Right; I'm using lighthttpd. This is a good start; it's simple to configuure it for SSL/TLS; just turn on the option. Oh. It won't turn on. Why not? ... beacuse I didn't have openssl installed when I installed it. Fine. Install openssl. (Hah! You think that worked first time? Oh no; I had to install to my limited ram drive, because the install process requires symlinks and I can't do that from my main partition.) Ok installed that. Rebuild and reinstall lighthttpd. Then do it again -rebuild lighthttp with "./configure --with-openssl" because that isn't the default because of course it isn't.
And we're hitting the first stumbling block - lighthttpd isn't one of the servers 'certbot' (the official lets-encrypt client) knows about. Well, we'll try it with some manually configured paths... Oh; that falls over because I don't have yum. Noooot going there. Let's find a different client.
Ok; and... curl fails. With certificate errors. Because, guess what? Curl doesn't know about new enough SSL. (And hey; only took half an hour of googling to guess that.) Download a new version of curl. Build that (Guess what: --with-openssl!) make install and... No change in the cersion of curl. Ok, it put it in a different place. Rename the old one; and the new one is picked up. And... it isn't finding its libraris; old libraries ++ new curl =... GAH. Fine, find them and resymlink them. (Manually, because I don't recall a command similarly to 'which' for libraries; and I'd only be guessing (correctly) that they are named libcurl.)
Ok, fine. And now... it's refusing to download things. Due to certificate errors. Because (use the duck...) ah; my certificate store is out of date. (Poke...) Indeed it seems to be blank. Fine, download a new one. Ironically; I cannot; because it wants me to do so over SSL. Download from desktop, transfer to server. No joy. Try moving to another location. Still no joy. Give up and set an environment variable to forcibly point it at it...
And the script breaks halfway down, because it's trying to use "+=" which my version of bash doesn't support.
... all I wanted was to be a good net citizen and enable https on my website, which is pretty much static content anyway. Ideally; fire and forget (which lets encrypt ALREADY shoots in the foot by requiring short renewal terms). But no.