Let's Encrypt is an awesome little service that will provide you with a free SSL cert. Right now it's the most hassle-free way of getting a cert for a domain. The only drawback is that your cert expires after 3 months, so you need to renew it, but I've got that covered in this tutorial.
sudo su -
Stop lighttpd so the letsencrypt client can spin up its own temporary webserver:
service lighttpd stop
then run the letsencrypt client:
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
./letsencrypt-auto certonly --agree-dev-preview --domains sbaronda.com
Combine the key and cert into ssl.pem (note that this file contains your private key):
cd /etc/letsencrypt/live/sbaronda.com
cat privkey.pem cert.pem > ssl.pem
Forward Secrecy & Diffie Hellman Ephemeral Parameters
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
Copy and paste the following into /etc/lighttpd/lighttpd.conf (or put it into /etc/lighttpd/conf-enabled as letsencrypt.sbaronda.com.conf). Don't forget to change sbaronda.com to your domain.
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/sbaronda.com/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/sbaronda.com/fullchain.pem"
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
Start lighttpd again:
service lighttpd start
To renew the cert (do this before the 3 months are up), repeat the same steps:
sudo su -
Stop lighttpd so the letsencrypt client can spin up its own temporary webserver:
service lighttpd stop
then run the letsencrypt client again, from the letsencrypt directory you cloned earlier:
./letsencrypt-auto certonly --domains sbaronda.com
Select option 1, "Spin up a temporary webserver (standalone)". The command will either exit with an error or tell you when the new cert will expire.
Combine the key and cert into ssl.pem again:
cd /etc/letsencrypt/live/sbaronda.com
cat privkey.pem cert.pem > ssl.pem
Start lighttpd again:
service lighttpd start
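The renewal steps above as one script, added here as an example (not part of the original post). It assumes the tutorial's paths, that the client was cloned to /root/letsencrypt (override LE_DIR if not), and passes the client's --standalone flag to pick the option chosen interactively above; it only renews when the cert is within RENEW_WITHIN_DAYS of expiry, and keeps ssl.pem readable by root only since it holds the private key.

```shell
#!/bin/sh
# Added example (not from the original post): renew the Let's Encrypt cert
# for the lighttpd setup above. Paths follow the tutorial; LE_DIR is assumed.
set -eu

DOMAIN="${DOMAIN:-sbaronda.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
LE_DIR="${LE_DIR:-/root/letsencrypt}"      # where the client was cloned (assumption)
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"

# Returns 0 (renew) when cert $1 is missing, unreadable by openssl, or expires
# within $2 days; returns 1 when it is still good for longer than that.
needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    # -checkend exits 1 if the cert expires within the given number of seconds
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Rebuild ssl.pem from privkey.pem + cert.pem as the tutorial does, writing it
# atomically and with mode 600 because it contains the private key.
combine_pem() {
    dir="$1"
    [ -s "$dir/privkey.pem" ] && [ -s "$dir/cert.pem" ] || return 1
    ( umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$dir/ssl.pem.tmp" )
    mv "$dir/ssl.pem.tmp" "$dir/ssl.pem"
    chmod 600 "$dir/ssl.pem"
}

renew() {
    if ! needs_renewal "$LIVE_DIR/cert.pem" "$RENEW_WITHIN_DAYS"; then
        echo "cert for $DOMAIN is still valid for more than $RENEW_WITHIN_DAYS days"
        return 0
    fi
    service lighttpd stop
    # make sure lighttpd comes back even if the client fails part way through
    trap 'service lighttpd start' EXIT
    (cd "$LE_DIR" && ./letsencrypt-auto certonly --standalone --domains "$DOMAIN")
    combine_pem "$LIVE_DIR"
}

if [ "${1:-}" = "run" ]; then
    renew
fi
```

Run it as root with `./renew.sh run` from cron (e.g. weekly); on the weeks the cert is still fresh it exits without touching lighttpd.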