How to Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server


Did you know? Google will begin marking HTTP pages as "Not Secure" in Chrome, starting with version 62 (at first on pages where users enter data, and on every HTTP page in Incognito mode). Google planned this for October and has started sending emails to webmasters who have yet to migrate their sites to HTTPS, including us.

Google Warning

Now it is time to move away from HTTP, so that user data is protected in transit.

Certificates used to cost money; with Let's Encrypt they are free. You do not have to spend a penny to get a certificate and secure your site.

For reference, Let's Encrypt is a certificate authority that issues free X.509 certificates for TLS, with domain validation and issuance automated through the ACME protocol.

If you are planning to move your website to HTTPS, follow the steps in this article.

Install Certbot

To obtain a certificate you need shell access to the server and an ACME client; this article uses Certbot.

Certbot is available from the EPEL repository for CentOS 7 / RHEL 7. On Ubuntu, add the Certbot PPA (this was the recommended source at the time of writing; the PPA has since been discontinued in favour of the snap package, so check the Certbot site for the current installation method for your distribution).

### CentOS 7 / RHEL 7 ###

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

### Ubuntu ###

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update

Install the Certbot client with the command for your distribution.

### CentOS 7 / RHEL 7 ###

yum install certbot

### Ubuntu 16.04 / Debian 9 ###

apt-get install certbot

### Debian 8 ###

apt-get install certbot -t jessie-backports

Install and Start the OpenLiteSpeed Web server

Follow our earlier articles on installing OpenLiteSpeed and creating virtual hosts on it.

READ: How to install OpenLiteSpeed on CentOS 7 / RHEL 7

READ: How to install OpenLiteSpeed on Debian 9 / Ubuntu 16.04

Make sure the OpenLiteSpeed web service is up and running.

/usr/local/lsws/bin/lswsctrl status

Output:

litespeed is running with PID 24706.

Create Let’s Encrypt certificate for your domain

During issuance (the http-01 challenge), Certbot writes a token file under the .well-known/acme-challenge/ directory inside the document root of your virtual host. The Let's Encrypt validation servers then fetch that file over plain HTTP on port 80 and check its contents, which proves that the domain name resolves to the server running Certbot.

Therefore, make sure the virtual host for your domain is set up correctly, listens on port 80, and is reachable from the internet. The challenge path must be served as a static file: nothing in front of it may require authentication or rewrite the request away to another host.

READ: How to setup virtual hosts on OpenLiteSpeed web server
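Before running Certbot it is worth checking the challenge path the way the validator will see it. The script below is an added example, not part of the original article or of Certbot: it drops a constructed token where Certbot will put the real one, checks that the web server's unprivileged user can read the file and every directory above it (the most common reason the http-01 challenge fails), and optionally fetches the token over HTTP. The document root and domain in the usage comment are the article's; the token name and the helper names are made up for this example.

```sh
#!/bin/sh
# Pre-flight check for the http-01 challenge (added example, not from the
# article or from certbot). Drops a constructed token under
# .well-known/acme-challenge/ and checks what the Let's Encrypt validator
# depends on: the path exists and is readable by the web server's user.
set -u

# Usage: acme_prepare_token <document root>
# Prints the token name on success; returns 1 if the directory cannot be
# created or some path component is not readable by "other".
acme_prepare_token() {
  docroot="$1"
  dir="$docroot/.well-known/acme-challenge"
  # umask 022 only affects directories created here; existing ones keep their mode
  (umask 022; mkdir -p "$dir") || return 1
  token="preflight-$(date +%s)-$$"
  printf '%s\n' "$token" > "$dir/$token" || return 1
  chmod 644 "$dir/$token"
  # Column 8 of "ls -ld" is the read bit for "other": that is what the web
  # server (usually user nobody on OpenLiteSpeed) needs on each path component.
  for p in "$dir/$token" "$dir" "$docroot/.well-known" "$docroot"; do
    if [ "$(ls -ld "$p" | cut -c8)" != r ]; then
      echo "not world-readable: $p" >&2
      return 1
    fi
  done
  printf '%s\n' "$token"
}

# Usage: acme_fetch_token <domain> <token>
# Fetches the token as the validator does: plain HTTP on port 80, following
# redirects. Returns 0 only if the response body is the token itself.
acme_fetch_token() {
  body=$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
  [ "$body" = "$2" ]
}

# Usage: acme_cleanup_token <document root> <token>
acme_cleanup_token() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# Example run, with the article's document root and domain as assumptions:
#   tok=$(acme_prepare_token /usr/local/lsws/web.itzgeek.com/html) &&
#   acme_fetch_token web.itzgeek.com "$tok" && echo "http-01 path is reachable"
#   acme_cleanup_token /usr/local/lsws/web.itzgeek.com/html "$tok"
```

If the fetch fails while the file is present and readable, look at the virtual host's port 80 mapping and at any redirect rules, since the validator must be able to reach the file on the same hostname it is issuing the certificate for.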

HTTP Site:

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – HTTP Web Site

Create a Let's Encrypt certificate with the following command (run it as root, since Certbot writes to /etc/letsencrypt). With certonly --webroot, Certbot only obtains the files and does not touch the OpenLiteSpeed configuration; that part is done by hand below.

certbot certonly --webroot -w /usr/local/lsws/web.itzgeek.com/html/ -d web.itzgeek.com

-w : document root of the virtual host, where the challenge file is written.
-d : fully qualified domain name to put on the certificate; repeat -d for each additional name (for example the www variant).

Follow the interactive prompts to generate the certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Using the webroot path /usr/local/lsws/web.itzgeek.com/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem. Your cert will
   expire on 2017-11-24. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

These are the .pem files you will find under /etc/letsencrypt/live/<yourdomain>/. They are symlinks to the current versions in /etc/letsencrypt/archive/, which is why the web server should always be pointed at the live/ paths.

cert.pem – the server (leaf) certificate for your domain

chain.pem – the Let's Encrypt intermediate CA certificate that issued it

fullchain.pem – cert.pem followed by chain.pem; this is the file to hand to the web server, so clients receive the intermediate as well

privkey.pem – the private key; it must never be world-readable or copied anywhere the web server does not need it
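Before pointing the listener at these files it pays to check that they belong together. The script below is an added example (not from the article or from Certbot) and assumes only openssl: it confirms the private key matches cert.pem, that fullchain.pem really is cert.pem plus chain.pem, that the leaf verifies through the intermediate (chain.pem is passed as -untrusted because it holds the intermediate, not a root), and that the certificate is not within Certbot's 30-day renewal window. Run it as sh le_check.sh /etc/letsencrypt/live/web.itzgeek.com; with no argument it builds a constructed root, intermediate and leaf (demo data, not a Let's Encrypt chain) and checks those instead.

```sh
#!/bin/sh
# Checks on the files certbot leaves in /etc/letsencrypt/live/<domain>/, run
# before pointing an OpenLiteSpeed listener at them. Added example, not from
# the original article or from certbot; the hierarchy built by
# make_constructed_live is demo data, not a Let's Encrypt chain.
set -u

# 0 if privkey.pem and cert.pem carry the same public key. A mismatch (for
# example after copying files from another lineage) keeps the listener down.
le_key_matches_cert() {
  key=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
  crt=$(openssl x509 -in "$1/cert.pem" -pubkey -noout 2>/dev/null) || return 1
  [ "$key" = "$crt" ]
}

# 0 if fullchain.pem is exactly cert.pem followed by chain.pem; that is the
# file to give the listener so clients receive the intermediate as well.
le_fullchain_consistent() {
  cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$1/fullchain.pem"
}

# 0 if cert.pem chains through chain.pem to a trusted root. chain.pem holds the
# intermediate only, so it is passed as -untrusted; the root comes from the
# system store, or from an explicit file in $2 (the demo uses its own root).
le_chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
  else
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
  fi
}

# 0 if cert.pem is still valid $2 days from now (certbot renews inside 30 days).
le_valid_for_days() {
  openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1/cert.pem" >/dev/null 2>&1
}

# Runs all four checks on a live directory (optional trusted root in $2),
# prints one line each and returns the number of failures.
le_report() {
  live="$1" root="${2:-}" fails=0
  le_key_matches_cert "$live"     && echo "ok   private key matches cert.pem"        || { echo "FAIL private key does not match cert.pem"; fails=$((fails+1)); }
  le_fullchain_consistent "$live" && echo "ok   fullchain.pem = cert.pem + chain.pem" || { echo "FAIL fullchain.pem is not cert.pem + chain.pem"; fails=$((fails+1)); }
  le_chain_ok "$live" "$root"     && echo "ok   chain verifies"                      || { echo "FAIL chain does not verify"; fails=$((fails+1)); }
  le_valid_for_days "$live" 30    && echo "ok   valid for at least 30 days"           || { echo "FAIL expires within 30 days"; fails=$((fails+1)); }
  return "$fails"
}

# Builds root -> intermediate -> leaf in $1, laid out like a certbot live
# directory (constructed demo data; the root is kept alongside as root.pem).
make_constructed_live() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Constructed Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 180 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=web.example.test' \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 60 -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# With a directory argument, check a real lineage; without one, check demo data.
if [ $# -gt 0 ]; then
  le_report "$1"
else
  tmp=$(mktemp -d)
  make_constructed_live "$tmp"
  le_report "$tmp" "$tmp/root.pem"
  rm -rf "$tmp"
fi
```

le_report returns the number of failed checks, so it can gate a deployment script; on a real lineage the chain check uses the system trust store, which must contain the Let's Encrypt root for it to pass.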

Configure Let’s Encrypt SSL in OpenLiteSpeed

Log in to the OpenLiteSpeed WebAdmin console.

https://your-ip-address:7080

The console ships with a self-signed certificate, so the browser will warn about it. Do not expose port 7080 to the internet; restrict it to your management addresses.

Go to Listeners and Add a new listener.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – Listeners

Name the listener, bind it to port 443 and set Secure to Yes, as shown below.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – Add New Listener

Map the virtual host of your domain (the same one that serves it over HTTP) to this secure listener. Go to Listeners –> Your Listener (https://web.itzgeek.com) –> General –> Virtual Host Mappings –> Add.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – Map Virtual Host

Now configure the certificate on this listener. Go to Listeners –> Your Listener (https://web.itzgeek.com) –> SSL –> SSL Private Key & Certificate.

Here, enter the paths of the files Certbot created earlier. Use the paths under /etc/letsencrypt/live/, which are symlinks that Certbot repoints at every renewal, rather than the versioned files in /etc/letsencrypt/archive/. Since fullchain.pem already contains the intermediate, set Chained Certificate to Yes. In my case,

Private Key File /etc/letsencrypt/live/web.itzgeek.com/privkey.pem
Certificate File /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – Configure SSL

Specify which protocol versions the listener accepts. Go to Listeners –> Your Listener (https://web.itzgeek.com) –> SSL –> SSL Protocol and enable only TLS 1.2 (and TLS 1.3 if your OpenLiteSpeed build offers it). Leave SSLv3, TLS 1.0 and TLS 1.1 disabled: they are obsolete and have known weaknesses.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – SSL Versions

Restart the OpenLiteSpeed service.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – Restart OpenLiteSpeed Service

Ensure the new listener shows as running on the OpenLiteSpeed dashboard. If it does not come up, the usual causes are a key that does not match the certificate, a file the server cannot read, or something else already bound to port 443.

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – OpenLiteSpeed Dashboard

Verify HTTPS website

Place an index.html in the document root of the virtual host.

echo "This page is served by OpenLiteSpeed Web Server with SSL Support" > /usr/local/lsws/web.itzgeek.com/html/index.html

Verify the certificate by opening the HTTPS version of your website.

https://your-https-web-site

The site should now load over HTTPS with no browser warning; the certificate details should show Let's Encrypt as the issuer and the full chain (your certificate plus the intermediate).

Configure Let’s Encrypt SSL in OpenLiteSpeed Web Server – HTTPS Web Site

Renew Let’s Encrypt Certificate

Let's Encrypt certificates are valid for 90 days, so configure a cron job to renew them before they expire. certbot renew only renews certificates that are within 30 days of expiry, so it is safe to run it frequently.

Before configuring the cron job, simulate the renewal against the Let's Encrypt staging environment with the command below; this exercises the challenge without touching your real certificate or counting against rate limits.

certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/web.itzgeek.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for web.itzgeek.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/web.itzgeek.com/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/web.itzgeek.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

You can now set up a cron job to run the command below twice per day. Note the line "new certificate deployed without reload" in the output: Certbot only replaces the files in /etc/letsencrypt, while OpenLiteSpeed reads the key and certificate when it starts, so a renewed certificate is not served until the service is restarted. Pass Certbot a --deploy-hook that runs /usr/local/lsws/bin/lswsctrl restart so this happens automatically after each successful renewal.

certbot renew
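The hook below is an added example, not from the article or from Certbot, of how to wire the restart in. Certbot runs the deploy hook once per renewed lineage with RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS in the environment; the hook refuses to restart if the lineage is incomplete, restarts OpenLiteSpeed, and then confirms through a TLS handshake that the listener serves the renewed certificate rather than the old one. The install path /usr/local/sbin/lsws-deploy-hook.sh, the cron file and the LSWSCTRL override are assumptions made for this example.

```sh
#!/bin/sh
# Deploy hook for "certbot renew" on OpenLiteSpeed, added here as an example
# (not from the original article or from certbot). OpenLiteSpeed reads
# privkey.pem and fullchain.pem only when it starts, so a renewed certificate
# is not served until the service is restarted. Assumed install path:
# /usr/local/sbin/lsws-deploy-hook.sh, scheduled twice a day from an assumed
# /etc/cron.d/certbot-lsws:
#   17 3,15 * * * root certbot renew --quiet --deploy-hook /usr/local/sbin/lsws-deploy-hook.sh
set -u

# Path of the control script; overridable so the hook can be tested with a stub.
LSWSCTRL="${LSWSCTRL:-/usr/local/lsws/bin/lswsctrl}"

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the certificate the listener actually serves for domain $1,
# taken from a TLS handshake to $2:$3 (default 127.0.0.1:443) with SNI set to $1.
served_fingerprint() {
  printf '' | openssl s_client -connect "${2:-127.0.0.1}:${3:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# A lineage is usable only if both files the listener is configured with exist
# and are non-empty; restarting with a missing key would take HTTPS down.
lineage_complete() {
  [ -s "$1/privkey.pem" ] && [ -s "$1/fullchain.pem" ]
}

# Usage: deploy_hook <live directory> [domain]
# Returns 1 if the restart was refused or failed, 2 if after the restart the
# listener still serves a certificate other than fullchain.pem (that check
# runs only when a domain is given, because it needs the listener to be up).
deploy_hook() {
  lineage="$1" domain="${2:-}"
  if ! lineage_complete "$lineage"; then
    echo "refusing restart: $lineage is missing privkey.pem or fullchain.pem" >&2
    return 1
  fi
  if ! "$LSWSCTRL" restart >/dev/null 2>&1; then
    echo "$LSWSCTRL restart failed; the old certificate is still being served" >&2
    return 1
  fi
  [ -n "$domain" ] || return 0
  sleep 2  # give the new server process a moment to bind the listener
  want=$(cert_fingerprint "$lineage/fullchain.pem")
  got=$(served_fingerprint "$domain")
  if [ -z "$want" ] || [ "$want" != "$got" ]; then
    echo "served certificate ($got) differs from $lineage/fullchain.pem ($want)" >&2
    return 2
  fi
}

# certbot calls the script with the lineage in the environment; the first
# renewed domain is used for the post-restart check.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  first="${RENEWED_DOMAINS:-}"
  deploy_hook "$RENEWED_LINEAGE" "${first%% *}"
fi
```

A non-zero exit from the hook makes certbot renew report the failure, which is what you want a cron mail or monitoring to pick up: the files were renewed, but the site may still be serving the old certificate.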

That’s All.
