ssl.pem
Forward Secrecy & Diffie Hellman Ephemeral Parameters
 
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
Copy and paste the following into /etc/lighttpd/lighttpd.conf dont forget to change yourdomain to your domain 
or you can put it into /etc/lighttpd/conf-enabled as letsencrypt.yourdomain.conf
 
$SERVER["socket"] == ":443" {
     ssl.engine                  = "enable" 
     ssl.pemfile                 = "/etc/letsencrypt/live/yourdomain/ssl.pem" 
     ssl.ca-file         =  "/etc/letsencrypt/live/yourdomain/fullchain.pem"
     ssl.dh-file = "/etc/ssl/certs/dhparam.pem" 
     ssl.ec-curve = "secp384r1"
     ssl.honor-cipher-order = "enable"
     ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
     ssl.use-compression = "disable"
     setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
view rawletsencrypt.yourdomain.conf hosted with ❤ by GitHub
now open port and start lighttpd
 
sudo ufw allow 443
sudo service lighttpd start