Lighttpd - Install SSL Certificate

Last updated on 28 Sept 2023, 10:23:11.
Category: All about SSL certificates

Lighttp Linux

Lighttpd - SSL certificate installation

This article assumes you've received your certificate from the Certificate Authority, and that you wish to install it on your Nginx webserver. If you want to know how to request a certificate, please consult the « How to generate a certificate request with OpenSSL » article.

Step 1: Building a certificate bundle (optional)

Lighttpd uses one directive in its configuration to identify your own SSL certificate, and one to identify the Certificate Authorities' intermediate and root certificates.

Depending on the Certificate Authority you ordered your certificate from, you may receive the certificates either as distinct files, all bundled in one file, or your certificate in one file and all CA certificates in a bundle. Most commonly, you will receive your own certificate as a separate file, and another file containing intermediate and root certificates for use in Apache and Lighttpd.

If you have received separate files from the CA, use the following command to concatenate the certificates in reverse order. If there's only one intermediate certificate, you only need to concatenate that one, of course.

cat intermediate_2.crt intermediate_1.crt CA_root.crt >> /etc/certs/bundle.crt

The order in which you concatenate the certificates is important:

  • First the intermediate certificate, usually one, sometimes two
  • Then the root certificate

The root certificate is not strictly needed in this list, since browsers have CA's root certificates built-in, however it may be best practice to include it.

If you received your own certificate in a separate file, just move the files over to your certificate directory, for instance /etc/certs.

Step 2: Concatenate your key and your certificate

Unlike Apache, Lighttpd requires your key and your SSL certificate in a single file. Bundle them together with the following command:

cat www.mydomain.com.key www.mydomain.com.crt > www.mydomain.com.pem

Step 3: Edit the Lighttpd configuration

Add the lines below to your Lighttpd config file, usually to be found at /etc/lighttpd/lighttpd.conf. Note that in the example below, you should modify the paths so that they point to your website's root directory, and the SSL directives so they point to your SSL certificate and your private key. It may be easier to copy and modify an existing server entry in your config file.

var.confdir = "/etc/certs"
$SERVER["socket"] == "*:443" {
 ssl.engine = "enable"
 ssl.pemfile = var.confdir + "/www.mydomain.com.pem"
 ssl.ca-file = var.confdir + "/bundle.crt"
 server.name = "www.mydomain.com"
 server.document-root = "/home/www/public_html/www.mydomain.com/public/"
}

Please note that the above is only a minimal working server configuration, and that your web server should be tuned for optimum security and performance. You may want to check out our articles on tuning and securing Lighttpd in the Knowledge Base.

Step 4: Test your configuration

It's good practice to check your server configuration before restarting Lighttpd.

lighttpd -t -f lighttpd.conf

Step 5: Restart Lighttpd

Restart Lighttpd to apply your new configuration:

/etc/init.d/lighttpd restart

Step 6: Troubleshooting

If you didn't concatenate your certificates in the correct order, Lighttpd will fail to start and display an error similar to the following one:

SSL_CTX_use_PrivateKey_file(" ... /www.mydomain.com.key") failed
 (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)

In that case, try to concatenate your certificate files in the correct order again.

If your certificate doesn't display correctly in a browser, check if all certificates are being sent correctly to a browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own one, and going up through the different intermediate certificates.

Step 7: Security Test

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.


Related articles

Hoe de taal van Kinamo webmail aanpassen

Dit FAQ-artikel legt uit hoe je de taal van de gebruikersinterface kunt aanpassen in Kinamo Webmail

Read more

Can I read my e-mail online (through webmail)?

Each Kinamo e-mail address can be checked through an extensive webmail e-mail client. The only thing you need are an...

Read more

Create an automatic SPAM filter in the Kinamo Webmail

Do you have an email with Kinamo? Discover here how to create a special filter via Kinamo Webmail to keep...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Kinamo

Select your language

All languages: