslfile="${dest}/ssl.pem"                  # lighttpd .pem file path (cert + private key)
certfile="${croot}/${dom}.cer"             # certificate file issued by acme.sh
keyfile="${croot}/${dom}.key"              # private key file created by acme.sh

echo "Running lighttpd cmd..."
# ssl.pem holds the private key, so keep it readable by root only (mode 0600)
umask 077
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/chmod 0600 "${sslfile}"
/bin/systemctl restart lighttpd

Save and close the file. Set executable permissions:
# chmod +x /root/.acme.sh/www.cyberciti.biz/hook.sh
The above script creates a file named /etc/lighttpd/ssl/cyberciti.biz/ssl.pem (ssl.pem = cert + private key). Type the following command to install the certificate and restart the Lighttpd web server:
# acme.sh --installcert -d www.cyberciti.biz \
--capath /etc/lighttpd/ssl/cyberciti.biz/ca.cer \
--reloadcmd '/root/.acme.sh/www.cyberciti.biz/hook.sh'

Sample outputs:

[Sun Mar 12 19:51:30 UTC 2017] Installing CA to:/etc/lighttpd/ssl/cyberciti.biz/ca.cer
[Sun Mar 12 19:51:30 UTC 2017] Run reload cmd: /root/.acme.sh/www.cyberciti.biz/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2017] Reload success
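A hardened variant of the hook above, added here as an example and not part of the original tutorial or of acme.sh: it refuses to write ssl.pem when the issued certificate and private key do not belong together, or when the certificate is about to expire, so a failed renewal cannot leave Lighttpd with an unusable pemfile. The demo at the bottom builds a constructed, throwaway self-signed pair with openssl; the tutorial's own paths (dom, croot, dest) appear only in the commented production call.

```shell
#!/bin/bash
# Added example: safety checks before deploying ssl.pem (not the tutorial's own hook).
set -eu

# Return 0 when the certificate and private key carry the same public key.
cert_key_match() {
    local certfile="$1" keyfile="$2" c k
    c=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Assemble cert + key into ssl.pem, readable by root only (0600), via an atomic rename.
build_ssl_pem() {
    local certfile="$1" keyfile="$2" sslfile="$3"
    cert_key_match "$certfile" "$keyfile" || { echo "cert/key mismatch, not deploying" >&2; return 1; }
    cert_valid_for "$certfile" 86400     || { echo "cert expires within a day, not deploying" >&2; return 1; }
    ( umask 077; cat "$certfile" "$keyfile" > "${sslfile}.tmp" )
    mv -f "${sslfile}.tmp" "$sslfile"
}

# Production call with the tutorial's variables (dom, croot, dest as set in hook.sh):
#   build_ssl_pem "${croot}/${dom}.cer" "${croot}/${dom}.key" "${dest}/ssl.pem" && systemctl restart lighttpd

# --- Stand-alone demo on a constructed throwaway self-signed pair (not a real certificate) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" -days 2 \
    -keyout "$DEMO_DIR/good.key" -out "$DEMO_DIR/demo.cer" 2>/dev/null
openssl genrsa -out "$DEMO_DIR/other.key" 2048 2>/dev/null    # unrelated key: must be rejected
build_ssl_pem "$DEMO_DIR/demo.cer" "$DEMO_DIR/good.key"  "$DEMO_DIR/ssl.pem" && echo "deployed ssl.pem"
build_ssl_pem "$DEMO_DIR/demo.cer" "$DEMO_DIR/other.key" "$DEMO_DIR/bad.pem" || echo "refused mismatched key"
```

Run it once by hand before pointing --reloadcmd at it; when a check fails, the old ssl.pem stays in place and Lighttpd is never restarted with a broken pemfile.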

Step 10 – Test it

Verify that lighttpd is running on port 443:
# netstat -tulpn | grep ':443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd

Step 11 – Open port 443 using ufw firewall

Type the following ufw command to open port 443:
# ufw allow proto tcp from any to 74.86.26.69 port 443
Type the following URL in your browser:
https://www.cyberciti.biz

How do I renew a certificate?

# acme.sh --renew -d www.cyberciti.biz

How do I upgrade acme.sh client?

# acme.sh --upgrade

A note about cron job

A cron job will also try to renew the certificate for you. It is installed by default (no action required on your part), so you can list it with the crontab command as follows:
$ sudo crontab -l
Sample cron job:

33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Congratulations! You just installed and set up Lighttpd with Let’s Encrypt on your Linux-powered cloud VM.

Conclusion

In this tutorial, you learned how to install, configure, and set up Lighttpd with a Let’s Encrypt free TLS/SSL certificate to secure traffic on a Debian or Ubuntu Linux cloud server. See the Lighttpd project site for more info.

5 comments
  • p3g Mar 23, 2017 @ 4:23

    Thanks Vivek. I used this on my Amazon Lightsail server.

  • Gary Apr 4, 2017 @ 6:42

    Thank you for another excellent tutorial! I could never have gotten through this on my own.

  • zenbaki Jun 12, 2017 @ 8:37

    Excellent, thank you very much Vivek!!
    Working on Debian 8 with Virtual Host and redirecting everything to https.

  • TCB13 Jun 13, 2017 @ 7:22

    I had a setup pretty much the same as this one and it was working fine; however, I decided to drop Lighttpd completely and go back to the good old Apache. Lighttpd looks nice, but these days it is more like those shiny overrated things that don’t do much and make your life harder. Apache is much more flexible, starting with .htaccess files, and if properly configured has about the same performance.

  • Bryan Jul 18, 2020 @ 7:48

    Got a free TLS for my Lighttpd running on a Debian server. Thanks Vivek!
