Secure Web Connection with Lighttpd + Let’s Encrypt = A+ score on ssllabs (HTTPS + HSTS)

Lighttpd + Let’s Encrypt + This HOWTO = A+ score on ssllabs (HTTPS + HSTS)
My A+ report: [image: ssllabs A+ rating]


  1. sudo apt install letsencrypt openssl
  2. sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  3. Create /etc/lighttpd/conf-available/99-letsencrypt.conf
  4. Enable config and restart Lighttpd
  5. sudo letsencrypt certonly --webroot -w /var/www/ -d [YOUR_DOMAIN_NAME]
  6. Merge /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem
  7. Edit /etc/lighttpd/conf-available/10-ssl.conf
  8. Enable config and restart Lighttpd
  9. Edit /etc/crontab

What is HTTPS



SSL and TLS


  • letsencrypt
  • openssl
  • lighttpd

sudo apt install lighttpd letsencrypt openssl


Prepare Information

Settle Files

1. Enhance DH Key Exchange parameters

Generate /etc/ssl/certs/dhparam.pem:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

2. Let's Encrypt authentication URL

Create /etc/lighttpd/conf-available/99-letsencrypt.conf:

alias.url += (
    "/.well-known/acme-challenge/" => "/var/www/.well-known/acme-challenge/"
)

Enable it:

sudo lighty-enable-mod letsencrypt
sudo service lighttpd restart
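Before requesting the certificate, it helps to confirm that Lighttpd can actually serve files from the path the alias above points at; a common failure is a webroot or .well-known directory that the unprivileged www-data user cannot read or search. The script below is an added example, not part of the original HOWTO: it creates the challenge directory under a webroot (the HOWTO's /var/www by default; any path can be passed), drops a probe file in it and walks the path checking the "other" permission bits with stat. The function names and the probe file are my own choices.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): before running letsencrypt,
# confirm that WEBROOT/.well-known/acme-challenge exists and that every
# component is readable and searchable by "other", so Lighttpd, which runs
# as an unprivileged user on Debian, can serve the challenge token.

# mode_string PATH: symbolic mode such as drwxr-xr-x (GNU stat, BSD fallback).
mode_string() {
    stat -c %A "$1" 2>/dev/null || stat -f %Sp "$1"
}

# world_rx PATH: return 0 when "other" may read and search/execute PATH.
world_rx() {
    case $(mode_string "$1") in
        *r?x) return 0 ;;
        *)    return 1 ;;
    esac
}

# world_r PATH: return 0 when "other" may read PATH (used for the token file).
world_r() {
    case $(mode_string "$1") in
        *r??) return 0 ;;
        *)    return 1 ;;
    esac
}

# acme_challenge_ready WEBROOT: create WEBROOT/.well-known/acme-challenge,
# write a probe file into it and verify that the webroot, both directories
# and the file are world-readable. Prints "ready" and returns 0, or prints
# the first blocking path ("blocked: PATH (MODE)") and returns 1.
acme_challenge_ready() {
    root=$1
    dir="$root/.well-known/acme-challenge"
    ( umask 022 && mkdir -p "$dir" ) || return 1
    probe="$dir/probe-$$"                    # hypothetical probe token name
    ( umask 022 && echo probe > "$probe" ) || return 1
    for p in "$root" "$root/.well-known" "$dir"; do
        if ! world_rx "$p"; then
            echo "blocked: $p ($(mode_string "$p"))"
            rm -f "$probe"
            return 1
        fi
    done
    if ! world_r "$probe"; then
        echo "blocked: $probe ($(mode_string "$probe"))"
        rm -f "$probe"
        return 1
    fi
    rm -f "$probe"
    echo ready
}

# Usage: sh acme_check.sh /var/www
if [ "$#" -ge 1 ]; then
    acme_challenge_ready "$1"
fi
```

The check only covers the webroot and below; directories above it (such as /var) must be searchable as well, which they are on a default Debian install. Run it as root so the directory can be created where the alias expects it, then fetch http://[YOUR_DOMAIN_NAME]/.well-known/acme-challenge/ from outside to confirm the alias is in effect.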

3. Obtain certs

Remember to replace [YOUR_DOMAIN_NAME] with your domain name:

sudo letsencrypt certonly --webroot -w /var/www/ -d [YOUR_DOMAIN_NAME]

Follow its instructions: type in your email and accept the agreement.
If you want to apply for multiple domains, just append more -d options to the command above.

4. Prepare PEM for Lighttpd

cat /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/privkey.pem \
/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/cert.pem \
> /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem
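Since combined.pem contains the private key, it should be created with restrictive permissions and only from files that really are the key and the certificate. The script below is an added example, not from the original HOWTO: build_combined refuses to concatenate files whose PEM headers are wrong and writes the result with mode 0600, and key_matches_cert compares the public keys with openssl so that a key/cert mix-up is caught before Lighttpd is restarted. The function names are mine; the placeholder paths follow the HOWTO.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): build Lighttpd's combined.pem
# from a Let's Encrypt private key and certificate, refusing to proceed when
# either file is not what it claims to be, and keeping the result mode 0600
# because it contains the private key.

# has_pem_block FILE LABEL: return 0 when FILE holds a "-----BEGIN LABEL-----"
# ... "-----END LABEL-----" block.
has_pem_block() {
    grep -qF -- "-----BEGIN $2-----" "$1" && grep -qF -- "-----END $2-----" "$1"
}

# build_combined KEY CERT OUT: write KEY followed by CERT to OUT (mode 0600).
# Returns 1 when KEY is not a private key, 2 when CERT is not a certificate.
build_combined() {
    key=$1; cert=$2; out=$3
    # privkey.pem is "PRIVATE KEY" (PKCS#8) or "RSA PRIVATE KEY" (PKCS#1).
    has_pem_block "$key" "PRIVATE KEY" || has_pem_block "$key" "RSA PRIVATE KEY" || return 1
    has_pem_block "$cert" "CERTIFICATE" || return 2
    # umask 077 in a subshell: the new file is created 0600 without touching
    # the caller's umask.
    ( umask 077 && cat "$key" "$cert" > "$out" )
}

# pem_order FILE: print "ok" when the private key block precedes the
# certificate block (the order Lighttpd's ssl.pemfile expects), else "bad".
pem_order() {
    key_line=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$1" | head -1 | cut -d: -f1)
    cert_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -1 | cut -d: -f1)
    if [ -n "$key_line" ] && [ -n "$cert_line" ] && [ "$key_line" -lt "$cert_line" ]; then
        echo ok
    else
        echo bad
    fi
}

# key_matches_cert KEY CERT: return 0 when the public key derived from KEY
# equals the public key inside CERT (needs openssl and real key material).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh build_combined.sh /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/privkey.pem \
#            /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/cert.pem \
#            /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; exit 1; }
    build_combined "$1" "$2" "$3" && echo "wrote $3 (order: $(pem_order "$3"))"
fi
```

The structural checks run without openssl, so they also work on a machine that only has the files; the key/certificate comparison is the one that needs real key material.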

5. Update Lighttpd config


server.modules += ("mod_setenv")      # For HSTS

$SERVER["socket"] == ":443" {         # IPv4 HTTPS listener (port taken from the IPv6 block below)
    ssl.engine  = "enable"

    ssl.pemfile = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem"   # private key + leaf cert
    ssl.ca-file = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/fullchain.pem"  # sends the intermediate chain
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression     = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "SAMEORIGIN",
        "X-Content-Type-Options" => "nosniff"
    )
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}

If you have IPv6, also append the following config at the bottom of /etc/lighttpd/conf-available/10-ssl.conf

$SERVER["socket"] == "[::]:443" {   # For IPv6
    # ...Same setting as above...
}

Enable it:

sudo lighty-enable-mod ssl
sudo service lighttpd restart
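After the restart, check what the server actually sends rather than trusting the config file. The following is an added example, not from the original HOWTO: it parses HTTP response headers, such as the output of curl -sI https://[YOUR_DOMAIN_NAME]/, and verifies the HSTS max-age (the preload list requires at least one year, 31536000 seconds), the includeSubDomains and preload directives, and the X-Frame-Options and X-Content-Type-Options values set above. The header samples embedded in the script are constructed, not captured from a real host, so it runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): check response headers against
# the HSTS/security-header settings in 10-ssl.conf.

# header_value HEADERS NAME: print the value of header NAME (case-insensitive
# match), with the CR that HTTP responses carry at line end removed.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -F': *' \
            'tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# hsts_max_age VALUE: print the max-age number from an HSTS value, or 0.
hsts_max_age() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n' |
        sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -1 | grep . || echo 0
}

# hsts_directive VALUE DIRECTIVE: return 0 when DIRECTIVE (lowercase) is present.
hsts_directive() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n' | grep -qx "$2"
}

# check_headers HEADERS: print one line per check; the return value is the
# number of failed checks, so 0 means every header is as configured.
check_headers() {
    headers=$1; failures=0
    hsts=$(header_value "$headers" Strict-Transport-Security)
    age=$(hsts_max_age "$hsts")
    # 31536000 s (one year) is the minimum the HSTS preload list accepts;
    # the HOWTO's 63072000 is two years.
    if [ "$age" -ge 31536000 ]; then
        echo "ok   HSTS max-age=$age"
    else
        echo "FAIL HSTS max-age=$age (need >= 31536000)"; failures=$((failures + 1))
    fi
    for d in includesubdomains preload; do
        if hsts_directive "$hsts" "$d"; then
            echo "ok   HSTS $d"
        else
            echo "FAIL HSTS missing $d"; failures=$((failures + 1))
        fi
    done
    xfo=$(header_value "$headers" X-Frame-Options | tr 'a-z' 'A-Z')
    case $xfo in
        DENY|SAMEORIGIN) echo "ok   X-Frame-Options=$xfo" ;;
        *) echo "FAIL X-Frame-Options='$xfo'"; failures=$((failures + 1)) ;;
    esac
    xcto=$(header_value "$headers" X-Content-Type-Options | tr 'A-Z' 'a-z')
    if [ "$xcto" = nosniff ]; then
        echo "ok   X-Content-Type-Options=nosniff"
    else
        echo "FAIL X-Content-Type-Options='$xcto'"; failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample of what curl -sI returns from a server using the
# 10-ssl.conf settings above (not captured from a real host).
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html'

# Constructed sample from a server with a short max-age and no preload
# directive: such a site would be rejected by the preload list.
WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

# Usage: sh check_headers.sh https://[YOUR_DOMAIN_NAME]/   (no argument: sample)
if [ -n "$1" ]; then
    check_headers "$(curl -sI "$1")"
else
    check_headers "$GOOD_HEADERS"
fi
```

Run it against the HTTPS URL only: HSTS is meaningful on the TLS response, and the plain-HTTP response does not have to carry it.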

6. Set up auto-renew



#!/bin/sh
# Renew every certificate, rebuild the combined PEM Lighttpd reads, then reload.
YOUR_DOMAIN_NAME="[YOUR_DOMAIN_NAME]"   # replace with your domain name
letsencrypt renew \
&& cat /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/privkey.pem /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/cert.pem > /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/combined.pem \
&& service lighttpd reload

Append cron setting in /etc/crontab

0 4     * * 6   root    /usr/local/bin/

Confirm and Enjoy

Go check your site.

Hope this HOWTO can save a tree and a kitten.


Corner Case

Different cert for specific domain (virtual host)

If you want to use different cert files for a specific domain, just create a new .conf in /etc/lighttpd/conf-available/ and enable it with lighty-enable-mod.

$HTTP["host"] == "[YOUR_DOMAIN_NAME]" {
    server.document-root = "[YOUR_SITE_CONTENT_FOLDER]"
    # ...Same setting as above...
}

Proxy All except .well-known

If you're proxying all requests for a domain, you need this to exclude the .well-known path, so that Let's Encrypt validation still reaches the local webroot.

$HTTP["host"] == "[YOUR_DOMAIN_NAME]" {
        alias.url += (
                "/.well-known/acme-challenge/" => "/var/www/.well-known/acme-challenge/"
        )
        # Everything outside the ACME challenge path goes to the backend
        # (mod_proxy must be enabled: sudo lighty-enable-mod proxy).
        $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
                proxy.balance = "hash"
                proxy.server  = ( "" => (
                        ( "host" => "[BACKEND_HOST]", "port" => "8080" ),   # backend address placeholder
                ) )
        }
}


