RPI Webserver Setup
===================

1. Requirements:

   - some RPI with both an internal and external static IP address,
   - enough disk space to hold page content,
   - sufficient control over the router to configure port forwarding.

2. Update system to current, install lighttpd and certbot:

   root@pi4b02:/home/pi# apt update
   [...]
   root@pi4b02:/home/pi# apt upgrade -y
   [...]
   root@pi4b02:/home/pi# apt install -y lighttpd certbot
   Reading package lists... Done
   Building dependency tree... Done
   Reading state information... Done
   The following additional packages will be installed:
   [...]
   root@pi4b02:/home/pi#

   Certbot drags in a boatload of Python3 modules.

3. Check if lighttpd is running:

   root@pi4b02:/home/pi# systemctl | grep lighttpd
   lighttpd.service    loaded active running   Lighttpd Daemon
   root@pi4b02:/home/pi#

4. Is it listening? Find out:

   root@pi4b02:/home/pi# netstat -an | grep '^tcp' | grep LISTEN | grep :80
   tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
   tcp6       0      0 :::80                   :::*                    LISTEN
   root@pi4b02:/home/pi#

5. Anything to see? Check http://127.0.0.1/

   root@pi4b02:/home/pi# wget http://127.0.0.1/
   --2026-03-10 13:09:10--  http://127.0.0.1/
   Connecting to 127.0.0.1:80... connected.
   HTTP request sent, awaiting response... 403 Forbidden
   2026-03-10 13:09:10 ERROR 403: Forbidden.

   root@pi4b02:/home/pi#

6. Add some content:

   For ease of abuse, we'll clone dallasrpi.org:

   wget -e robots=off -m -np https://dallasrpi.org/

   Once that completes, move the contents underneath dallasrpi.org to
   /var/www/html. With that in place, the main page at http://dfwrpi.org/
   becomes available. There is no https:// access just yet; for this the
   configuration needs tweaking, and a certificate must be obtained from
   letsencrypt.org.

   Depending on the age of lighttpd's release, an attempt to access the
   /Files/ section might result in a 403 Forbidden. In that case, in
   /etc/lighttpd/conf-enabled, create a symlink pointing to
   ../conf-available/10-dir-listing.conf, under the same name. Restart
   lighttpd right after.

7. Create a Certbot account:

   root@pi4b02:~# certbot register --standalone
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Enter email address (used for urgent renewal and security notices)
    (Enter 'c' to cancel): blah@fasel.dev

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Please read the Terms of Service at
   https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must
   agree in order to register with the ACME server. Do you agree?
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   (Y)es/(N)o: Y

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Would you be willing, once your first certificate is successfully issued, to
   share your email address with the Electronic Frontier Foundation, a founding
   partner of the Let's Encrypt project and the non-profit organization that
   develops Certbot? We'd like to send you email about our work encrypting the web,
   EFF news, campaigns, and ways to support digital freedom.
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   (Y)es/(N)o: N
   Account registered.
   root@pi4b02:~#

8. Obtain a certificate

   Stop the webserver, invoke "certbot certonly --standalone -d hostname1
   -d hostname2...", then restart the webserver:

   root@pi4b02:~# systemctl stop lighttpd
   root@pi4b02:~# certbot certonly --standalone -d dfwrpi.org -d www.dfwrpi.org
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Requesting a certificate for dfwrpi.org and www.dfwrpi.org

   Successfully received certificate.
   Certificate is saved at: /etc/letsencrypt/live/dfwrpi.org/fullchain.pem
   Key is saved at:         /etc/letsencrypt/live/dfwrpi.org/privkey.pem
   This certificate expires on 2026-06-09.
   These files will be updated when the certificate renews.
   Certbot has set up a scheduled task to automatically renew this certificate in the background.

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   If you like Certbot, please consider supporting our work by:
    * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    * Donating to EFF:                    https://eff.org/donate-le
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   root@pi4b02:~# systemctl start lighttpd

9. Configure lighttpd for https

   Lighttpd's certificate configuration is somewhat unusual, as it expects
   certificate and private key combined in the same .pem file. The
   "lighttpd-cert-renew.sh" script found on this page does that. Invoke it
   as a cronjob, reasonably sparingly yet often enough. Be advised that the
   script takes down lighttpd for the renewal's duration.

   The "echo 2" before the certbot invocation handles the scenario where a
   renewal is requested too early. Without it, running certbot unattended
   would hang at this prompt:

   You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
   (ref: /etc/letsencrypt/renewal/dfwrpi.org.conf)

   What would you like to do?
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   1: Keep the existing certificate for now
   2: Renew & replace the cert (limit ~5 per 7 days)
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
   Renewing an existing certificate
   Performing the following challenges:
   http-01 challenge for dfwrpi.org
   http-01 challenge for www.dfwrpi.org
   Waiting for verification...
   Cleaning up challenges

   In /etc/lighttpd, rename the original lighttpd.conf to lighttpd.conf.orig,
   then deploy the lighttpd.conf found on this page. You might want to review
   both script and configuration before going live.
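
The combine step described in section 9, as an added example; it is not the lighttpd-cert-renew.sh script from this page. The function name combine_pem, the output path /etc/lighttpd/combined.pem and the --deploy switch are assumptions, and the wrapper uses certbot's --non-interactive and --keep-until-expiring options in place of the "echo 2" answer, so it keeps an unexpired certificate rather than forcing a renewal.

```sh
#!/bin/sh
# Added example; not the page's lighttpd-cert-renew.sh.
# combine_pem KEY CERT OUT: build the single key+certificate file lighttpd reads.
combine_pem() {
    key=$1 cert=$2 out=$3

    # Both inputs must exist and be non-empty.
    if [ ! -s "$key" ] || [ ! -s "$cert" ]; then
        echo "combine_pem: missing or empty input" >&2
        return 1
    fi
    # Refuse swapped or truncated inputs before anything is deployed.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "combine_pem: no private key in $key" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "combine_pem: no certificate in $cert" >&2; return 2; }

    # Temp file beside the target: same filesystem, so mv is an atomic swap
    # and lighttpd never reads a half-written file. mktemp creates it 0600.
    tmp=$(mktemp "$out.XXXXXX") || return 3
    chmod 600 "$tmp"    # the private key stays unreadable to other users
    if cat "$key" "$cert" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# Deployment wrapper, run only as "script --deploy" (switch name is an assumption).
if [ "${1:-}" = "--deploy" ]; then
    live=/etc/letsencrypt/live/dfwrpi.org       # path from the certbot output above
    target=/etc/lighttpd/combined.pem           # assumed path, must match ssl.pemfile
    systemctl stop lighttpd                     # --standalone needs port 80
    # --non-interactive never prompts; --keep-until-expiring leaves a
    # certificate that is not yet due untouched instead of re-issuing it.
    certbot certonly --standalone --non-interactive --keep-until-expiring \
        -d dfwrpi.org -d www.dfwrpi.org &&
        combine_pem "$live/privkey.pem" "$live/fullchain.pem" "$target"
    rc=$?
    systemctl start lighttpd                    # bring the server back even on failure
    exit "$rc"
fi
```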