LS 5.3.6 - letsencrypt cert renews, but lsws keeps serving old cert until graceful restart

[c0ldshadow]

Hi, I'm on LS 5.3.6. One of my letsencrypt certs expired yesterday but successfully renewed via certbot renew. Everything worked correctly from certbot...

However, my website kept serving the old/invalid cert until I manually logged in to lsws console and did a graceful restart.

Is this a known issue? Please advise if any suggestions or if need any other logs/etc to troubleshoot

Thanks!!

-Avery

 

[Pong]

You should add service lsws restart after your ssl cerrificate renew/change to let server to pick up the change.

 

[imkh]

You should add service lsws restart after your ssl cerrificate renew/change to let server to pick up the change.

Can you please elaborate? Where do we add "service lsws restart" so it happens automatically when CertBot renews the certificate?

 

[Unique_Eric]

Hi,

If there's no control panel to handle it, you edit /etc/cron.d/certbot , and add --deploy-hook "/usr/local/lsws/bin/lswsctrl restart" hook to the end of the default certbot command.

Best,
Eric

 

[imkh]

But there is a control panel: OpenLiteSpeed 1.4.46.

Hi,

If there's no control panel to handle it, you edit /etc/cron.d/certbot , and add --deploy-hook "/usr/local/lsws/bin/lswsctrl restart" hook to the end of the default certbot command.

Best,
Eric

 

[Unique_Eric]

Hi,

OpenliteSpeed control panel only provide web server setup. Please add the previous suggestion to get the certbot renew.

Best

 

[imkh]

Hi,

OpenliteSpeed control panel only provide web server setup. Please add the previous suggestion to get the certbot renew.

Best

Oh weird, I just checked /etc/cron.d/certbot and it already had that restart command. I wonder why it still needed a manual restart? Odd.

 

[oliverbythesea]

I'm in the same situation, /etc/cron.d/certbot is correctly configured, the certificate is being renewed by certbot but the server doesn't restart. I have to manually login & restart the server. If I don't the website keep serving the old certificate (although certbot has already renew it).

I'have also tried to add a certbot post hook but with no success..

 

[Unique_Eric]

Hi,

Do you see any restart log shows in /usr/local/lsws/logs/lsrestart.log if you run the whole command manually, e.g.

certbot renew -q --deploy-hook 'systemctl restart lsws'

If failed, please check if there's any useful message in "/var/log/letsencrypt/letsencrypt.log"

Best,
Eric

 

[oliverbythesea]

Hi,

No restart logs other than the ones I did manually

certbot renew...

=> no renewal failures, Cert not yet due for renewal

I'm sure it's pretty dumb

This is on a DigitalOcean with a pre-made OLS image/droplet

edit: I'll try the

certbot renew...

with the force option

 

[Unique_Eric]

Right, the deploy hook only works if renew success, so you might need to use force-renew or dry-run to trigger it.

How about post hook, https://certbot.eff.org/docs/using.html?highlight=renew#pre-and-post-validation-hooks
But I feel post hook is not ideal, even worse than a cron to restart lsws per three days.

The certbot post issue happens before, but not in many cases. Please let us know what you got so we can improve it or maybe not to use the --deploy-hook.

 

[oliverbythesea]

Hi Eric,

I got it working with `certbot renew -q --deploy-hook 'systemctl restart lsws'` !

I think I need to update my cron to use "systemctl restart lsws" instead of "/usr/local/lsws/bin/lswsctrl restart", I'm not sure why the latter does not work... Maybe it's not being run by the correct user ?

Thanks you for the support

 

[qtwrk]

Hi Eric,

I got it working with `certbot renew -q --deploy-hook 'systemctl restart lsws'` !

I think I need to update my cron to use "systemctl restart lsws" instead of "/usr/local/lsws/bin/lswsctrl restart", I'm not sure why the latter does not work... Maybe it's not being run by the correct user ?

Thanks you for the support

it's some update in systemd

in "ancient" time , systemd doesn't "care" who started the process and it just takes control of it

but in recent (like a year ago?) systemd update , it only "take care" process started by systemd

by that means , if you run `lswsctrl start`, then `systemctl stop/restart lsws` , it won't work , as the intial start up was not done by systemd , it will throw wanring and ignore the action.

 

[v12nation]

I have this same exact issue from digitalocean droplets preinstalled with litespeed. Two different servers did the same exact thing. The cert renewed but lsws failed to restart.

 

[Unique_Eric]

Please try the following commands, next time cert renew should restart LSWS successfully.

/usr/local/lsws/bin/lswsctrl stop >/dev/null
systemctl stop lsws >/dev/null
systemctl start lsws >/dev/null

 

[v12nation]

Please try the following commands, next time cert renew should restart LSWS successfully.

/usr/local/lsws/bin/lswsctrl stop >/dev/null
systemctl stop lsws >/dev/null
systemctl start lsws >/dev/null

will do! thanks!

 

[v12nation]

Hey, the issue happened again! The cert renewed but I still had to manually restart OLS

 

[Unique_Eric]

Hi @v12nation,

Could you double confirm that the Certbot cronjob has OLS restart hook setup correctly?

 

[Centos]

Hi,

I am having the exact same issue. Certificate renews fine but LSWS doesn't restart.

/etc/cron.d/certbot has this in it which appears to be correct.

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"

Please help

 

[icyK]

I'm having the same issue and it's been going on for about a year. I have a few threads addressing it on the Letsencrypt forum too (Browsers not picking up new SSL certificates).

I do have an error in my debug log /var/log/letsencrypt/letsencrypt.log

2021-02-26 00:28:09,136:ERROR:certbot.hooks:Hook command "/usr/local/lsws/bin/lswsctrl reload" returned error code
2

What does this mean? How can I fix it?