Hi, I just came across your guide.
I wonder why you are doing it in such a complicated way. All I had to do to get a Let’s Encrypt certificate was to unfirewall ports 80 and 443 from the WAN side and call acme.sh like this:
/root/.acme.sh/acme.sh --issue -w /www/ --reloadcmd '/root/.acme.sh/lighttpd-reload.sh' --keylength ec-256 -d <domain name>
The script /root/.acme.sh/lighttpd-reload.sh just combines the private key and certificate into a single file that can be read by lighttpd and then reloads lighttpd. I’ve covered the details a long time ago and today I confirmed it still works as expected, plus no changes to Foris are necessary anymore.
I believe there’s no need to stop lighttpd before every renewal nor to change any firewall rules. Am I missing something?
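
The key-and-certificate combining step that the post attributes to its reload script, as an added example that is not the poster's own script: because the combined file contains the private key, it is written owner-only and swapped in atomically. The function name `combine_pem` and all paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: build the single PEM file (key + certificate) for lighttpd.
# All paths are arguments; none are taken from the original post.

# combine_pem KEY CERT OUT
# Writes KEY followed by CERT to OUT, readable by the owner only, replacing
# OUT atomically so the web server never reads a half-written file.
combine_pem() {
    key=$1; cert=$2; out=$3

    # Refuse empty or missing inputs rather than installing a broken PEM.
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing input" >&2; return 1; }

    # Cheap sanity checks on the PEM armour of each input; this also catches
    # swapped arguments.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no certificate in $cert" >&2; return 1; }

    # Create the temp file beside OUT (same filesystem, so mv is a rename)
    # under a restrictive umask, since it will hold the private key.
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1
    if cat "$key" "$cert" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Typical use from a reload script (variables are placeholders):
#   combine_pem "$KEY_FILE" "$CERT_FILE" "$PEM_FILE" && <reload lighttpd>
```

Reloading lighttpd only when the function succeeds keeps the previous certificate in service if a renewal produced unusable files.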