Setting Up Let’s Encrypt with Lighttpd and Automatic Certificate Renewal

This is just a quick and dirty post to show you how to setup Let’s Encrypt with Lighttpd and configure automatic certificate renewal on Ubuntu Server 16.04 LTS (but I’m pretty sure the commands below will work for all Debian based systems).


First, let’s obtain the latest version of the Let’s Encrypt client from their github repo:

sudo git clone /opt/letsencrypt
cd /opt/letsencrypt

Now, let’s request a certificate for the first time. Change the paths & domainname in the command below as necessary. Follow the on-screen prompts:

./letsencrypt-auto certonly --webroot -w /var/www/ -d -d

This command will obtain a single certificate for and; it will place temporary ‘challenge’ files in /var/www/ to prove to Let’s Encrypt that you’re the owner of these two domains.

Lighttpd expects certs to be combined, so we need to concatonate them before we can configure it.
Remember to replace your domain in the path (note: this is in /etc/letsencrypt and not your webroot!).

cd /etc/letsencrypt/live/
cat privkey.pem cert.pem > ssl.pem

Now, let’s setup Lighttpd to work with our SSL certificate. Edit your vhost config or lighttpd.conf and add the following, changing the paths as necessary.

nano /etc/lighttpd/lighttpd.conf

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/" =  "/etc/letsencrypt/live/"
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"

Reload lighttpd to activate the certificate using the following command:

/etc/init.d/lighttpd reload

Congratulations! Your website should now have a valid SSL certificate in place :) You can check this by visiting your website over HTTPS and look for the green padlock.


This is optional but if you’d like to force encryption, add a this redirect to your vhost config or lighttpd.conf:

nano /etc/lighttpd/lighttpd.conf
$HTTP["scheme"] == "http" {
        $HTTP["host"] =~ "" {
                url.redirect = ( "^/(.*)" => "$1" )


For automatic renewal, schedule the following bash script using cron. This sets the script to run on a weekly basis.

touch /etc/cron.weekly/letsencrypt
chmod +x /etc/cron.weekly/letsencrypt
nano /etc/cron.weekly/letsencrypt

Add this to the text file you just created:


# Automatically Renew Letsencrypt Certs
# Edit webroot-path with your www folder location
/opt/letsencrypt/letsencrypt-auto renew --webroot --webroot-path /var/www/

# Rebuild the cert
# Edit folder location to your domainname
cd /etc/letsencrypt/live/
cat privkey.pem cert.pem > ssl.pem

# Reload lighttpd
/etc/init.d/lighttpd reload

That’s all folks! Your webserver should now have a valid SSL certificate in place and it’ll automatically be renewed when it’s almost due to expire!
For more information, visit this excellent documentation from Let’s Encrypt:
Comments or suggestions? Let me know in the comments!

4 thoughts on “Setting Up Let’s Encrypt with Lighttpd and Automatic Certificate Renewal

  1. Great tutorial, thank you very much !!!

    I use this in combination with a free DNS service provider (, which forwards requests to the IP address of my home server.

    For the weekly cron-job (/etc/cron.weekly/letsencrypt):
    I just restart the server (/etc/init.d/lighttpd restart) to avoid a reload error

    1. Thanks for your comment.

      Yes, a Dynamic DNS (or DDNS) provider such as or allows you to use a hostname/’domainname’ in combination with a dynamic IP.

      However, please do note that a server restart will cause (a brief moment of) downtime, whereas a reload does not.

Leave a Reply

Your email address will not be published. Required fields are marked *