Setup Let's Encrypt With Lighttpd on Ubuntu 16.04

Published on: Mon, Nov 13, 2017 at 4:39 pm EST

Introduction

Let’s Encrypt is a Certificate Authority (CA) that issues free SSL/TLS certificates. Lighttpd is a lightweight webserver that runs on low resources. Let’s Encrypt SSL certificates can easily be installed on a Lighttpd server using Certbot, a software client that automates most of the process of obtaining the certificates.

Prerequisites

This tutorial assumes that you have already created a Vultr Cloud Compute instance with Lighttpd installed on Ubuntu 16.04, have a domain name pointing to your server, and have logged in as root.

Step One: Install Certbot

The first step is to install Certbot. Add the Certbot repository. Press Enter when prompted for confirmation.

add-apt-repository ppa:certbot/certbot

Install Certbot.

apt-get update
apt-get install certbot

Step Two: Obtain SSL Certificate

Once Certbot is installed, you can obtain an SSL certificate. Run the following command, replacing example.com with your own domain name:

certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

Continue through the interactive installer.

Step Three: Set Up Certificate Files for Use with Lighttpd

Certbot will place the obtained certificate files in /etc/letsencrypt/live/example.com. You will need to grant the Lighttpd user access to this directory.

chown :www-data /etc/letsencrypt
chown :www-data /etc/letsencrypt/live
chmod g+x /etc/letsencrypt
chmod g+x /etc/letsencrypt/live

Lighttpd requires the certificate and private key to be in a single file. You will need to combine the two files. Run the following command, replacing example.com with your own domain name.

cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem

The privkey.pem and cert.pem files will be combined and saved as merged.pem.

Step Four: Configure Lighttpd

Once your certificate files are ready, you can go on and configure Lighttpd to use the SSL certificate. Open the Lighttpd configuration file for editing.

nano /etc/lighttpd/lighttpd.conf

Add the following block at the end of the file, replacing example.com with your own domain name:

$SERVER["socket"] == ":443" {
    ssl.engine              = "enable"
    ssl.ca-file             = "/etc/letsencrypt/live/example.com/chain.pem"
    ssl.pemfile             = "/etc/letsencrypt/live/example.com/merged.pem"
}

Step Five: Force SSL Usage

For added security, you can force your Lighttpd server to route all HTTP requests to HTTPS. Open the lighttpd.conf file for editing.

nano /etc/lighttpd/lighttpd.conf

Add the following block at the end of the file:

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

You will need to restart the Lighttpd server for the changes to take effect.

systemctl restart lighttpd

Renewing the SSL Certificate

Let's Encrypt issues SSL certificates with a validity of 90 days. You will need to renew your certificate before it expires to avoid certificate errors. You can renew the certificate with Certbot.

certbot renew

You will need to combine the certificate and private key for Lighttpd. Run the following command, replacing example.com with your domain name.

cat /etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/cert.pem > /etc/letsencrypt/live/example.com/merged.pem

Your certificate will be renewed for another 90 days.
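The manual merge above has to be repeated after every renewal, and Lighttpd only reads merged.pem when it starts, so a forgotten merge or restart leaves the server serving the old, soon-to-expire certificate. As an added example that is not part of this tutorial, the following certbot deploy hook automates the merge and the restart; it assumes it is installed as /etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh (certbot runs scripts in that directory after each successful renewal and exports RENEWED_LINEAGE), and the merge_pem function, the 0640 file mode and the temp-directory demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a certbot deploy hook that
# rebuilds Lighttpd's merged.pem after every renewal and restarts the server.
# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory
# that was just renewed) when it runs scripts in renewal-hooks/deploy/.

# merge_pem LIVE_DIR: write LIVE_DIR/merged.pem from privkey.pem + cert.pem.
merge_pem() {
    live_dir="$1"
    for f in privkey.pem cert.pem; do
        [ -r "$live_dir/$f" ] || { echo "merge_pem: missing $live_dir/$f" >&2; return 1; }
    done
    tmp="$live_dir/merged.pem.tmp"
    # Build under umask 077 so the private key is never world-readable, even
    # briefly, then relax to 0640 (root-owned, group-readable, as in Step Three).
    ( umask 077 && cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$tmp" ) || return 1
    chmod 0640 "$tmp" || return 1
    # Atomic rename: Lighttpd never observes a half-written file.
    mv -f "$tmp" "$live_dir/merged.pem"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Deploy-hook mode: invoked by "certbot renew" after a successful renewal.
    merge_pem "$RENEWED_LINEAGE" \
        && chown root:www-data "$RENEWED_LINEAGE/merged.pem" \
        && systemctl restart lighttpd
else
    # Stand-alone demo on constructed placeholder files (not real key material).
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$demo/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$demo/cert.pem"
    merge_pem "$demo" && ls -l "$demo/merged.pem"
    rm -rf "$demo"
fi
```

Run without RENEWED_LINEAGE set to see the demo merge on placeholder files; a dry run of `certbot renew --dry-run` will exercise the hook branch once the script is installed and executable.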
