bg-tutorials

How to Install an SSL certificate on lighttpd

In this tutorial, you will learn how to install an SSL certificate on Lighttpd. The guide covers the current configuration (separate certificate and private key with the mod_openssl module), the legacy combined-PEM method for older builds, and a quick configuration test before you restart.

We also recorded a video that walks you through the entire process. If you prefer the text version, keep reading below.

Generate a CSR code on Lighttpd

We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a block of encoded text you send to a Certificate Authority to apply for an SSL certificate. You have two options:

Open the CSR file with any text editor and copy its contents, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, into the corresponding box during the SSL order process. Submit the CSR to the Certificate Authority and wait for validation. After the CA issues your SSL certificate, continue with the installation below.

Install an SSL certificate on Lighttpd

Step 1: Prepare your certificate files

After validation, the Certificate Authority emails you the certificate files. Download the archive and extract it. You should have:

  • yourdomain.crt, your primary SSL certificate.
  • yourdomain.ca-bundle, the intermediate certificates (the CA bundle).
  • yourdomain.key, the private key you generated with the CSR.

Lighttpd recommends that the file referenced by ssl.pemfile contain the full certificate chain: your certificate first, followed by the intermediate certificates. Create that combined chain file, then move both it and the private key into a directory Lighttpd can read (for example /etc/lighttpd/ssl/):

cat yourdomain.crt yourdomain.ca-bundle > yourdomain.fullchain.pem
sudo mkdir -p /etc/lighttpd/ssl
sudo cp yourdomain.fullchain.pem yourdomain.key /etc/lighttpd/ssl/

Restrict the private key so only root can read it:

sudo chmod 600 /etc/lighttpd/ssl/yourdomain.key

Step 2: Enable mod_openssl

Since version 1.4.56, TLS support in Lighttpd lives in a loadable module called mod_openssl (other backends such as mod_mbedtls, mod_wolfssl, mod_gnutls, and mod_nss also exist). Load it in your main configuration file before the SSL socket block:

server.modules += ( "mod_openssl" )

Note: on Lighttpd 1.4.55 and earlier, TLS was compiled in rather than loaded as a module, so you can skip this line on those builds. Check your version with lighttpd -v.

Step 3: Edit lighttpd.conf

Open the main configuration file (the path is usually /etc/lighttpd/lighttpd.conf) with your preferred editor:

sudo nano /etc/lighttpd/lighttpd.conf

Add a socket block for port 443. On current Lighttpd (1.4.56+), keep the certificate chain and the private key in separate files: point ssl.pemfile at the full-chain file and ssl.privkey at the key. This is the format most Certificate Authorities deliver, and it is the configuration Lighttpd recommends.

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/yourdomain.fullchain.pem"
    ssl.privkey = "/etc/lighttpd/ssl/yourdomain.key"

    # Minimum TLS version (ssl-conf-cmd needs lighttpd 1.4.48+; TLS 1.2 is already the default on 1.4.56+)
    ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )
}
  • ssl.engine turns on TLS for this socket.
  • ssl.pemfile holds your certificate followed by the intermediate chain.
  • ssl.privkey holds the private key. It is required since version 1.4.53 whenever the key is not inside the pemfile.

To redirect plain HTTP to HTTPS so visitors always reach the secure version, add a redirect for port 80 (this needs mod_redirect, which is loaded by default on most distributions):

$SERVER["socket"] == ":80" {
    url.redirect = ( "^/(.*)" => "https://yourdomain.com/$1" )
}

Save and close the file.

Legacy method: combined PEM and ssl.ca-file

Older Lighttpd 1.4.x builds (before 1.4.53) used a single combined PEM that contained both the certificate and the private key concatenated together, with the intermediate chain supplied separately through ssl.ca-file. If you are maintaining one of those older systems, build the combined file like this:

cat yourdomain.crt yourdomain.key > /etc/lighttpd/ssl/yourdomain.pem

Then reference it in the socket block:

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/yourdomain.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/yourdomain.ca-bundle"
}

On current Lighttpd, prefer the separate ssl.pemfile and ssl.privkey form from Step 3 and keep the full chain in the pemfile. The ssl.ca-file directive was renamed ssl.verifyclient.ca-file in version 1.4.60, since its real purpose is verifying client certificates rather than serving the server chain.

Step 4: Test the configuration

Always check the syntax before restarting, because an error can stop the server from starting. Run:

sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf

You should see a message that the syntax is OK. For a deeper check that also loads and initializes the modules, use sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf. Fix any reported errors before continuing.

Step 5: Restart Lighttpd

Apply the changes. On a modern system with systemd, restart the service:

sudo systemctl restart lighttpd

On older systems that use SysV init, use the init script instead:

sudo /etc/init.d/lighttpd restart

Congratulations, your SSL certificate is now installed on Lighttpd. To confirm the result and get an instant status report, use our SSL Checker or browse our full set of SSL tools. For advanced options, see the official Lighttpd SSL documentation.

Frequently Asked Questions

Does Lighttpd use a combined PEM file or separate certificate and key files?

Current Lighttpd (1.4.56 and later) recommends separate files: the certificate plus its intermediate chain in the file named by ssl.pemfile, and the private key in ssl.privkey. The older combined PEM that concatenated the certificate and key into one ssl.pemfile still works, but the separate form matches how most Certificate Authorities deliver files and is the documented recommendation.

Do I still need ssl.ca-file for the intermediate chain?

No. The current recommendation is to include the intermediate certificates directly in the ssl.pemfile file, right after your certificate. The ssl.ca-file directive was a historical way to complete the chain when the pemfile held only the leaf certificate, and in version 1.4.60 it was renamed ssl.verifyclient.ca-file because its real role is client-certificate verification.

How do I check the configuration before restarting Lighttpd?

Run sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf to test the syntax, or sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf for a deeper test that also loads the modules. Fix any errors it reports before you restart, so a typo does not stop the server from starting.

Why does my browser show an incomplete certificate chain on Lighttpd?

This usually means the intermediate certificates are missing from your ssl.pemfile. Concatenate your certificate and the CA bundle into one file, with the certificate first, and point ssl.pemfile at it. Then test the config and restart. You can confirm the chain is complete with our SSL Checker.

How do I verify the SSL certificate is installed on Lighttpd?

Connect to your site with OpenSSL and read the certificate it serves:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If the certificate is installed, this prints its issuer and validity dates. You can also open your site in a browser and check the padlock.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.