Lighttpd

It is a bad idea to nest $SERVER["socket"] inside any other condition, and might be an error in the upcoming lighttpd 1.4.60.

Configuration: File Syntax

$SERVER["socket"] ... Valid in global scope. Placing $SERVER["socket"] inside other conditions may have undesirable results (and would be rejected if not for historic (mis)use).

lighttpd TLS docs

Note: ssl.* configuration options are generally valid only in global scope or in the top level of a $SERVER["socket"] configuration condition, as they are needed when the socket connection is established, before the host is known. In cases where the client adds SNI (server name indication), some ssl.* options can be specified in $HTTP["host"] or $HTTP["scheme"] conditions, e.g. to select certificates for that specific connection. All other conditions occur after TLS negotiation has completed, so ssl.* directives nested in other configuration conditions may be ignored, including $SERVER["socket"] or $HTTP["host"] or $HTTP["scheme"] nested in other configuration conditions.

Since clients might make requests without providing a Host header, you need default configs for each listening socket. For the default server.port=80 and server.bind=0.0.0.0 (which can be changed), server.document-root is what is used. For TLS, you additionally need to configure a default certificate, which can be self-signed if you merely want a throw-away response.

Why do you think you need to use server.use-ipv6 = "enable"? It is always enabled with an IPv6 address. I do not think that you need it.

This template might help you:

server.document-root = "/path/to/default/host/docroot" 
$SERVER["socket"] == "0.0.0.0:80" { }
$SERVER["socket"] == "[::]:80"    { }

ssl.pemfile = "/path/to/default/host/certs/cert.pem" 
$SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443"    { ssl.engine = "enable" }

# You could list this once if the rest of the config is shared,
# and could even add the $HTTP["host"] == "ccc.org.ua" { ... } to the include file.
# Definitions for ssl.pemfile for the virtual host are used when ssl.engine = "enable" 
# and have no effect on sockets where TLS is not enabled.
#
$HTTP["host"] == "ccc.org.ua" {
    include "ccc.org.ua.conf" 
}

# If you additionally need to change config based on TLS or not,
# then you can differentiate your configs in two blocks,
# one for "http" and one for "https".  This could be part of
# "ccc.org.ua.conf" if the behavior is for specific virtual hosts
# and can not be generalized here.
#
$HTTP["scheme"] == "https" {

}
else {

}

SSL: no certificate/private key for TLS server name . $SERVER["socket"] should not be nested in other conditions.

That might be clearer as TLS server name "". lighttpd did not have a valid server name or TLS certificate configured at the point where this error was presented. This can happen if you made a TLS connection directly to the IP address, without using an SNI host name. As mentioned above, nesting $SERVER["socket"] inside other conditions is an error.

BTW, you can include your "ssl_enable.conf" in the global setting for all TLS sockets to inherit those tunings, but omit ssl.engine = "enable" from the include if you use the template above.

Alternatively, you can invert the logic and set

server.port = 443
include "ssl_enable.conf" 
ssl.pemfile = "/path/to/default/host/certs/cert.pem" 
$SERVER["socket"] == "0.0.0.0:80"  { ssl.engine = "disable" }
$SERVER["socket"] == "[::]:80"     { ssl.engine = "disable" }
$SERVER["socket"] == "0.0.0.0:443" { }
$SERVER["socket"] == "[::]:443"    { }

Thanks for the answer.
So I tried the template you provided like this:

# ===> Enable all 4 proto combinations (ipv4+http, ipv4+https, ipv6+http, ipv6+https)
#
$SERVER["socket"] == "0.0.0.0:80" { }
$SERVER["socket"] == "[::]:80"    { }
#
ssl.pemfile = "/www/default/certs/default.pem" 
ssl.ca-file = "/www/default/certs/ca.crt" 
$SERVER["socket"] == "0.0.0.0:443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443"    { ssl.engine = "enable" }
#
# ===> Common SSL/TLS tuning
#
include "ssl_enable.conf" 
#
# ===> ccc.org.ua
#
$HTTP["host"] == "ccc.org.ua" {
        include "ccc.org.ua.conf" 
}

But with this config only HTTPS is now working (both over IPv4 and IPv6). HTTP is not working on either IP version, just forcibly closing the connection instead of any response. I wrote a simple test script using Curl that tries to connect to the server in all 4 possible combinations, and now two of them fail (ipv4+http and ipv6+http). The error log shows this:

2021-09-26 12:06:19: server.c.1566) server started (lighttpd/1.4.60-devel-lighttpd-1.4.59-396-g6ffabc96)
2021-09-26 12:06:22: mod_openssl.c.3292) SSL: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2021-09-26 12:06:22: mod_openssl.c.3292) SSL: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2021-09-26 12:06:23: mod_openssl.c.3292) SSL: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2021-09-26 12:06:23: mod_openssl.c.3292) SSL: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
2021-09-26 12:06:27: server.c.1019) [note] graceful shutdown started
2021-09-26 12:06:27: server.c.2070) server stopped by UID = 0 PID = 0
2021-09-26 12:06:27: server.c.2070) server stopped by UID = 0 PID = 0

I am confused as to what to do.

BTW, you can include your "ssl_enable.conf" in the global setting for all TLS sockets to inherit those tunings, but omit ssl.engine = "enable" from the include if you use the template above.

Oh, yes, that was the reason. Thank you again, it is now seems to be working as intended.

BTW, ssl.ca-file = "/www/default/certs/ca.crt" is discouraged in new configs unless you are configuring ssl.ca-file for use with client certificate verification.
Instead, you should include the intermediate certificates in ssl.pemfile.
Please see lighttpd TLS docs for more details.