Lighttpd usable chained file

As to read in the lighttpd docs lighttpd needs a file that contains the privkey.pem and the fullchain.pem (or chain.pem) as “pemfile”. So it would be nice if something like that would be in /etc/letsencrypt/live/…


I have figured out how to get lets encrypt to work with lighttpd. Here’s my redacted cron job that I run once a month:

#! /usr/bin/env bash

cd <letsencrypt folder>

# Stop lighttpd as it is listening on 443 local host and that trips up letsencrypt
/etc/init.d/lighttpd stop

# Stop any other services running on port 80 or 443, even localhost

# Temporarily open port 80 (only necessary if you have iptables blocking port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Delete letsencrypt config (to prevent the tool from prompting about replacement):
rm -f /etc/letsencrypt/renewal/*.conf >/dev/null 2>&1

# Generate certs
./letsencrypt-auto certonly --standalone --email [your email] --agree-tos -d [domain one] #-d

# Close port 80 (Again you may not want or need this)
iptables -D INPUT -p tcp --dport 80 -j ACCEPT

# The following steps assume one domain, you would need to repeat it for each domain if multiple
cd /etc/letsencrypt/live/[your first domain]/

# Next steps required because lighttpd requires combined private key and cert
mv cert.pem cert_only.pem
ls | while read line; do mv "$line" "[domain name]_$line"; done    

echo -e "$(cat [domain name]_privkey.pem)\n$(cat [domain name]_cert_only.pem)" > [domain name]_cert.pem

# Move certs to lighttpd directory
cp * /etc/lighttpd/

# Restart lighttpd
/etc/init.d/lighttpd start

# Restart other services that you killed

Here’s the relevant parts of my lighttpd.conf file:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/[domain name]_cert.pem" = "/etc/lighttpd/[domain name]_chain.pem" = "[server name]"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS"
    ssl.honor-cipher-order = "enable"

Thank you for this quiet comprehensive lighttpd solution. I planned to post something similar in the next days.

My feature request is actually more or less superfluous since with lighttpd one has to script anyway (at least to stop and start lighttpd).

For the sake of completeness (basically same same different for a CentOS system) my version with all the tricks I know:



systemctl stop lighttpd.service

# details in $le_dir/cli.ini
/root/git/letsencrypt/letsencrypt-auto certonly

cat $le_dir/privkey.pem $le_dir/cert.pem > $lighttpd_dir/$dom.pem
cat $le_dir/fullchain.pem > $lighttpd_dir/$

systemctl start lighttpd.service

In my lighttd.conf:

$SERVER["socket"] == ":443" {
   ssl.engine                  = "enable"
   ssl.pemfile                 = "/etc/lighttpd/ssl/my.domain.pem"                 = "/etc/lighttpd/ssl/"
   ssl.use-compression         = "disable"
   ssl.honor-cipher-order      = "enable"
   ssl.use-sslv2               = "disable"
   ssl.use-sslv3               = "disable"
   ssl.dh-file                 = "/etc/lighttpd/ssl/dhparam.pem" # generated by `openssl dhparam -out dhparam.pem 4096`                = "secp384r1"


rsa-key-size = 4096
server =
email = nospam@my.domain
text = True
authenticator = standalone
agree-tos = True
renew-by-default = True
domains = my.domain,,,
1 Like

Hi all,

I tried to come up with some more checks, to verifying that the created pem file is actually valid.
Currently missing is a loop to better handle the return codes and potentially roll-back the keys.

# renew certificates
/root/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini

#create lighttpd pem file
cat /etc/letsencrypt/live/<domain>/privkey.pem /etc/letsencrypt/live/<domain>/cert.pem > /etc/letsencrypt/live/<domain>/ssl.pem

#validate, that new pem contains valid priv key
openssl rsa  -in /etc/letsencrypt/live/<domain>/ssl.pem -check   -noout
rc=$?; if [[ $rc != 0 ]]; then exit $rc; fi

#validate that new pem contains valid certificates
openssl x509 -in /etc/letsencrypt/live/<domain>/ssl.pem -subject -noout
rc=$?; if [[ $rc != 0 ]]; then exit $rc; fi

#restart service (debian)
service lighttpd reload
1 Like

Dear All,

I juste try to use your scripts, but got the following errors for my domains : Failed authorization procedure. (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found

I have to precise that is a CNAME alias to

Maybe somebody could help me ?

Many thanks in advance,
Best regards,