How To Lighttpd Create Self Signed SSL Certificates

If you are testing a web-based application or just want a secure login page for your application, you can create a self-signed SSL certificate. I have already explained the procedure for installing a real third-party signed SSL certificate.

Procedure is as follows:

Step # 1: Create self signed SSL Certificates

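Create a directory to store the SSL certificate:

# mkdir /etc/lighttpd/ssl/ -p
# cd /etc/lighttpd/ssl/
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0700 /etc/lighttpd/ssl/
# chmod 0600 /etc/lighttpd/ssl/server.pem

You need to provide information such as country name, your domain name, etc. The key in server.pem is stored unencrypted (-nodes), so the file is restricted to its owner; the directory keeps the execute bit so that it can still be traversed.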

Step # 2: Configure Lighttpd

Open the lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Add config directives as follows:
$SERVER["socket"] == "" {
server.document-root = "/home/lighttpd/"
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/"
}

Make sure you replace ip with your actual IP address. ssl.pemfile must be the full path to the PEM file created in step 1, not the directory that holds it.

Step # 3: Restart Lighttpd

Test config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now restart lighttpd:
# /etc/init.d/lighttpd restart

Make sure port 443 is open:
# netstat -tulpn | grep :443

Configure firewall/iptables and open port 443. The following are sample iptables rules. You need to append them to your iptables shell script:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
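
The ssl.pemfile mistakes this setup is prone to (the directive naming the directory instead of the PEM file, or the unencrypted key being readable by other users) can be checked before the restart in step 3. The script below is an added example, not part of the original tutorial; check_pemfile and check_conf are hypothetical helper names.

```sh
#!/bin/sh
# Added example: pre-flight check of every ssl.pemfile named in a lighttpd config.
# check_pemfile and check_conf are illustrative helper names, not lighttpd tools.

# Check one path; print the problem and return non-zero if lighttpd cannot use it.
check_pemfile() {
    pem=$1
    if [ -d "$pem" ]; then
        echo "$pem: is a directory; ssl.pemfile must name the PEM file itself"
        return 1
    fi
    if [ ! -f "$pem" ]; then
        echo "$pem: no such file"
        return 1
    fi
    # Step 1 writes key and certificate into one file, so both blocks must exist.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem: no private key block"
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "$pem: no certificate block"
        return 1
    fi
    # The key is stored unencrypted (-nodes): group and others get no access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$pem" | cut -c5-10)" != "------" ]; then
        echo "$pem: accessible to group or others; chmod 0600 it"
        return 1
    fi
    return 0
}

# Extract every uncommented ssl.pemfile value and check it (no spaces in paths).
check_conf() {
    status=0
    paths=$(sed -n 's/^[[:space:]]*ssl\.pemfile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    if [ -z "$paths" ]; then
        echo "$1: no ssl.pemfile directive found"
        return 1
    fi
    for p in $paths; do
        check_pemfile "$p" || status=1
    done
    return $status
}

# Usage: sh check.sh /etc/lighttpd/lighttpd.conf
if [ $# -gt 0 ]; then check_conf "$1"; fi
```

The script only checks the shape and permissions of the file; it does not verify that the key and certificate belong together.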

Redirect plain text login page to secure login page

Let us assume you would like to redirect all incoming wordpress requests request to
Add the following code snippet to your lighttpd.conf file’s port 80 section:
$HTTP["url"] =~ "^/blog/wp-login.php*" {
url.redirect = ( "^/(.*)" => "$1" )
}

You may need to modify your login page to submit form over SSL.

9 comments… add one
  • Matt Dec 24, 2006 @ 9:00


    ssl.pemfile = “/etc/lighttpd/ssl/”

    Otherwise lighttpd will try to open the directory as the key file and will fail with
    SSL: Private key does not match the certificate public key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line

  • 🐧 nixCraft Dec 24, 2006 @ 10:28


    Thanks for heads up!

    To avoid confusion, example has been modified.

  • radeone Apr 22, 2007 @ 10:45

    the certificate pops up as if it owned by . how do you fix that

  • DanielS Sep 5, 2008 @ 7:42

    What a wonderful post! It’s been a little tough finding a good, simple, but effective site to help me get https connections working on my lighttpd setup!

    Many Thanks! This post helped A LOT!

  • sameera Sep 5, 2008 @ 11:34

    Please help

    I’m still getting the following error in FF,

    The connection was interrupted….

    and I couldn’t do the following line,

    chown lighttpd:lighttpd /etc/lighttpd/ssl -R

    it says “invalid user”

    I’m trying to implement ssl over my ruby app.

    please help and thank you for the great post

    — sameera

  • Paul Nov 30, 2008 @ 11:36


    Thanks for the tutorial!

    I discovered that the key generation command asked for information but gave fairly misleading guidance which led to some confusion.

    The important one was this prompt:
    -> Common Name (eg, YOUR name) []:

    This actually needs to be the exact hostname, i.e. “” of the server you’re generating the key for. You’d be forgiven for thinking otherwise!

    Info from

    I wonder if you could update the HOWTO to clarify this point?



  • zman May 2, 2010 @ 15:09

    Thanks for the tutorial, but lighttpd with openssl produces an error:
    (network.c.601) SSL: failed to initialize TLS servername callback, openssl library does not support TLS servername extension

    freebsd 7.3

  • PJ May 17, 2012 @ 13:17

    Really helpful guides for lighttpd. I got up and running in no time. Thanks a lot!

  • JAY Jan 4, 2014 @ 20:49

    Worked great for me first time. Not one issue. Great instructions.
