SSL Listener
Learning Focus
By the end of this lesson you will know how to create and configure an SSL listener in OpenLiteSpeed with a certificate, private key, and modern TLS protocol settings.
What an SSL Listener Does
An SSL listener terminates HTTPS traffic, usually on port 443. It handles the TLS handshake, decrypts the request, and passes the plaintext HTTP request to the virtual host.
Required Components
| Component | Description | Example Path |
|---|---|---|
| Certificate file | The public certificate or full chain | /etc/ssl/certs/example.pem |
| Private key | The matching private key | /etc/ssl/private/example.key |
| CA bundle | Intermediate certificates (if not in the cert file) | /etc/ssl/certs/ca-bundle.pem |
Creating an SSL Listener in WebAdmin
- Navigate to Listeners → Add New Listener
- Set Listener Name: HTTPS
- Set Address: * (all interfaces)
- Set Port: 443
- Set Secure: Yes
- Save, then click the listener name to edit SSL settings:
  - Private Key File: /etc/ssl/private/example.key
  - Certificate File: /etc/ssl/certs/example.pem
  - Chained Certificate: Yes (if cert includes intermediates)
- Under SSL Protocol, configure:
  - Protocol Version: TLS v1.2 and TLS v1.3
  - Disable SSLv3, TLS 1.0, and TLS 1.1
- Save and Graceful Restart
Enabling HTTP/2 and HTTP/3
Under the listener's SSL settings:
| Setting | Recommended Value |
|---|---|
| Enable HTTP/2 | Yes |
| Enable HTTP/3 (QUIC) | Yes (if firewall allows UDP 443) |
Info: HTTP/3 uses UDP instead of TCP. Ensure your firewall allows UDP traffic on port 443, or HTTP/3 will silently fail.
Verifying SSL Configuration
```bash
# Test the TLS handshake (interactive; press Ctrl-C or send an empty line to quit)
openssl s_client -connect localhost:443 -servername example.com

# Check certificate details (stdin closed so s_client exits after the handshake)
openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates

# Check TLS versions and cipher suites supported
nmap --script ssl-enum-ciphers -p 443 localhost
```
Common SSL Listener Errors
| Error | Cause | Fix |
|---|---|---|
| Listener fails to start | Wrong cert or key path | Verify paths with ls -la |
| ERR_SSL_PROTOCOL_ERROR | Cert/key mismatch | Regenerate matching pair |
| Cloudflare 525 | Handshake failure at origin | Check all SSL listener settings |
| Browser shows wrong cert | SNI misconfiguration | Map domains to correct vhosts |
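The checks above all need a running listener. The script below is an added example (not part of the lesson or of OpenLiteSpeed) that runs offline against the certificate and key files themselves, so it can catch the "Cert/key mismatch" and permission problems from the table before the Graceful Restart. It assumes only the openssl CLI; the file paths are whatever you pass in.

```shell
#!/bin/sh
# Pre-flight checks for the files behind an OpenLiteSpeed SSL listener.
# Entirely offline: inspects the cert/key on disk, no server needed.

# SHA-256 of the public key embedded in the certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from the private key.
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 when the certificate was issued for this private key, 1 otherwise.
# A mismatch (e.g. a renewed cert copied over an old key) is the usual
# cause of ERR_SSL_PROTOCOL_ERROR in the error table.
cert_key_match() {
  [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# 0 when the certificate is still valid $2 seconds from now (default 14 days).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-1209600}" >/dev/null
}

# 0 when the certificate chains to the CA bundle in $2 (for a self-signed
# test cert the bundle may be the cert itself).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the key has no group/other permission bits (mode 0600 or stricter).
# Reads columns 5-10 of "ls -l", i.e. the group and other rwx fields.
key_is_private() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Usage: sh ssl-preflight.sh CERT KEY [CA_BUNDLE]
if [ "$#" -ge 2 ]; then
  cert_key_match "$1" "$2"       && echo "ok: key matches cert"   || echo "FAIL: key/cert mismatch"
  cert_not_expiring "$1"         && echo "ok: cert valid >14 days" || echo "FAIL: cert expires soon"
  key_is_private "$2"            && echo "ok: key permissions"    || echo "FAIL: key readable by others"
  chain_verifies "$1" "${3:-$1}" && echo "ok: chain verifies"     || echo "FAIL: chain does not verify"
fi
```

Run it with the listener's Certificate File and Private Key File paths; every FAIL line maps to a row in the error table above.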
Key Takeaways
- The SSL listener is the foundation of secure public traffic.
- Certificate correctness and file permissions matter — always verify with openssl.
- Enable TLS 1.2+ only and disable outdated protocols.
- HTTP/2 is a strong default; HTTP/3 needs UDP firewall rules.
What's Next
- Return to the Server Configuration overview to explore virtual hosts and server settings.