Secure Web Connection with Lighttpd + Let’s Encrypt = A+ score on ssllabs (HTTPS + HSTS)

Lighttpd + Let’s Encrypt + This HOWTO = A+ score on ssllabs (HTTPS + HSTS)
My A+ report: (screenshot of the ssllabs A+ rating)


The whole procedure in one list:

1. sudo apt install letsencrypt openssl
2. sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
3. Create /etc/lighttpd/conf-available/99-letsencrypt.conf
4. Enable the config and restart Lighttpd
5. sudo letsencrypt certonly --webroot -w /var/www/ -d [YOUR_DOMAIN_NAME]
6. Merge privkey.pem and cert.pem into /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem
7. Edit /etc/lighttpd/conf-available/10-ssl.conf
8. Enable the config and restart Lighttpd
9. Edit /etc/crontab

What is HTTPS



SSL and TLS


  • letsencrypt
  • openssl
  • lighttpd

sudo apt install lighttpd letsencrypt openssl


Prepare Information

Settle Files

1. Enhance DH Key Exchange parameters

Create /etc/ssl/certs/dhparam.pem with a 4096-bit Diffie-Hellman group (this takes several minutes on most machines). The file is only used by DHE cipher suites, but a weak (1024-bit) group there caps the SSL Labs grade at B, so it is worth the wait:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

2. Let's Encrypt authentication URL

Create /etc/lighttpd/conf-available/99-letsencrypt.conf so that the HTTP-01 challenge files certbot drops into the webroot are served at /.well-known/acme-challenge/ (alias.url needs mod_alias, which Debian's default lighttpd.conf already loads):

alias.url += (
    "/.well-known/acme-challenge/" => "/var/www/.well-known/acme-challenge/"
)

Enable it and restart Lighttpd:

sudo lighty-enable-mod letsencrypt
sudo service lighttpd restart

3. Obtain certs

Remember to replace [YOUR_DOMAIN_NAME] with your domain name. The webroot given with -w must be the directory the alias above points into (/var/www/), otherwise the challenge request gets a 404 and validation fails.

sudo letsencrypt certonly --webroot -w /var/www/ -d [YOUR_DOMAIN_NAME]

Follow its instructions: type in your email and accept the agreement.
If you want to apply for multiple domains, just append more -d options to the same command; all names end up in one certificate, stored under the live/ directory of the first name.

4. Prepare PEM for Lighttpd

Lighttpd's ssl.pemfile expects the private key and the certificate in one file, so concatenate them. The result contains the private key: create it under a restrictive umask or chmod it to 600 afterwards, because cat > file inherits the shell's default umask, not the 0600 mode of privkey.pem. (Lighttpd 1.4.53 and later can read the key from a separate file via ssl.privkey, which makes this step unnecessary.)

cat /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/privkey.pem \
    /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/cert.pem \
    > /etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem

5. Update Lighttpd config

Edit /etc/lighttpd/conf-available/10-ssl.conf. ssl.pemfile is the merged key+cert from step 4; ssl.ca-file supplies the intermediate chain so that clients can build a path to a trusted root. SSLv2/SSLv3 and TLS compression are switched off (POODLE and CRIME), and the server's own cipher preference is enforced. Think before copying the HSTS header verbatim: includeSubDomains and preload commit every subdomain to HTTPS for two years and, once the domain is on the browser preload list, are very hard to undo.

server.modules += ("mod_setenv")      # For HSTS

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"

    ssl.pemfile = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/combined.pem"
    ssl.ca-file = "/etc/letsencrypt/live/[YOUR_DOMAIN_NAME]/fullchain.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression     = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "SAMEORIGIN",
        "X-Content-Type-Options" => "nosniff"
    )
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}

If you have IPv6, also append the following at the bottom of /etc/lighttpd/conf-available/10-ssl.conf:

$SERVER["socket"] == "[::]:443" {   # For IPv6
    # ...Same settings as above...
}

Enable it and restart Lighttpd:

sudo lighty-enable-mod ssl
sudo service lighttpd restart

6. Setup auto-renew

Create a renewal script under /usr/local/bin/ and make it executable. It renews whatever is due, rebuilds combined.pem (a renewed key and certificate are useless to Lighttpd until this file is regenerated) and reloads the server:

#!/bin/sh
YOUR_DOMAIN_NAME="[YOUR_DOMAIN_NAME]"   # replace with your domain name

letsencrypt renew \
&& cat /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/privkey.pem /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/cert.pem > /etc/letsencrypt/live/$YOUR_DOMAIN_NAME/combined.pem \
&& service lighttpd reload

Append the cron entry to /etc/crontab. It runs every Saturday at 04:00; `letsencrypt renew` only renews certificates that are within 30 days of expiry, so a weekly run is enough:

0 4     * * 6   root    /usr/local/bin/
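The script above does the job, but it installs whatever is in live/ without checking it, leaves combined.pem with the default umask, and restarts nothing if the concatenation only half-finished. The following is an added example, not the HOWTO's own script: a renewal job for the same layout (/etc/letsencrypt/live/<name>/{privkey,cert,combined}.pem) that handles every lineage on the host, refuses a key/cert pair whose public keys differ, writes combined.pem atomically with mode 0600, and restarts lighttpd only when a file actually changed. The LIVE_DIR variable, the function names and the "run" argument are this example's own choices; the restart-instead-of-reload decision is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not the HOWTO's script): safer weekly renewal + deploy for
# lighttpd. Run as: renew-lighttpd.sh run   (cron); without "run" it only
# defines the functions so they can be tested or sourced.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # certbot's live/ directory

# key_matches_cert KEY CERT: true if the public key derived from the private
# key equals the public key inside the certificate (needs openssl).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# build_combined KEY CERT OUT: write key+cert to OUT atomically, mode 0600.
# Returns 0 if OUT was (re)written, 2 if it was already identical, 1 on error.
build_combined() {
    key=$1; cert=$2; out=$3
    staging="$out.tmp.$$"
    umask 077                                   # never a world-readable key
    cat "$key" "$cert" > "$staging" || return 1
    if [ -f "$out" ] && cmp -s "$staging" "$out"; then
        rm -f "$staging"
        return 2
    fi
    mv -f "$staging" "$out"                     # rename is atomic on one fs
    chmod 600 "$out"
    return 0
}

# pem_is_private PATH: true if the file is exactly mode 0600.
pem_is_private() {
    [ -n "$(find "$1" -prune -perm 0600 -print 2>/dev/null)" ]
}

# deploy_all: rebuild combined.pem for every lineage under LIVE_DIR.
# Returns 0 if at least one file changed (server must pick it up), else 1.
deploy_all() {
    changed=1
    for dir in "$LIVE_DIR"/*/; do
        dir=${dir%/}
        [ -f "$dir/privkey.pem" ] || continue
        if ! key_matches_cert "$dir/privkey.pem" "$dir/cert.pem"; then
            echo "skip $dir: privkey.pem does not match cert.pem" >&2
            continue
        fi
        if build_combined "$dir/privkey.pem" "$dir/cert.pem" "$dir/combined.pem"; then
            echo "updated $dir/combined.pem"
            changed=0
        fi
    done
    return $changed
}

main() {
    letsencrypt renew --quiet                   # no-op unless a cert is due
    if deploy_all; then
        # Assumption: restart rather than reload, because older lighttpd
        # versions read ssl.pemfile only at start-up. Check your version;
        # reload may be sufficient.
        service lighttpd restart
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the cron line at this script with the `run` argument. If a lineage is skipped with "does not match", certbot's live/ symlinks are inconsistent and the old combined.pem stays in place, which is the safe outcome.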

Confirm and Enjoy

Go check your site with the SSL Labs server test.
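Before waiting for the full SSL Labs report, the three things this HOWTO changes can be checked from a shell. The script below is an added example, not part of the HOWTO: it fetches the response headers with curl and probes the server with openssl s_client, and keeps the parsing in separate functions so they can be tried on captured output. The host name argument, the function names and the six-month HSTS threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): command-line spot checks for the
# HSTS header, SSLv3 refusal and the negotiated handshake of an HTTPS host.
# Usage: check-tls.sh [YOUR_DOMAIN_NAME]
set -eu

# Six months in seconds: HSTS max-age below this loses the A+ bonus on
# SSL Labs (assumption about their current threshold; check their notes).
HSTS_MIN_AGE=15768000

# hsts_max_age: read HTTP response headers on stdin and print the max-age
# of Strict-Transport-Security; prints nothing if the header is absent.
hsts_max_age() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, parts, /; */)
            for (i = 1; i <= n; i++)
                if (tolower(parts[i]) ~ /^max-age=/) {
                    split(parts[i], kv, "="); print kv[2]; exit
                }
        }'
}

# hsts_ok: true if headers on stdin carry HSTS with a long enough max-age.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# handshake_protocol: read `openssl s_client` output on stdin and print the
# negotiated protocol (e.g. TLSv1.2); prints nothing if no session was set up.
handshake_protocol() {
    awk -F': *' '/^ *Protocol *:/ { print $2; exit }'
}

# server_temp_key: print the ephemeral key the server used ("DH, 4096 bits",
# "X25519, 253 bits", ...) from `openssl s_client` output on stdin.
server_temp_key() {
    awk -F': *' '/^Server Temp Key:/ { print $2; exit }'
}

# check_site HOST: run the live checks against HOST:443.
check_site() {
    host=$1
    if curl -sSI "https://$host/" | hsts_ok; then
        echo "HSTS: ok"
    else
        echo "HSTS: missing or max-age below $HSTS_MIN_AGE" >&2
    fi
    # SSLv3 must be refused (POODLE). Builds without SSLv3 reject -ssl3 too,
    # which counts as refused here as well.
    if printf '' | openssl s_client -connect "$host:443" -servername "$host" -ssl3 >/dev/null 2>&1; then
        echo "SSLv3: ACCEPTED, fix ssl.use-sslv3" >&2
    else
        echo "SSLv3: refused"
    fi
    session=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null || true)
    proto=$(printf '%s\n' "$session" | handshake_protocol)
    echo "negotiated: ${proto:-handshake failed}"
    # A DHE suite exercises the dhparam.pem from step 1; the key size shows here.
    dhe=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" -cipher DHE 2>/dev/null || true)
    echo "DHE temp key: $(printf '%s\n' "$dhe" | server_temp_key)"
}

if [ "${1:-}" != "" ]; then
    check_site "$1"
fi
```

A "DHE temp key:" line that stays empty means no DHE suite was negotiated, so the dhparam.pem file is not what the grade is measuring; the "Protocol" and "Server Temp Key" lines are only present in the s_client output when a handshake actually completed.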

Hope this HOWTO can save a tree and a kitten.


Corner Case

Different cert for specific domain (virtual host)

If you want to use different cert files for a specific domain, just create a new .conf in /etc/lighttpd/conf-available/ and enable it with lighty-enable-mod. Lighttpd selects the per-host ssl.pemfile through SNI, so a client that does not send a server name gets the certificate from the $SERVER["socket"] block instead.

$HTTP["host"] == "[YOUR_DOMAIN_NAME]" {
    server.document-root = "[YOUR_SITE_CONTENT_FOLDER]"
    # ...Same settings as above, with this host's own ssl.pemfile and ssl.ca-file...
}

Proxy All except .well-known

If you're proxying all requests for a domain, you need this to exclude the .well-known path, otherwise the challenge request is forwarded to the backend and the renewal fails. mod_proxy has to be loaded (lighty-enable-mod proxy on Debian), and the alias must sit outside the negated $HTTP["url"] block so that the challenge files are served from /var/www/.

$HTTP["host"] == "[YOUR_DOMAIN_NAME]" {
        alias.url += (
                "/.well-known/acme-challenge/" => "/var/www/.well-known/acme-challenge/"
        )
        $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
                proxy.balance = "hash"
                proxy.server  = ( "" => (
                        ( "host" => "[BACKEND_HOST]", "port" => "8080" ),
                ) )
        }
}





