How to Install an ACME SSL Certificate on LiteSpeed using Acme.sh?


Securing your website with SSL/TLS is no longer a choice, and manually managing certificates will soon be a thing of the past. The method described in this guide automates SSL issuance and renewal using the ACME protocol, even if you use a commercial certificate authority such as DigiCert or Sectigo.

This guide will teach you to install an ACME SSL certificate on LiteSpeed (either OpenLiteSpeed or LiteSpeed Enterprise), using the acme.sh client with External Account Binding (EAB). Once everything is configured correctly, your certificates will be automatically renewed with zero user intervention. 

Prerequisites

Before beginning your installation, ensure you have completed the following prerequisite steps:

  • Either OpenLiteSpeed or LiteSpeed Enterprise must be installed on your server.
  • You must have SSH access to the server with root or sudo privileges.
  • You must have a domain with an A or AAAA record pointing to your LiteSpeed web server.
  • You must have obtained your EAB credentials from your certificate authority, including EAB Key ID (KID) and EAB HMAC Key.
  • Ensure Port 80 is open and ready to receive HTTP traffic, which is required to validate the certificate.
  • You must have outbound HTTPS access (Port 443) available to your certificate validation websites.

LiteSpeed Web Server ACME SSL/TLS Installation Guide

Step 1: Install ACME.sh

The first step to installing your ACME SSL Certificate is to install acme.sh, the ACME Client used to issue and renew your SSL Certificates.

To do this, you must first establish a connection to your server and then execute the following commands in your terminal via SSH:

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version

If the installation fails, this typically indicates missing dependencies such as curl or git, or a partial installation that may require a forced reinstall to complete. acme.sh will be the key component of your SSL automation process.

Step 2: Create an ACME Account with your Certificate Authority’s EAB Credentials

After you have installed acme.sh, you need to create your ACME account using the EAB credentials from your chosen Certificate Authority (CA). This links your ACME account to a commercial CA (such as DigiCert or Sectigo).

This way, your ACME account can request SSL certificates for your website that are issued by that CA.

acme.sh --register-account \
    --server https://acme.sectigo.com/v2/DV \
    --eab-kid EAB_KID \
    --eab-hmac-key EAB_HMAC_KEY \
    --accountemail YOUR_EMAIL_ADDRESS

As part of registering your account, you will need to provide your EAB Key ID, HMAC key, and email address. If you already have an ACME account registered with the same credentials, acme.sh will automatically reuse it.

Registration at this point usually fails for one of two reasons: the EAB credentials are incorrect, or the server is blocked from making outbound HTTPS requests.

Step 3: Request an SSL Certificate for your Website Using the Webroot Validation Method

Once you have registered your ACME account, you can request an SSL certificate for your website using the webroot validation method.

When you use this method, the tool will create a temporary validation file in your web application’s document root. When you request an SSL certificate, the CA will check if the temporary validation file exists via HTTP.

acme.sh --issue \
    -d yourdomain.com \
    -w /path/to/webroot \
    --server https://acme.sectigo.com/v2/DV

This method is the best choice in production environments because there is no need to stop the LiteSpeed server.

However, you need to verify that your domain points to your server, that the webroot path is correct, and that port 80 is open for HTTP validation. A problem with any of these may result in authorisation errors when issuing your certificate.

Step 4: Install the Certificate in LiteSpeed

Now that your certificate has been issued successfully, the next step is to install that certificate into LiteSpeed and configure it for automatic reloads. Start by creating a dedicated directory for storing the certificate and key files.

Next, install your certificate with the ACME.sh utility and create a reload command for LiteSpeed so that it automatically reloads when the certificate is renewed. This is very important, as without a properly configured reload, your server will continue to serve the outdated certificate after it has been renewed.

4.1 Create Certificate Directory

mkdir -p /usr/local/lsws/conf/cert/yourdomain.com

4.2 Install Certificate and Enable Auto Reload

acme.sh --install-cert -d yourdomain.com \
    --key-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key \
    --fullchain-file /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt \
    --reloadcmd "/usr/local/lsws/bin/lswsctrl reload"

The --reloadcmd option ensures LiteSpeed automatically reloads after renewal.

Step 5: Configure HTTPS in LiteSpeed

After the certificate has been installed, it is time to configure LiteSpeed to provide secure services via HTTPS. This means setting up a secure listener on port 443 through the LiteSpeed WebAdmin panel and linking it to the certificate and key files. You also need to map the domain name to a specific virtual host.

Add HTTPS Listener (Port 443)

  • Go to WebAdmin → Listeners → Add
  • Configure:
    • Name: HTTPS
    • IP: ANY
    • Port: 443
    • Secure: Yes

Configure SSL Paths

  • Private Key: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.key
  • Certificate: /usr/local/lsws/conf/cert/yourdomain.com/yourdomain.com.crt

Once you have completed the configuration, restart LiteSpeed to enable HTTPS for your site. If there is an error in the certificate path or in the listener configuration, HTTPS will not work, so verify those settings.

Step 6: Verify SSL Installation

After you finish configuring HTTPS, it is extremely important to verify that your SSL certificate works properly. To do this, visit your website in a web browser using HTTPS (https://yourdomain.com) and check for any browser warning messages or certificate mismatches.

Check that:

  • There are no warning messages or errors in your web browser.
  • You are using the correct domain name (the one in the Common Name or Subject Alternative Name of your certificate).
  • Your SSL certificate is valid.

If all of these checks pass, the setup is successful: the connection is secure and the certificate matches your domain name. This confirms that your SSL certificate is properly installed and recognised by all of the common web browsers.
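
The browser check can be complemented on the server by auditing the key and certificate files written in Step 4. The script below is an added example, not part of the original guide or of acme.sh; it uses standard openssl commands, and its function names and four-argument usage are this example's own. It checks the files on disk, not what LiteSpeed is currently serving.

```shell
#!/bin/sh
# Added example (not from the guide): audit the files written in Step 4.
# Usage: sh audit.sh KEY CERT HOST DAYS   (audit.sh is a hypothetical file name)

# 0 when group and others have no permission bits on the private key.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 when the private key ($1) belongs to the first (leaf) certificate in $2.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate's SAN (or CN, if it has no SAN) covers host $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check, print one line per failure, return the failure count.
audit_install() {
    fails=0
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group or others"; fails=$((fails + 1)); }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $1 does not match $2"; fails=$((fails + 1)); }
    cert_covers_host "$2" "$3" ||
        { echo "FAIL: $2 does not cover $3"; fails=$((fails + 1)); }
    cert_valid_for "$2" "$4" ||
        { echo "FAIL: $2 expires within $4 days"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: key and certificate for $3 pass all checks"
    return "$fails"
}

# Only runs when called with four arguments, e.g. the Step 4 paths.
if [ "$#" -eq 4 ]; then
    audit_install "$@"
fi
```

A non-zero exit status is the number of failed checks, so the script can also be run after the forced renewal test to confirm the renewed files are in place.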

Step 7:  Verify and Test Auto Renewal

The last step is verifying the automatic renewal configuration. acme.sh creates a cron job that runs once a day to check whether any certificates are expiring and, if so, renews them.

You can verify this in two ways: check that the cron job exists, and run a manual renewal test.

crontab -l

You should see:

acme.sh --cron

Force Renewal Test:

acme.sh --renew -d yourdomain.com --force

After the manual test, LiteSpeed should automatically reload and start serving the newly issued certificate. If this went off without a hitch, your SSL lifecycle now runs without any additional work on your part.

Conclusion

Once you configure your system, the renewal of your certificates occurs without issue in the background, which means that your website remains secure without the requirement for any additional monitoring or maintenance.

However, having the right SSL provider is equally important as configuring the SSL successfully. By working with CheapSSLWEB, you’ll have access to quality products from some of the most trusted CAs in the industry, and you will have competitive pricing and dependable service to help you with your deployment.

Janki Mehta

Janki Mehta is a cyber-security enthusiast with 7+ years of experience and knowledge of encryption, digital certificates and online security. She helps online users stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.