In Debian or Ubuntu, you can secure a Lighttpd web server with a Let’s Encrypt TLS/SSL certificate using the certbot tool. Here are the steps you can follow:
- Start by installing certbot. On current Debian and Ubuntu releases the package is in the main repositories:
sudo apt-get install certbot
The -t stretch-backports variant of this command only applies to Debian 9 (stretch), where certbot was shipped in backports; it requires the backports repository to be enabled first.
- Leave Lighttpd running. The webroot authenticator used below relies on your web server to serve the challenge file over plain HTTP on port 80, so stopping Lighttpd makes the validation fail. (Only the --standalone authenticator, which starts its own temporary listener on port 80, needs Lighttpd stopped while it runs.)
- Run certbot to obtain a certificate for your domain:
sudo certbot certonly --webroot -w /var/www/example.com -d example.com
Replace example.com with your domain name, and make sure the -w path is the directory Lighttpd actually serves for that host (its server.document-root): certbot places the challenge file there and the Let's Encrypt validation servers fetch it from http://example.com/.well-known/acme-challenge/.
- The command writes the certificate for example.com under /etc/letsencrypt/live/example.com/. That directory holds symlinks to the current files in /etc/letsencrypt/archive/: fullchain.pem (the server certificate followed by the intermediate), privkey.pem (the private key, readable by root only), plus the separate cert.pem and chain.pem.
- Configure Lighttpd to use them. The Lighttpd directives are ssl.pemfile and ssl.privkey (not server.pemfile and server.privkey), and they belong inside the conditional for the HTTPS socket together with ssl.engine. Edit lighttpd.conf and add:
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/example.com/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/example.com/privkey.pem"
}
ssl.privkey exists in Lighttpd 1.4.53 and later; on older versions concatenate cert.pem and privkey.pem into one file and point ssl.pemfile at that file instead.
- Add mod_openssl to the server.modules list to enable TLS:
server.modules += ( "mod_openssl" )
- Add mod_setenv to server.modules as well; it is the module that sets the HSTS response header:
server.modules += ( "mod_setenv" )
- Then add the header inside a $HTTP["scheme"] == "https" conditional, so it is only sent on HTTPS responses (browsers ignore HSTS received over plain HTTP):
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
Keep includeSubDomains only if every subdomain is served over HTTPS: once a browser has seen the header it refuses plain-HTTP connections to those subdomains for the whole max-age period (one year here).
- Finally, check the configuration for syntax errors and restart Lighttpd so it reads the new certificate and key:
sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf
sudo service lighttpd restart
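Putting the steps above together, here is a complete TLS section for lighttpd.conf. It is an added example, not configuration from the original page or from the Lighttpd project. It assumes Lighttpd 1.4.56 or newer (so ssl.privkey is understood, the intermediate is read from fullchain.pem, and the ${url.authority} redirect syntax is available), the domain example.com and document root /var/www/example.com used above, and it adds an HTTP-to-HTTPS redirect that leaves the ACME challenge path alone so renewals keep working.

```conf
# Added example (not from the original page or the Lighttpd project).
# Assumes Lighttpd >= 1.4.56, domain example.com, docroot /var/www/example.com.

server.modules += (
    "mod_openssl",   # TLS support (a separate module since 1.4.46)
    "mod_setenv",    # sets the HSTS response header
    "mod_redirect"   # HTTP -> HTTPS redirect
)

server.document-root = "/var/www/example.com"

# Serve TLS on port 443 with the Let's Encrypt certificate and key.
# fullchain.pem carries the leaf certificate followed by the intermediate,
# privkey.pem is readable by root only; Lighttpd reads both at startup.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/example.com/fullchain.pem"
    ssl.privkey = "/etc/letsencrypt/live/example.com/privkey.pem"
}

# On plain HTTP, keep the ACME challenge path reachable (certbot's webroot
# authenticator writes the challenge file there and Let's Encrypt fetches it
# over port 80) and redirect everything else to HTTPS, preserving path and
# query string.
$HTTP["scheme"] == "http" {
    $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
        url.redirect = ( "" => "https://${url.authority}${url.path}${qsa}" )
    }
}

# HSTS only on HTTPS responses; browsers ignore it over plain HTTP.
# Drop includeSubDomains unless every subdomain is served over HTTPS.
$HTTP["scheme"] == "https" {
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=31536000; includeSubDomains"
    )
}
```

Run lighttpd -tt -f /etc/lighttpd/lighttpd.conf before restarting, then check the result from another host: openssl s_client -connect example.com:443 -servername example.com </dev/null should show the Let's Encrypt chain and "Verify return code: 0", curl -I http://example.com/ should answer with a redirect to https://, and curl -I http://example.com/.well-known/acme-challenge/test should reach Lighttpd directly (a 404 there is expected; a redirect is not). On Lighttpd older than 1.4.53 there is no ssl.privkey, so concatenate cert.pem and privkey.pem into one file for ssl.pemfile, and on versions older than 1.4.56 also set ssl.ca-file to chain.pem so that the intermediate is sent to clients.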
It’s important to keep in mind that certbot (the EFF's ACME client) is a third-party tool as far as Lighttpd and your distribution are concerned: it is developed independently, so an update to it, or a change on the Let's Encrypt side, can alter its behaviour. Stick to the distribution package and re-test after upgrades with sudo certbot renew --dry-run, which exercises the whole renewal against the Let's Encrypt staging environment without issuing a real certificate.
Also, certbot can renew the certificate automatically before it expires: Let's Encrypt certificates are valid for 90 days and certbot renew replaces them once fewer than 30 days remain. The Debian and Ubuntu packages already install a systemd timer (certbot.timer) and, as a fallback for systems without systemd, a cron entry in /etc/cron.d/certbot that run certbot renew twice a day, so a separate cron job is usually unnecessary; confirm with systemctl list-timers certbot.timer. What the renewal does not do by itself is make Lighttpd use the new files: Lighttpd reads the certificate and key at startup, so you need a deploy hook that restarts it after a successful renewal.
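One way to write that deploy hook, as an added example that is not part of the original page or of certbot. Save it as /etc/letsencrypt/renewal-hooks/deploy/restart-lighttpd and make it executable; certbot runs every executable in that directory after a successful renewal, with RENEWED_LINEAGE set to the lineage directory (for example /etc/letsencrypt/live/example.com). Run by hand without that variable, the script does nothing. The configuration path, the use of systemctl, GNU stat, and the choice to restart rather than reload are assumptions about the host, explained in the comments.

```shell
#!/bin/sh
# Added example (not from the original page or certbot): certbot deploy hook
# that restarts Lighttpd only when the renewed lineage is usable and the
# configuration still passes "lighttpd -tt".
set -eu

# Assumption: Debian's default config path. Override via the environment.
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/etc/lighttpd/lighttpd.conf}"

# Return 0 if the lineage directory holds a non-empty, readable chain and key,
# and the key is not group/world readable (certbot creates it mode 0600).
lineage_ok() {
    dir="$1"
    for f in fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] && [ -r "$dir/$f" ] || return 1
    done
    # live/ entries are symlinks into archive/, so follow them (-L).
    # Assumption: GNU coreutils stat (Debian/Ubuntu).
    mode=$(stat -L -c '%a' "$dir/privkey.pem")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Validate the Lighttpd configuration so a broken config edited since the
# last restart does not take the site down in the middle of a renewal.
config_ok() {
    lighttpd -tt -f "$1" >/dev/null 2>&1
}

deploy() {
    lineage="$1"
    if ! lineage_ok "$lineage"; then
        echo "deploy hook: $lineage lacks a usable fullchain.pem/privkey.pem" >&2
        return 1
    fi
    if ! config_ok "$LIGHTTPD_CONF"; then
        echo "deploy hook: $LIGHTTPD_CONF fails 'lighttpd -tt', not restarting" >&2
        return 1
    fi
    # Restart rather than reload: Lighttpd drops to www-data after startup and
    # the Let's Encrypt key is readable by root only, so a fresh start as root
    # is the operation that reliably picks up the new files on every version.
    systemctl restart lighttpd
}

# certbot sets RENEWED_LINEAGE (and RENEWED_DOMAINS); run manually without it,
# do nothing so the hook is safe to execute for a syntax check.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it with sudo install -m 0755 restart-lighttpd /etc/letsencrypt/renewal-hooks/deploy/ and exercise it with sudo certbot renew --dry-run; certbot prints which hooks it ran. If the key check fails on your system, look at the permissions under /etc/letsencrypt/archive/ rather than relaxing the check: the private key should never be readable by anyone but root.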
It’s also important to note that with the webroot plugin certbot proves control of the domain by writing a file into .well-known/acme-challenge/ under the directory you passed with -w, which the Let's Encrypt validation servers then fetch over plain HTTP. Lighttpd must therefore serve that path on port 80 without redirecting or blocking it, at issuance and at every renewal; if you add an HTTP-to-HTTPS redirect, exclude /.well-known/acme-challenge/ from it.
You should also check the configuration of your firewall to make sure that it allows incoming traffic to port 443, the default port for HTTPS, and to port 80, which the HTTP-01 challenge needs both for the initial issuance and for every renewal.