
Let's Encrypt Integration

Learning Focus

By the end of this lesson you will know how to obtain, install, and auto-renew Let's Encrypt certificates for OpenLiteSpeed using certbot.

What Let's Encrypt Provides

Let's Encrypt is a free, automated certificate authority that issues publicly trusted TLS certificates through the ACME protocol. It removes the cost barrier and encourages secure-by-default hosting. Its certificates are valid for 90 days, which is deliberate: it forces you to automate renewal rather than treat a certificate as a one-off install.

Installation with Certbot

Step 1: Install Certbot

# Debian / Ubuntu
sudo apt update
sudo apt install certbot

# RHEL / AlmaLinux (certbot is packaged in EPEL, not the base repositories)
sudo dnf install epel-release
sudo dnf install certbot

Step 2: Obtain a Certificate

Certbot has no installer plugin for OpenLiteSpeed, so the --apache and --nginx plugins do not apply. Use certonly with the webroot or standalone authenticator to obtain the files, then configure the listener yourself in Step 3. Both methods rely on HTTP-01 validation: Let's Encrypt must be able to reach http://example.com/.well-known/acme-challenge/ on port 80 from the public internet, so DNS must already point at this server and the firewall must allow port 80.

Webroot Method (Server Running)

# No downtime: certbot writes the challenge file under
# <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over HTTP.
# -w must be the document root of the vhost that answers for these names on port 80;
# a rewrite rule that catches /.well-known/ (common with CMS front controllers)
# will make validation fail.
sudo certbot certonly --webroot \
-w /var/www/example.com/public \
-d example.com \
-d www.example.com

Standalone Method (Port 80 Must Be Free)

# Temporarily stop OpenLiteSpeed so certbot can bind port 80 with its own
# built-in web server for the duration of the validation
sudo systemctl stop lsws

# Get the certificate
sudo certbot certonly --standalone \
-d example.com \
-d www.example.com

# Start OpenLiteSpeed again
sudo systemctl start lsws
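Before running the webroot command, it is worth proving that OpenLiteSpeed really serves files placed under .well-known/acme-challenge/ in that document root over plain HTTP, because that is exactly what Let's Encrypt's HTTP-01 validation fetches; a wrong -w path, a vhost that does not answer for the name on port 80, or a rewrite rule that swallows the path are the usual reasons issuance fails. The script below is an added example and not part of the lesson or of certbot; the domain, document root and the acme-preflight.sh file name are assumptions, while the challenge directory is the one certbot's webroot plugin writes to.

```shell
#!/bin/sh
# Added example (not from the lesson, not certbot's own code): pre-flight check
# that OpenLiteSpeed serves /.well-known/acme-challenge/ out of the webroot that
# will be passed to certbot -w. The domain and webroot are assumptions; the
# challenge directory is the one certbot's webroot plugin writes into.
set -eu

# 32-character lowercase-hex token, unique per run.
new_token() {
  dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \t\n'
}

# Create the probe file exactly where certbot would put a challenge and print
# its path. World-readable because OLS serves static files as an unprivileged user.
write_probe() {
  mkdir -p "$1"
  printf '%s' "$2" > "$1/$2"
  chmod 644 "$1/$2"
  printf '%s\n' "$1/$2"
}

# Fetch the probe the way the HTTP-01 validator does: plain HTTP on port 80,
# following redirects. Never aborts the script; an empty body is handled by the caller.
fetch_probe() {
  curl -sSL --max-time 10 "http://$1/.well-known/acme-challenge/$2" 2>/dev/null || true
}

# True only when the returned body is non-empty and identical to the token.
probe_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
  domain="$1"
  webroot="$2"
  dir="$webroot/.well-known/acme-challenge"
  token=$(new_token)
  path=$(write_probe "$dir" "$token")
  body=$(fetch_probe "$domain" "$token")
  rm -f "$path"
  if probe_matches "$token" "$body"; then
    echo "OK: http://$domain/.well-known/acme-challenge/ is served from $webroot"
  else
    echo "FAIL: expected '$token' but got '$body'." >&2
    echo "Check that the port-80 listener maps $domain to a vhost whose docroot is $webroot," >&2
    echo "and that no rewrite rule or .htaccess denies /.well-known/." >&2
    return 1
  fi
}

# Usage: sh acme-preflight.sh example.com /var/www/example.com/public
if [ "$#" -ge 2 ]; then
  main "$1" "$2"
fi
```

Run it on the server as a user that can write to the document root; it removes the probe file afterwards. A FAIL with an empty body usually means the name is not mapped to any port-80 listener, while a FAIL whose body is HTML usually means a rewrite rule or a different vhost answered the request.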

Step 3: Configure in OpenLiteSpeed

After certbot succeeds, the two files OpenLiteSpeed needs are:

Certificate: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key: /etc/letsencrypt/live/example.com/privkey.pem

Use the paths under live/ exactly as shown: they are symlinks that certbot repoints at the newest files in archive/ on every renewal, so the listener configuration never has to change. Use fullchain.pem rather than cert.pem so the intermediate certificate is sent along with the leaf; clients that do not already have the intermediate fail validation otherwise. Point OpenLiteSpeed at these paths directly instead of copying the files elsewhere, and leave /etc/letsencrypt root-only as certbot created it.
  1. In WebAdmin, go to Listeners → the SSL listener → SSL tab
  2. Set Certificate File: /etc/letsencrypt/live/example.com/fullchain.pem
  3. Set Private Key File: /etc/letsencrypt/live/example.com/privkey.pem
  4. Set Chained Certificate: Yes (fullchain.pem holds more than one certificate)
  5. Save and Graceful Restart

If you prefer editing the configuration file, the same settings are certFile, keyFile and certChain inside the listener block of /usr/local/lsws/conf/httpd_config.conf.

Step 4: Verify

# Test the certificate. </dev/null ends the session so s_client does not wait on stdin,
# and -servername matters: OpenLiteSpeed picks the certificate by SNI, so a connection
# without it may show the listener's default certificate instead of this site's.
openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates

# Expect the subject to be your domain, the issuer to be Let's Encrypt,
# and notAfter to be roughly 90 days out.

Auto-Renewal Setup

# Test renewal (dry run against the staging CA; nothing is written to disk)
sudo certbot renew --dry-run

# Add a deploy hook so OpenLiteSpeed picks up the new files. Scripts in
# renewal-hooks/deploy/ run only after a renewal has actually succeeded.
sudo tee /etc/letsencrypt/renewal-hooks/deploy/reload-ols.sh >/dev/null <<'EOF'
#!/bin/bash
# Graceful restart: in-flight requests finish, new connections get the renewed certificate
/usr/local/lsws/bin/lswsctrl restart
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-ols.sh

# Confirm the renewal timer installed by the package is active
systemctl list-timers --all | grep -i certbot

The certbot package installs a systemd timer that runs certbot renew twice a day; a certificate is only renewed once it is within 30 days of expiry, and the deploy hook then restarts OpenLiteSpeed so the renewed certificate is actually served. Deploy hooks are not executed during a --dry-run, so run the hook script once by hand to confirm it works before relying on it.

warning

If you do not reload OpenLiteSpeed after renewal, the server continues to serve the old certificate from memory until the next restart.
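To turn Step 4 and the warning above into something you can run after every renewal, the script below compares the SHA-256 fingerprint of the certificate OpenLiteSpeed actually presents for the name with the fingerprint of fullchain.pem on disk, and flags a certificate that expires within 30 days (the point at which certbot should already have renewed it). It is an added example, not part of the lesson or of certbot; the domain, the 30-day threshold and the ols-tls-check.sh name are assumptions, and the certificate path follows certbot's default live/ layout.

```shell
#!/bin/sh
# Added example (not from the lesson): verify that the certificate OpenLiteSpeed
# serves is the one certbot last wrote to disk, and warn when expiry is near.
# Domain, port and the 30-day threshold are assumptions; the file locations are
# certbot's default layout under /etc/letsencrypt/live/<domain>/.
set -eu

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file, e.g. AB:CD:...
fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate presented on host:port for the given SNI name.
# </dev/null closes the session at once so s_client does not wait for input.
# Prints nothing if the connection fails, which the caller treats as a mismatch.
fingerprint_served() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Succeeds (exit 0) when the certificate in the file expires within N days.
# openssl -checkend exits 0 when the cert will NOT expire in that window, so invert it.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Succeeds only when both fingerprints are non-empty and identical.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
  domain="$1"
  live="/etc/letsencrypt/live/$domain"
  on_disk=$(fingerprint_file "$live/fullchain.pem")
  served=$(fingerprint_served localhost 443 "$domain")
  status=0
  if fingerprints_match "$on_disk" "$served"; then
    echo "OK: served certificate matches $live/fullchain.pem ($served)"
  else
    echo "MISMATCH: disk=$on_disk served=$served" >&2
    echo "OpenLiteSpeed is still serving the old certificate; run /usr/local/lsws/bin/lswsctrl restart" >&2
    status=1
  fi
  if expires_within_days "$live/fullchain.pem" 30; then
    echo "WARNING: certificate expires within 30 days; check 'certbot renew --dry-run' and the certbot timer" >&2
    status=1
  fi
  return "$status"
}

# Usage: sh ols-tls-check.sh example.com
if [ "$#" -ge 1 ]; then
  main "$1"
fi
```

Run it on the server right after a Graceful Restart and again after the first real renewal; a MISMATCH is precisely the stale-in-memory case the warning describes, and a non-zero exit makes it easy to hook into cron or a monitoring check.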

Key Takeaways

  • Let's Encrypt is the easiest path to valid TLS for most public sites.
  • Use the webroot method to avoid downtime during certificate issuance.
  • Set up a deploy hook to restart OpenLiteSpeed after each renewal; without it the renewed file sits on disk while the expiring certificate is still served.
  • Always test with openssl s_client (with -servername) after installation and again after the first renewal to verify the certificate being served is the one you expect.

What's Next