One of my websites is hosted on the OpenLiteSpeed web server. It was created from the DigitalOcean OpenLiteSpeed WordPress droplet in the DO marketplace. On installation, a certificate was created using Let’s Encrypt, but it appears that renewal of the certificate was not automated. OpenLiteSpeed is a fantastic and extremely fast web server, but there is no integration with the Certbot Let’s Encrypt SSL certificate automation. Well, there probably is, but I haven’t found out how to do it at the moment. For the time being, until I either buy a certificate or find a way to automate it, these are the steps to quickly perform a manual Let’s Encrypt certificate renewal.
Stop the web server
root@webserver:~# service lsws stop
Run certbot to issue another certificate
root@webserver:~# certbot certonly
Choose the method you want to use to prove your domain ownership to the ACME CA. I chose option 1, “Spin up a temporary webserver (standalone)”, which is the reason we stopped the web server in the first place: we cannot have two web servers trying to use the same port(s) at the same time.
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Now type in the domain name(s) that you need the certificate to be issued for
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): example.com
Certbot will go through and do its stuff, create the certificate(s) that you need, and tell you where it has placed the certificate files.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-XX-XX. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Once the certs have been obtained we are going to start up OpenLiteSpeed again
root@webserver:~# service lsws start
Now we have to log in to the LiteSpeed WebAdmin Console at https://example.com:7080. Once you are logged in, click on ‘Listeners’ in the left-hand menu. Next, click on ‘View’ for the listener that needs the new certificates. When you are on the correct listener, click on the ‘SSL’ tab at the top. Once there, fill out the ‘Private Key File’ and ‘Certificate File’ fields with the key file and certificate locations that certbot reported above.
These locations are symbolic links that point to the actual certificate files, which are stored elsewhere in the ‘/etc/letsencrypt’ directory structure.
Once this is done, perform a ‘graceful restart’ of LiteSpeed and your new certificate will be installed.
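The same stop, renew, start sequence can be run unattended with the "certbot renew" command that certbot's own output mentions, using its pre and post hooks. The script below is an added example, not part of the original post; the function names, the CERTBOT and LIVE_DIR variables, the RUN switch, the script file name and the 14-day threshold are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: unattended form of the manual renewal steps.
# Assumptions: the certificate was issued with certbot's standalone
# authenticator and OpenLiteSpeed runs as the "lsws" service.
CERTBOT="${CERTBOT:-certbot}"                  # overridable, e.g. with a stub
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"  # certbot's symlink directory

# certbot runs the hooks only when a renewal is actually attempted, so the
# site is stopped only while the temporary web server needs the port, and
# the post-hook starts it again whether or not the renewal succeeded.
renew_ols_certs() {
    "$CERTBOT" renew --quiet \
        --pre-hook "service lsws stop" \
        --post-hook "service lsws start" "$@"
}

# Return 0 if the certificate for domain $1 expires within $2 days.
# An unreadable or unparsable certificate counts as expiring.
cert_expires_within() {
    cert="$LIVE_DIR/$1/fullchain.pem"
    [ -r "$cert" ] || return 0
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$cert" >/dev/null 2>&1
}

# Renew, then warn about every listed domain still within $1 days of expiry.
renew_and_check() {
    days="$1"; shift
    renew_ols_certs || echo "certbot renew failed" >&2
    status=0
    for domain in "$@"; do
        if cert_expires_within "$domain" "$days"; then
            echo "WARNING: $domain expires within $days days" >&2
            status=1
        fi
    done
    return "$status"
}

# Runs only when asked, e.g. from root's crontab:
#   RUN=1 sh renew-ols-cert.sh example.com
if [ "${RUN:-0}" = 1 ]; then
    renew_and_check 14 "$@"
fi
```

Because the listener's key and certificate paths are the symbolic links under /etc/letsencrypt/live, they only need to be entered in the WebAdmin Console once; each renewal is picked up when the post-hook starts the server. Calling renew_ols_certs --dry-run rehearses the renewal without replacing the installed certificate.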