How to secure Lighttpd with Let’s Encrypt TLS/SSL certificate on Debian/Ubuntu

In Debian or Ubuntu, you can secure a Lighttpd web server with a Let’s Encrypt TLS/SSL certificate using the certbot tool. Here are the steps you can follow:

1. Start by installing certbot by running the following command:

2. Next, you will need to stop the Lighttpd service by running the following command:

3. Run the certbot command to obtain a certificate for your domain

Replace example.com with your domain name.

4. The above command will create a certificate for example.com
5. You will find the cert files in /etc/letsencrypt/live/example.com directory.
6. You need to configure Lighttpd to use the cert files. Edit the lighttpd.conf file and add the following lines to the server.pemfile and server.privkey settings:

7. Add the following line to the server.modules setting to enable SSL:

8. Add the following line to the server.modules setting to enable HSTS:

9. Then add the following line to the $HTTP[“scheme”] == “https” section:

10. Finally, start the Lighttpd service by running the following command:

It’s important to keep in mind that the certbot tool is a third-party tool, and that it may not always work correctly or may be updated in a way that breaks compatibility with your system.

Also, certbot has the functionality to automatically renew the certificate before it expires, you can set up a cron job to run the renew command periodically.

It’s also important to note that the certbot tool uses the webroot plugin to verify domain control, this means that certbot will write a file to the webroot directory of your domain.

You should also check the configuration of your firewall to make sure that it allows incoming traffic to port 443, the default port for HTTPS.