
Guide to Configuring Let's Encrypt SSL Certificate and Auto-Renewal on OpenLiteSpeed


Introduction

OpenLiteSpeed has no official Let's Encrypt automation module, so the SSL certificate has to be configured by hand. This guide walks through the complete process: installing Certbot, generating the certificate, configuring OpenLiteSpeed, and setting up automatic renewal.

Install Certbot Client

First, install Certbot using the appropriate command for your operating system.

CentOS 7/8 or RHEL 7/8

yum install certbot

Ubuntu 16.04+ or Debian 9/10+

apt-get install certbot

Debian 8 (Jessie)

apt-get install certbot -t jessie-backports

Generate Let's Encrypt SSL Certificate

Use Certbot's Webroot plugin. It proves control of the domain by writing a challenge file under <web root>/.well-known/acme-challenge/, which Let's Encrypt then fetches over plain HTTP, so the virtual host must already be serving that directory on port 80. Replace /usr/local/lsws/your_web_root/html/ with your actual web root and www.xxx.com with your domain.

certbot certonly --webroot -w /usr/local/lsws/your_web_root/html/ -d www.xxx.com

Upon success, certificates are saved in:

/etc/letsencrypt/live/<yourdomain>/

This directory holds symlinks to the current versions of the certificate files (the actual files live under /etc/letsencrypt/archive/), notably fullchain.pem (the server certificate followed by the intermediate chain) and privkey.pem (the private key).

Configure SSL in OpenLiteSpeed Admin Panel

Log in to the OpenLiteSpeed admin interface at http://your-server-ip:7080.

Step 1: Configure Port 443 Listener

1. Navigate to the 'Listeners' page.
2. Click 'Add' to create a new listener.
3. Set the listener address to *:443 (or a specific IP).
4. Set 'Secure' to 'Yes' to enable SSL.

Step 2: Assign Domain to Listener

1. Edit the newly created 443 listener.
2. In the 'Virtual Host Mappings' section, select the virtual host for your SSL domain.

Step 3: Set SSL Certificate File Paths

1. Open the listener's 'SSL' tab.
2. Set 'Private Key File' to: /etc/letsencrypt/live/<yourdomain>/privkey.pem
3. Set 'Certificate File' to: /etc/letsencrypt/live/<yourdomain>/fullchain.pem
(Replace <yourdomain> with your actual domain directory name.)

Step 4: Configure SSL Parameters (Optional but Recommended)

For enhanced security, enable:
- SSL Protocol: At least TLSv1.2.
- SSL Session Cache.
- Strong cipher suites.
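For reference, this is what those settings look like in OpenLiteSpeed's text configuration (/usr/local/lsws/conf/httpd_config.conf), which the admin panel writes on your behalf. It is an added example, not taken from the original post or from the OpenLiteSpeed project; the listener name, the virtual host name, the cipher list and the <yourdomain> placeholder are assumptions, and the exact key names (in particular sslSessionCache) should be checked against the version you run, since the admin panel is the authoritative editor.

```conf
# Added example listener; the admin panel generates an equivalent block.
listener SSL443 {
  address                 *:443
  secure                  1
  # Paths from the guide; <yourdomain> is a placeholder.
  keyFile                 /etc/letsencrypt/live/<yourdomain>/privkey.pem
  certFile                /etc/letsencrypt/live/<yourdomain>/fullchain.pem
  # fullchain.pem already contains the intermediate, so tell OLS to read the chain from it.
  certChain               1
  # sslProtocol is a bitmask: SSLv3=1, TLSv1.0=2, TLSv1.1=4, TLSv1.2=8, TLSv1.3=16.
  # Weak (still allows TLSv1.0/1.1):  sslProtocol 30
  # Recommended (TLSv1.2 + TLSv1.3): 
  sslProtocol             24
  # Assumed key name; enables session ID caching so returning clients resume instead of re-handshaking.
  sslSessionCache         1
  enableECDHE             1
  # Forward-secret AEAD suites only; TLSv1.3 suites are negotiated separately.
  ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
  # Virtual host mapping from Step 2; "Example" is an assumed virtual host name.
  map                     Example <yourdomain>
}
```

After editing the file directly you still need the restart from Step 5; editing through the admin panel has the same effect but validates the values as you enter them.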

Step 5: Restart OpenLiteSpeed Service

After configuration, return to the admin homepage and click the 'Restart' button to apply SSL settings.

Set Up Automatic Certificate Renewal

Let's Encrypt certificates are valid for 90 days and must be renewed regularly.

Test Renewal Command

First, perform a dry run to test the renewal process:

certbot renew --dry-run

If successful, you can set up an automated task.

Configure Crontab Task

Run crontab -e as root (Certbot needs write access to /etc/letsencrypt) and add the following line. It checks the certificates daily at 2:30 AM and renews any that expire within the next 30 days:

30 2 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl restart lsws"

Notes:
- The --quiet flag suppresses output unless renewal is needed.
- The --post-hook command executes after a successful renewal. The example restarts OpenLiteSpeed to load the new certificate. Adjust the restart command as needed (e.g., systemctl restart openlitespeed).
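The cron line above restarts the server whenever Certbot ran a renewal, without checking what it produced. The script below, an added example that is not part of the original post, covers two points from the guide in one place: it verifies a certificate directory laid out as /etc/letsencrypt/live/<domain>/ (the files from the "Generate Let's Encrypt SSL Certificate" section) and only then runs the restart command, so a truncated file or a certificate that does not match privkey.pem never takes the site down. It depends only on the openssl command-line tool. The RESTART_CMD and WARN_DAYS defaults, the function names and the make_sample_cert_dir helper (which builds a constructed self-signed certificate for testing) are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot itself exports to a --deploy-hook.

```shell
#!/bin/sh
# Added example (not from the original post): validate a Let's Encrypt
# certificate directory before OpenLiteSpeed is restarted to load it.
# Assumed defaults; override via the environment.
RESTART_CMD="${RESTART_CMD:-systemctl restart lsws}"
WARN_DAYS="${WARN_DAYS:-14}"

# Return 0 if the public key embedded in fullchain.pem is the one that
# belongs to privkey.pem (a mismatch makes every TLS handshake fail).
cert_matches_key() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the leaf certificate is still valid for at least $2 days.
cert_valid_for_days() {
    dir="$1"; days="$2"
    openssl x509 -in "$dir/fullchain.pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Return 0 if the certificate names $2 in its SAN list or, failing that, its CN.
cert_covers_domain() {
    dir="$1"; domain="$2"
    openssl x509 -in "$dir/fullchain.pem" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$domain" && return 0
    openssl x509 -in "$dir/fullchain.pem" -noout -subject 2>/dev/null \
        | grep -q "CN *= *$domain"
}

# Run all checks on directory $1 for domain $2; restart the server only if they pass.
deploy_cert() {
    dir="$1"; domain="$2"
    cert_matches_key "$dir" || { echo "key/cert mismatch in $dir" >&2; return 1; }
    cert_covers_domain "$dir" "$domain" || { echo "certificate does not cover $domain" >&2; return 1; }
    cert_valid_for_days "$dir" "$WARN_DAYS" || { echo "certificate expires within $WARN_DAYS days" >&2; return 1; }
    echo "certificate for $domain OK; running: $RESTART_CMD"
    sh -c "$RESTART_CMD"
}

# Constructed sample for testing: a self-signed certificate for $1 valid for
# $2 days (default 90, like Let's Encrypt), in a temporary directory that
# mimics /etc/letsencrypt/live/<domain>/. Prints the directory path.
make_sample_cert_dir() {
    domain="$1"; days="${2:-90}"
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1 || return 1
    echo "$dir"
}

# As a Certbot deploy hook the renewed lineage and domains arrive in the
# environment; run by hand, take the directory and domain as arguments.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${RENEWED_DOMAINS%% *}"
elif [ $# -eq 2 ]; then
    deploy_cert "$1" "$2"
fi
```

Saved as, say, /usr/local/sbin/ols-deploy-cert.sh, it replaces the --post-hook in the cron line with --deploy-hook /usr/local/sbin/ols-deploy-cert.sh; Certbot runs a deploy hook once per certificate that was actually renewed, and the script's non-zero exit shows up in Certbot's log when a check fails.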

Troubleshooting and Notes

  • Permissions: Ensure the OpenLiteSpeed user (typically nobody or lsadm) has read access to certificate files in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/.
  • Path Errors: Use absolute paths in the admin panel and verify file existence.
  • Firewall: Ensure port 443 is open in the server firewall.
  • Command Updates: Older installations may expose the client as letsencrypt or certbot-auto; current versions use certbot. Use whichever command is actually installed on your system, and give its absolute path in the crontab entry.
