Let’s Encrypt is a Certificate Authority (CA) that issues free SSL/TLS certificates. Lighttpd is a lightweight webserver that runs on low resources. Let’s Encrypt SSL certificates can easily be installed on a Lighttpd server using Certbot, a software client that automates most of the process of obtaining the certificates.
This tutorial assumes that you have already created a Vultr Cloud Compute instance with Lighttpd installed on Ubuntu 16.04, have a domain name pointing to your server, and have logged in as root.
The first step is to install Certbot. Add the Certbot repository. Press Enter when prompted for confirmation.
add-apt-repository ppa:certbot/certbot
Install Certbot.
apt-get update
apt-get install certbot
Once Certbot is installed, you can obtain an SSL certificate. Run the following command, replacing example.com with your own domain name:
certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Continue through the interactive installer.
Certbot will place the obtained certificate files in /etc/letsencrypt/live/example.com. You will need to grant the Lighttpd user access to this directory.
chown :www-data /etc/letsencrypt
chown :www-data /etc/letsencrypt/live
chmod g+x /etc/letsencrypt
chmod g+x /etc/letsencrypt/live
Lighttpd requires the certificate and private key to be in a single file. You will need to combine the two files. Run the following command, replacing example.com with your own domain name.
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem
The privkey.pem and cert.pem files will be combined and saved as merged.pem.
Once your certificate files are ready, you can go on and configure Lighttpd to use the SSL certificate. Open the Lighttpd configuration file for editing.
nano /etc/lighttpd/lighttpd.conf
Add the following block at the end of the file, replacing example.com with your own domain name:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.ca-file = "/etc/letsencrypt/live/example.com/chain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/example.com/merged.pem"
}
For added security, you can force your Lighttpd server to redirect all HTTP requests to HTTPS. Open the lighttpd.conf file for editing.
nano /etc/lighttpd/lighttpd.conf
Add the following block at the end of the file:
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
You will need to restart the Lighttpd server for the changes to take effect.
systemctl restart lighttpd
Let's Encrypt issues SSL certificates with a validity of 90 days. You will need to renew your certificate before it expires to avoid certificate errors. You can renew the certificate with Certbot.
certbot renew
You will need to combine the certificate and private key for Lighttpd. Run the following command, replacing example.com with your domain name.
cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem
Your certificate will be renewed for another 90 days.
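The renewal and merge steps above have to be repeated together every time the certificate is renewed, so they are a natural fit for a Certbot deploy hook. The script below is an added example, not part of the original tutorial or of Certbot. The function name merge_pem is hypothetical, and the script assumes Lighttpd is started as root and reads the PEM file before dropping privileges, so the combined file can stay readable by root only.

```shell
#!/bin/sh
# Added example: rebuild Lighttpd's combined PEM after a renewal.
# merge_pem is a hypothetical helper, not a Certbot or Lighttpd command.

# merge_pem LINEAGE_DIR
# Writes LINEAGE_DIR/merged.pem (private key followed by certificate).
# The file is built under a temporary name with mode 0600 and then renamed,
# so the private key is never world-readable and Lighttpd never sees a
# half-written file.
merge_pem() {
    lineage=$1
    key="$lineage/privkey.pem"
    cert="$lineage/cert.pem"
    out="$lineage/merged.pem"

    # Refuse to continue if either input is missing or empty.
    for f in "$key" "$cert"; do
        [ -s "$f" ] || { echo "merge_pem: missing or empty $f" >&2; return 1; }
    done

    # mktemp creates the file with mode 0600; keeping it in the same
    # directory makes the final mv an atomic rename.
    tmp=$(mktemp "$lineage/merged.pem.XXXXXX") || return 1

    if cat "$key" "$cert" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Certbot sets RENEWED_LINEAGE (for example /etc/letsencrypt/live/example.com)
# when it runs a deploy hook. Outside of Certbot this guard does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    merge_pem "$RENEWED_LINEAGE" && systemctl restart lighttpd
fi
```

Save the script to a path of your choice, make it executable, and pass that path to certbot renew with the --deploy-hook option; Certbot then runs it only when a certificate was actually renewed.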